ISTI-ansible-roles
/
ansible-role-linux-firewall
4
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge the iptables and firewalld roles.

This commit is contained in:
Andrea Dell'Amico 2020-07-10 19:17:56 +02:00
parent c029757895
commit 1a550b3168
12 changed files with 825 additions and 68 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
README.md
View File

@ -1,31 +1,65 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
A role that configures firewall rules on a Linux system
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
The most important variables are listed below:
``` yaml
# Base iptables rules, they use netfilter-persistent
iptables:
tcp_rules: True
tcp:
- { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
udp_rules: True
udp:
- { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
- '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
nagios_enabled: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True
#
# Firewalld (CentOS only)
#
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True
firewalld_rules:
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
# We execute direct rules as they are written
# firewalld_direct_rules:
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
# - { interface: 'eth1', zone: 'internal' }
```
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
None
License
-------
@ -35,4 +69,4 @@ EUPL-1.2
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
Andrea Dell'Amico, <andrea.dellamico@isti.cnr.it>

87
defaults/main.yml
View File

@ -1,2 +1,87 @@
---
# defaults file for ansible-role-template
iptables_persistent_enabled: True
#iptables_default_policy: REJECT
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
- '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
ganglia_enabled: False
nagios_enabled: False
iptables_open_all_to_isti_nets: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True
iptables_deb_pkgs:
- iptables
- iptables-persistent
#
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
#
#pg_allowed_hosts:
# - 146.48.123.17/32
# - 146.48.122.110/32
#
#munin_server:
# - 146.48.122.15
# - 146.48.87.88
#http_port: 80
#http_allowed_hosts:
# - 1.2.3.4/24
#https_port: 443
#https_allowed_hosts:
# - 0.0.0.0/0
#
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
# iptables:
# tcp_rules: True
# tcp:
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
# - { port: '80' }
# udp_rules: True
# udp:
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
# munin_server:
# - 146.48.122.15
# - 146.48.87.88
#nagios_monitoring_server_ip: 146.48.123.23
#mongodb:
# start_server: 'yes'
# tcp_port: 27017
# allowed_hosts:
# - 146.48.123.100/32
#
# firewalld
#
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True
firewalld_rules:
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
# We execute direct rules as they are written
# firewalld_direct_rules:
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
# - { interface: 'eth1', zone: 'internal' }

16
files/mosh.xml Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Mosh SSH service</short>
<description>This allows mosh to send and receive datagram connections.</description>
<port protocol="udp" port="60000"/>
<port protocol="udp" port="60001"/>
<port protocol="udp" port="60002"/>
<port protocol="udp" port="60003"/>
<port protocol="udp" port="60004"/>
<port protocol="udp" port="60005"/>
<port protocol="udp" port="60006"/>
<port protocol="udp" port="60007"/>
<port protocol="udp" port="60008"/>
<port protocol="udp" port="60009"/>
<port protocol="udp" port="60010"/>
</service>

7
files/traceroute.xml Normal file
View File

@ -0,0 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ports needed by traceroute</short>
<description>This allows the host to be reached by traceroute.</description>
<port protocol="udp" port="33434"/>
<port protocol="udp" port="33523"/>
</service>

33
handlers/main.yml
View File

@ -1,2 +1,33 @@
---
# handlers file for ansible-role-template
- name: Start the iptables service
service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban
- name: Start the netfilter service
service: name=netfilter-persistent state=restarted enabled=yes
when: is_debian8
notify: Restart fail2ban
- name: Flush the iptables rules
command: /etc/init.d/iptables-persistent flush
ignore_errors: true
- name: Restart fail2ban after an iptables restart
service: name=fail2ban state=restarted enabled=yes
when: has_fail2ban
- name: Enable and start firewalld
service: name=firewalld state=started enabled=yes
when: firewalld_enabled
- name: Reload firewall config
command: firewall-cmd --reload
notify: Restart fail2ban
when: firewalld_enabled
- name: Restart fail2ban
service: name=fail2ban state=restarted
when:
- fail2ban_enabled is defined and fail2ban_enabled
- centos_install_epel

67
meta/main.yml
View File

@ -1,61 +1,34 @@
galaxy_info:
author: your name
description: your description
author: Andrea Dell'Amico
description: Systems Architect
company: ISTI-CNR
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: EUPL-1.2
license: EUPL 1.2+
min_ansible_version: 2.8
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
platforms:
- name: Ubuntu
versions:
- trusty
- bionic
- name: EL
versions:
- 7
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- firewall
- iptables
- firewalld
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
dependencies:
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-postfix.git
version: master
name: postfix
state: latest

