From 1a550b3168278d8f27e6aff796d25e0c2257867f Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 10 Jul 2020 19:17:56 +0200 Subject: [PATCH] Merge the iptables and firewalld roles. --- README.md | 70 ++++-- defaults/main.yml | 87 +++++++- files/mosh.xml | 16 ++ files/traceroute.xml | 7 + handlers/main.yml | 33 ++- meta/main.yml | 67 ++---- tasks/firewalld_disable.yml | 5 + tasks/firewalld_rules.yml | 91 ++++++++ tasks/main.yml | 13 +- tasks/plain-iptables.yml | 107 +++++++++ templates/iptables-rules.v4.j2 | 382 +++++++++++++++++++++++++++++++++ templates/iptables-rules.v6.j2 | 15 ++ 12 files changed, 825 insertions(+), 68 deletions(-) create mode 100644 files/mosh.xml create mode 100644 files/traceroute.xml create mode 100644 tasks/firewalld_disable.yml create mode 100644 tasks/firewalld_rules.yml create mode 100644 tasks/plain-iptables.yml create mode 100644 templates/iptables-rules.v4.j2 create mode 100644 templates/iptables-rules.v6.j2 diff --git a/README.md b/README.md index 3637db8..bd40bf6 100644 --- a/README.md +++ b/README.md @@ -1,31 +1,65 @@ Role Name ========= -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A role that configures firewall rules on a Linux system Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +The most important variables are listed below: + +``` yaml +# Base iptables rules, they use netfilter-persistent +iptables: + tcp_rules: True + tcp: + - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] } + udp_rules: True + udp: + - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] } +iptables_default_policy: ACCEPT +iptables_nat_enabled: False +iptables_nat_specify_interfaces: True +iptables_post_nat_enabled: False +iptables_nat_interfaces: + - '{{ ansible_default_ipv4.interface }}' +iptables_input_default_policy: '{{ iptables_default_policy }}' +iptables_forward_default_policy: '{{ iptables_default_policy }}' +iptables_banned_default_policy: DROP +iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited' +iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited' +nagios_enabled: False +tomcat_cluster_enabled: False +# Another variable needs to be defined before the db rules are set +psql_firewall_enabled: True +mysql_firewall_enabled: True +# +# Firewalld (CentOS only) +# +firewalld_enabled: True +firewalld_default_zone: public +firewalld_ssh_enabled_on_default_zone: True + +firewalld_rules: +# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' } +# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' } +# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' } + +#firewalld_new_services: +# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' } + +# We execute direct rules as they are written +# firewalld_direct_rules: +# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' } + +# firewalld_zones_interfaces: +# - { interface: 'eth1', zone: 'internal' } +``` Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +None License ------- @@ -35,4 +69,4 @@ EUPL-1.2 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +Andrea Dell'Amico, diff --git a/defaults/main.yml b/defaults/main.yml index 95d3c70..935d00f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,2 +1,87 @@ --- -# defaults file for ansible-role-template \ No newline at end of file +iptables_persistent_enabled: True +#iptables_default_policy: REJECT +iptables_default_policy: ACCEPT +iptables_nat_enabled: False +iptables_nat_specify_interfaces: True +iptables_post_nat_enabled: False +iptables_nat_interfaces: + - '{{ ansible_default_ipv4.interface }}' +iptables_input_default_policy: '{{ iptables_default_policy }}' +iptables_forward_default_policy: '{{ iptables_default_policy }}' +iptables_banned_default_policy: DROP +iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited' +iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited' +ganglia_enabled: False +nagios_enabled: False +iptables_open_all_to_isti_nets: False +tomcat_cluster_enabled: False +# Another variable needs to be defined before the db rules are set +psql_firewall_enabled: True +mysql_firewall_enabled: True + +iptables_deb_pkgs: + - iptables + - iptables-persistent + +# +# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables +# +#pg_allowed_hosts: +# - 146.48.123.17/32 +# - 146.48.122.110/32 +# +#munin_server: +# - 146.48.122.15 +# - 146.48.87.88 +#http_port: 80 +#http_allowed_hosts: +# - 1.2.3.4/24 +#https_port: 443 +#https_allowed_hosts: +# - 0.0.0.0/0 +# +# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT' +# iptables: +# tcp_rules: True +# tcp: +# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] } +# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] } +# - { port: '80' } +# udp_rules: True +# udp: +# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] } + +# munin_server: +# - 146.48.122.15 +# - 146.48.87.88 + +#nagios_monitoring_server_ip: 146.48.123.23 +#mongodb: +# start_server: 'yes' +# tcp_port: 27017 +# allowed_hosts: +# - 146.48.123.100/32 + + +# +# firewalld +# +firewalld_enabled: True +firewalld_default_zone: public +firewalld_ssh_enabled_on_default_zone: True + +firewalld_rules: +# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' } +# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' } +# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' } + +#firewalld_new_services: +# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' } + +# We execute direct rules as they are written +# firewalld_direct_rules: +# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' } + +# firewalld_zones_interfaces: +# - { interface: 'eth1', zone: 'internal' } diff --git a/files/mosh.xml b/files/mosh.xml new file mode 100644 index 0000000..eccc3d7 --- /dev/null +++ b/files/mosh.xml @@ -0,0 +1,16 @@ + + + Mosh SSH service + This allows mosh to send and receive datagram connections. + + + + + + + + + + + + diff --git a/files/traceroute.xml b/files/traceroute.xml new file mode 100644 index 0000000..7d2ad90 --- /dev/null +++ b/files/traceroute.xml @@ -0,0 +1,7 @@ + + + ports needed by traceroute + This allows the host to be reached by traceroute. + + + diff --git a/handlers/main.yml b/handlers/main.yml index 27474e0..c7525d7 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,33 @@ --- -# handlers file for ansible-role-template \ No newline at end of file +- name: Start the iptables service + service: name=iptables-persistent state=restarted enabled=yes + notify: Restart fail2ban + +- name: Start the netfilter service + service: name=netfilter-persistent state=restarted enabled=yes + when: is_debian8 + notify: Restart fail2ban + +- name: Flush the iptables rules + command: /etc/init.d/iptables-persistent flush + ignore_errors: true + +- name: Restart fail2ban after an iptables restart + service: name=fail2ban state=restarted enabled=yes + when: has_fail2ban + +- name: Enable and start firewalld + service: name=firewalld state=started enabled=yes + when: firewalld_enabled + +- name: Reload firewall config + command: firewall-cmd --reload + notify: Restart fail2ban + when: firewalld_enabled + +- name: Restart fail2ban + service: name=fail2ban state=restarted + when: + - fail2ban_enabled is defined and fail2ban_enabled + - centos_install_epel + diff --git a/meta/main.yml b/meta/main.yml index 1126a5e..339fea0 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -1,61 +1,34 @@ galaxy_info: - author: your name - description: your description + author: Andrea Dell'Amico + description: Systems Architect company: ISTI-CNR - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value issue_tracker_url: https://redmine-s2i2s.isti.cnr.it/projects/provisioning - # Some suggested licenses: - # - BSD (default) - # - MIT - # - GPLv2 - # - GPLv3 - # - Apache - # - CC-BY - license: EUPL-1.2 + license: EUPL 1.2+ min_ansible_version: 2.8 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # Optionally specify the branch Galaxy will use when accessing the GitHub - # repo for this role. During role install, if no tags are available, - # Galaxy will use this branch. During import Galaxy will access files on - # this branch. If Travis integration is configured, only notifications for this - # branch will be accepted. Otherwise, in all cases, the repo's default branch - # (usually master) will be used. - #github_branch: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. # To view available platforms and versions (or releases), visit: # https://galaxy.ansible.com/api/v1/platforms/ # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 + platforms: + - name: Ubuntu + versions: + - trusty + - bionic + - name: EL + versions: + - 7 - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. + galaxy_tags: + - firewall + - iptables + - firewalld -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. +dependencies: + - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-postfix.git + version: master + name: postfix + state: latest diff --git a/tasks/firewalld_disable.yml b/tasks/firewalld_disable.yml new file mode 100644 index 0000000..24b4d9e --- /dev/null +++ b/tasks/firewalld_disable.yml @@ -0,0 +1,5 @@ +--- +- name: Ensure that the firewalld service is stopped and disabled if we do not want it + service: name=firewalld state=stopped enabled=no + when: not firewalld_enabled | bool + tags: [ 'iptables', 'firewall', 'firewalld' ] diff --git a/tasks/firewalld_rules.yml b/tasks/firewalld_rules.yml new file mode 100644 index 0000000..b8c7b1c --- /dev/null +++ b/tasks/firewalld_rules.yml @@ -0,0 +1,91 @@ +--- +- block: + - name: Ensure that the service