Add role

templates/nftables.conf.j2

@@ -0,0 +1,37 @@
+#!/usr/sbin/nft -f
+
+# {{ ansible_managed }}
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0; policy drop
+    iif lo accept
+    ct state established,related accept
+    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    tcp dport { ssh } ct state new accept
+    udp dport { {{ wireguard_listenport }} } ct state new accept
+    counter drop
+  }
+  chain forward {
+    type filter hook forward priority 0; policy drop
+    ct state established,related accept
+    ip6 nexthdr ipv6-icmp icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+    ip protocol icmp icmp type echo-request accept
+    iifname "{{ wireguard_if }}" ct state new accept
+    counter drop
+  }
+  chain output {
+    type filter hook output priority 0;
+  }
+
+}
+table ip nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		oifname "{{ wireguard_ext_if }}" masquerade
+	}
+}
+