5
tasks/firewalld_disable.yml Normal file
View File

@ -0,0 +1,5 @@
---
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
service: name=firewalld state=stopped enabled=no
when: not firewalld_enabled | bool
tags: [ 'iptables', 'firewall', 'firewalld' ]

91
tasks/firewalld_rules.yml Normal file
View File

@ -0,0 +1,91 @@
---
- block:
- name: Ensure that the service is enabled and started
service: name=firewalld state=started enabled=yes
notify: Restart fail2ban
- name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
when: firewalld_ssh_enabled_on_default_zone | bool
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
- name: Add sources to the availability zones, if any
firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_src_rules | default([]) }}'
- name: Assign interfaces to firewalld zones if needed
firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True
with_items: '{{ firewalld_zones_interfaces | default([]) }}'
when:
- firewalld_zones_interfaces is defined
- item.interface is defined
- item.zone is defined
- name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.service is defined
- name: Save the ports firewalld rules that need to be permanent
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.port is defined
- item.protocol is defined
- name: Save the rich_rules firewalld rules that need to be permanent
firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.rich_rule is defined
notify: Reload firewall config
- name: Enable the firewall-cmd direct passthrough rules
shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
args:
creates: /etc/firewalld/.{{ item.label }}
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Set the firewall-cmd direct passthrough rules as permanent ones
command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
command: firewall-cmd --new-service={{ item.name }} --permanent
args:
creates: '/etc/firewalld/services/{{ item.name }}.xml'
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Install the custom firewall services
copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Manage the custom services firewalld rules.
firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_new_services }}'
when:
- firewalld_new_services is defined
- item.name is defined
notify: Reload firewall config
# Last one to not take ourselves out
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
tags: [ 'iptables', 'firewall', 'firewalld' ]

13
tasks/main.yml
View File

@ -1,2 +1,13 @@
---
# tasks file for ansible-role-template
- import_tasks: plain-iptables.yml
when:
- iptables_persistent_enabled
- ansible_distribution_file_variety == "Debian"
- import_tasks: firewalld_rules.yml
when:
- firewalld_enabled
- ansible_distribution_file_variety == "RedHat"
- import_tasks: firewalld_disable.yml
when:
- firewalld_enabled
- ansible_distribution_file_variety == "RedHat"

107
tasks/plain-iptables.yml Normal file
View File

@ -0,0 +1,107 @@
---
- block:
- name: Install the needed iptables packages
apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
- name: Create the /etc/iptables directory when needed
file: dest=/etc/iptables state=directory owner=root group=root mode=0755
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
with_items:
- rules.v4
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
notify: Start the iptables service on Ubuntu < 12.04
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_trusty
register: install_iptables_rules_trusty
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian7
register: install_iptables_rules_deb7
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian8
register: install_netfilter_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_major_version >= '16'
register: install_netfilter_rules
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_t
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_trusty is changed
- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_d7
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_deb7 is changed
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
service: name=netfilter-persistent state=restarted enabled=yes
register: restart_related_x
notify: Restart fail2ban after an iptables restart
when: install_netfilter_rules is changed
- name: Check if the fail2ban service is present
stat: path=/usr/bin/fail2ban-server
register: fail2ban_installed
- name: Restart fail2ban after an iptables restart on Ubunt Trusty
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_t is changed
- name: Restart fail2ban after an iptables restart on debian 7
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_d7 is changed
- name: Restart fail2ban after an iptables restart on Ubuntu Xenial
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_x is changed
- name: Check if the docker service is present
stat: path=/usr/bin/dockerd
register: dockerd_installed
- name: Restart docker after an iptables restart on Ubuntu Trusty
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_t is changed
- name: Restart docker after an iptables restart on Ubuntu Xenial
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_x is changed
tags: [ 'iptables', 'iptables_rules' ]

382
templates/iptables-rules.v4.j2 Normal file
View File

@ -0,0 +1,382 @@
#
# {{ ansible_managed }} don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if iptables_banlist is defined %}
# We manage the banned IP/networks list before anything else
{% for obj in iptables_banlist %}
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% elif obj.proto is defined and obj.destport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% elif obj.proto is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% else %}
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% endif %}
{% endfor %}
{% endif %}
# Return traffic and localhost
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in iptables_ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% else %}
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if http_port is not defined %}
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
{% endif %}
{% endif %}
{% if http_port is defined %}
# http
{% if http_allowed_hosts is defined %}
{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if https_port is defined %}
# https
{% if https_allowed_hosts is defined %}
{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if https_managed_hosts is defined %}
{% for rule in https_managed_hosts %}
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
{% endif %}
{% endif %}
{% endif %}
{% if psql_firewall_enabled %}
{% if psql_db_port is defined %}
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
{% if psql_global_firewall is defined %}
{% for cidr in psql_global_firewall %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% else %}
{% if psql_db_data is defined %}
# postgresql clients
{% for db in psql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% endif %}
{% endif %}
{% endif %}
{% if mysql_firewall_enabled %}
{% if mysql_db_port is defined %}
{% if mysql_listen_on_ext_int %}
# mysql clients
{% for db in mysql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
{% endif %}
{% endif %}
{% if openldap_slapd_tcp_port is defined %}
{% if openldap_allowed_clients is defined %}
# LDAP
{% for addr in openldap_allowed_clients %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if mongodb_allowed_hosts is defined %}
# mongodb clients
{% for ip in mongodb_allowed_hosts %}
{% if mongodb_tcp_port is defined %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
{% else %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
{% endif %}
{% endfor %}
{% if mongodb_tcp_port is defined %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
{% else %}
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
{% endif %}
{% endif %}
{% if docker_swarm is defined and docker_swarm %}
{% for cidr in docker_swarm_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
{% endif %}
{% endif %}
#
# TODO: add the rules that block traffic from now on
#
{% if nagios_enabled is defined %}
{% if nagios_enabled %}
{% if nagios_monitoring_server_ip is defined %}
# Nagios NRPE
{% for ip in nagios_monitoring_server_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
# Check ntp from the nagios server
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if zabbix_agent_install is defined and zabbix_agent_install %}
{% if zabbix_agent_passive_checks_status == "enabled" %}
# Zabbix servers that can send passive checks
{% for ip in zabbix_monitoring_servers %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% if configure_munin is defined %}
{% if configure_munin %}
{% if munin_server %}
# Munin
{% for ip in munin_server %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if tomcat_cluster_enabled %}
# tomcat cluster
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
{% if tomcat_cluster_multicast_net is defined %}
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
{% endif %}
{% endif %}
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
# orientdb hazelcast multicast rules
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
{% endif %}
# Postfix
{% if postfix_relay_server is defined %}
{% if postfix_relay_server %}
#
# These are only needed on the machines that act as relay servers
#
{% for cidr in postfix_relay_server_permitted_networks %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% if postfix_relay_server is defined and not postfix_relay_server %}
{% if postfix_relay_client is defined%}
{% if postfix_relay_client %}
#
# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_smtp_relay_servers is defined %}
{% for host in postfix_smtp_relay_servers %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% endif %}
{% if iptables is defined %}
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
# TCP rules
{% for tcp_rule in iptables.tcp %}
{% if tcp_rule.allowed_hosts is defined %}
{% for ip in tcp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip %}
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.udp_rules is defined and iptables.udp_rules %}
# UDP rules
{% for udp_rule in iptables.udp %}
{% if udp_rule.allowed_hosts is defined %}
{% for ip in udp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip %}
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.any_rules is defined and iptables.any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for ip in any_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for rule in any_rule.allowed_hosts %}
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
{% endfor %}
{% endfor %}
{% endif %}
# End of the custom rules
{% endif %}
# Prometheus exporters
{% if prometheus_enabled is defined and prometheus_enabled %}
{% if prometheus_servers_ip is defined %}
{% for ip in prometheus_servers_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endif %}
{% endif %}
{% if keepalived_enabled is defined and keepalived_enabled %}
# Keepalived rules. Protocol vrrp, 112
{% if not keepalived_use_unicast %}
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
{% else %}
{% endif %}
-A INPUT -p vrrp -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
{% endif %}
#
# INPUT POLICY
{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_input_default_policy }}
{% endif %}
#
# FORWARD rules and POLICY
{% if iptables_post_nat_enabled %}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% for rule in iptables_nat_rules %}
-A FORWARD {{ rule.options }} -j ACCEPT
{% endfor %}
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}
{% endif %}
COMMIT
{% if iptables_nat_enabled %}
# This should be obsoleted
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if iptables_nat_specify_interfaces %}
{% for int in iptables_nat_interfaces %}
-A POSTROUTING -o {{ int }} -j MASQUERADE
{% endfor %}
{% else %}
-A POSTROUTING -j MASQUERADE
{% endif %}
COMMIT
{% endif %}
{% if iptables_post_nat_enabled %}
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% for rule in iptables_nat_rules %}
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
{% endfor %}
COMMIT
{% endif %}

15
templates/iptables-rules.v6.j2 Normal file
View File

@ -0,0 +1,15 @@
#
# {{ ansible_managed }} don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
{% endif %}
COMMIT