is enabled and started + service: name=firewalld state=started enabled=yes + notify: Restart fail2ban + + - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses + firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True + when: firewalld_ssh_enabled_on_default_zone | bool + + - name: Set the firewalld default zone. + command: firewall-cmd --set-default-zone={{ firewalld_default_zone }} + + - name: Add sources to the availability zones, if any + firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True + with_items: '{{ firewalld_src_rules | default([]) }}' + + - name: Assign interfaces to firewalld zones if needed + firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True + with_items: '{{ firewalld_zones_interfaces | default([]) }}' + when: + - firewalld_zones_interfaces is defined + - item.interface is defined + - item.zone is defined + + - name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent + firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True + with_items: '{{ firewalld_rules }}' + when: + - firewalld_rules is defined + - item.service is defined + + - name: Save the ports firewalld rules that need to be permanent + firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True + with_items: '{{ firewalld_rules }}' + when: + - firewalld_rules is defined + - item.port is defined + - item.protocol is defined + + - name: Save the rich_rules firewalld rules that need to be permanent + firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True + with_items: '{{ firewalld_rules }}' + when: + - firewalld_rules is defined + - item.rich_rule is defined + notify: Reload firewall config + + - name: Enable the firewall-cmd direct passthrough rules + shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }} + with_items: '{{ firewalld_direct_rules }}' + args: + creates: /etc/firewalld/.{{ item.label }} + when: + - firewalld_direct_rules is defined + - item.action is defined + + - name: Set the firewall-cmd direct passthrough rules as permanent ones + command: firewall-cmd --direct --permanent --passthrough {{ item.action }} + with_items: '{{ firewalld_direct_rules }}' + when: + - firewalld_direct_rules is defined + - item.action is defined + + - name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file + command: firewall-cmd --new-service={{ item.name }} --permanent + args: + creates: '/etc/firewalld/services/{{ item.name }}.xml' + with_items: '{{ firewalld_new_services }}' + when: firewalld_new_services is defined + notify: Reload firewall config + + - name: Install the custom firewall services + copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml + with_items: '{{ firewalld_new_services }}' + when: firewalld_new_services is defined + notify: Reload firewall config + + - name: Manage the custom services firewalld rules. + firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True + with_items: '{{ firewalld_new_services }}' + when: + - firewalld_new_services is defined + - item.name is defined + notify: Reload firewall config + + # Last one to not take ourselves out + - name: Set the firewalld default zone. + command: firewall-cmd --set-default-zone={{ firewalld_default_zone }} + + tags: [ 'iptables', 'firewall', 'firewalld' ] diff --git a/tasks/main.yml b/tasks/main.yml index 53c6cae..b86f135 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -1,2 +1,13 @@ --- -# tasks file for ansible-role-template \ No newline at end of file +- import_tasks: plain-iptables.yml + when: + - iptables_persistent_enabled + - ansible_distribution_file_variety == "Debian" +- import_tasks: firewalld_rules.yml + when: + - firewalld_enabled + - ansible_distribution_file_variety == "RedHat" +- import_tasks: firewalld_disable.yml + when: + - firewalld_enabled + - ansible_distribution_file_variety == "RedHat" diff --git a/tasks/plain-iptables.yml b/tasks/plain-iptables.yml new file mode 100644 index 0000000..7aae2fe --- /dev/null +++ b/tasks/plain-iptables.yml @@ -0,0 +1,107 @@ +--- +- block: + - name: Install the needed iptables packages + apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800 + + - name: Create the /etc/iptables directory when needed + file: dest=/etc/iptables state=directory owner=root group=root mode=0755 + when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 + + - name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640 + with_items: + - rules.v4 + when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 + notify: Start the iptables service on Ubuntu < 12.04 + + - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_trusty + register: install_iptables_rules_trusty + + - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_debian7 + register: install_iptables_rules_deb7 + + - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: is_debian8 + register: install_netfilter_rules + + - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04 + template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 + with_items: + - rules.v4 + - rules.v6 + when: + - ansible_distribution == 'Ubuntu' + - ansible_distribution_major_version >= '16' + register: install_netfilter_rules + + - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks + service: name=iptables-persistent state=restarted enabled=yes + register: restart_related_t + notify: Restart fail2ban after an iptables restart + when: install_iptables_rules_trusty is changed + + - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks + service: name=iptables-persistent state=restarted enabled=yes + register: restart_related_d7 + notify: Restart fail2ban after an iptables restart + when: install_iptables_rules_deb7 is changed + + - name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks + service: name=netfilter-persistent state=restarted enabled=yes + register: restart_related_x + notify: Restart fail2ban after an iptables restart + when: install_netfilter_rules is changed + + - name: Check if the fail2ban service is present + stat: path=/usr/bin/fail2ban-server + register: fail2ban_installed + + - name: Restart fail2ban after an iptables restart on Ubunt Trusty + service: name=fail2ban state=restarted enabled=yes + when: + - fail2ban_installed.stat.exists + - restart_related_t is changed + + - name: Restart fail2ban after an iptables restart on debian 7 + service: name=fail2ban state=restarted enabled=yes + when: + - fail2ban_installed.stat.exists + - restart_related_d7 is changed + + - name: Restart fail2ban after an iptables restart on Ubuntu Xenial + service: name=fail2ban state=restarted enabled=yes + when: + - fail2ban_installed.stat.exists + - restart_related_x is changed + + - name: Check if the docker service is present + stat: path=/usr/bin/dockerd + register: dockerd_installed + + - name: Restart docker after an iptables restart on Ubuntu Trusty + service: name=docker state=restarted enabled=yes + when: + - dockerd_installed.stat.exists + - restart_related_t is changed + + - name: Restart docker after an iptables restart on Ubuntu Xenial + service: name=docker state=restarted enabled=yes + when: + - dockerd_installed.stat.exists + - restart_related_x is changed + + tags: [ 'iptables', 'iptables_rules' ] diff --git a/templates/iptables-rules.v4.j2 b/templates/iptables-rules.v4.j2 new file mode 100644 index 0000000..ca5a753 --- /dev/null +++ b/templates/iptables-rules.v4.j2 @@ -0,0 +1,382 @@ +# +# {{ ansible_managed }} don't manually modify this file +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +{% if iptables_banlist is defined %} +# We manage the banned IP/networks list before anything else +{% for obj in iptables_banlist %} +{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %} +-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} +{% elif obj.proto is defined and obj.destport is defined %} +-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} +{% elif obj.proto is defined %} +-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} +{% else %} +-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} +{% endif %} +{% endfor %} +{% endif %} +# Return traffic and localhost +-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +# +{% if iptables_managed_ssh is defined and iptables_managed_ssh %} +{% if iptables_ssh_allowed_hosts is defined %} +# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses +{% for ip in iptables_ssh_allowed_hosts %} +-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited +{% endif %} +{% else %} +# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses +-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT +{% endif %} +{% if http_port is not defined %} +{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT +{% endif %} +{% endif %} +{% if http_port is defined %} +# http +{% if http_allowed_hosts is defined %} +{% for ip in http_allowed_hosts %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited +{% else %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT +{% endif %} +{% endif %} + +{% if https_port is defined %} +# https +{% if https_allowed_hosts is defined %} +{% for ip in https_allowed_hosts %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited +{% else %} +{% if https_managed_hosts is defined %} +{% for rule in https_managed_hosts %} +-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }} +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }} +{% else %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT +{% endif %} +{% endif %} +{% endif %} +{% if psql_firewall_enabled %} +{% if psql_db_port is defined %} +{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %} +{% if psql_global_firewall is defined %} +{% for cidr in psql_global_firewall %} +-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT +{% endfor %} +-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP +{% else %} +{% if psql_db_data is defined %} +# postgresql clients +{% for db in psql_db_data %} +{% for ip in db.allowed_hosts %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT +{% endfor %} +{% endfor %} +{% endif %} +{% endif %} +-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT +-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP +{% endif %} +{% endif %} +{% endif %} +{% if mysql_firewall_enabled %} +{% if mysql_db_port is defined %} +{% if mysql_listen_on_ext_int %} +# mysql clients +{% for db in mysql_db_data %} +{% for ip in db.allowed_hosts %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT +{% endfor %} +{% endfor %} +{% endif %} +-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT +-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP +{% endif %} +{% endif %} +{% if openldap_slapd_tcp_port is defined %} +{% if openldap_allowed_clients is defined %} +# LDAP +{% for addr in openldap_allowed_clients %} +{% if not openldap_slapd_ssl_only %} +-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT +{% endif %} +-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited +{% else %} +{% if not openldap_slapd_ssl_only %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT +{% endif %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT +{% endif %} +{% endif %} +{% if mongodb_allowed_hosts is defined %} +# mongodb clients +{% for ip in mongodb_allowed_hosts %} +{% if mongodb_tcp_port is defined %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT +{% else %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT +{% endif %} +{% endfor %} +{% if mongodb_tcp_port is defined %} +-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP +{% else %} +-A INPUT -p tcp -m tcp --dport 27017 -j DROP +{% endif %} +{% endif %} + +{% if docker_swarm is defined and docker_swarm %} +{% for cidr in docker_swarm_allowed_hosts %} +-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT +-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT +-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT +-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT +{% endfor %} +-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited +-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited +-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited +-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited +{% endif %} + +{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %} +# Someone still uses ftp +{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %} +{% for ip in vsftpd_iptables_allowed_hosts %} +-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT +-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT +{% endfor %} +-A INPUT -m helper --helper ftp -j ACCEPT +{% endif %} +{% endif %} +# +# TODO: add the rules that block traffic from now on +# +{% if nagios_enabled is defined %} +{% if nagios_enabled %} +{% if nagios_monitoring_server_ip is defined %} +# Nagios NRPE +{% for ip in nagios_monitoring_server_ip %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT +# Check ntp from the nagios server +-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited +-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited +{% endif %} +{% endif %} +{% endif %} +{% if zabbix_agent_install is defined and zabbix_agent_install %} +{% if zabbix_agent_passive_checks_status == "enabled" %} +# Zabbix servers that can send passive checks +{% for ip in zabbix_monitoring_servers %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited +{% endif %} +{% endif %} + +{% if configure_munin is defined %} +{% if configure_munin %} +{% if munin_server %} +# Munin +{% for ip in munin_server %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited +{% endif %} +{% endif %} +{% endif %} +{% if tomcat_cluster_enabled %} +# tomcat cluster +-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT +-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT +{% if tomcat_cluster_multicast_net is defined %} +-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT +{% endif %} +{% endif %} +{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %} +# orientdb hazelcast multicast rules +-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT +-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT +{% endif %} +# Postfix +{% if postfix_relay_server is defined %} +{% if postfix_relay_server %} +# +# These are only needed on the machines that act as relay servers +# +{% for cidr in postfix_relay_server_permitted_networks %} +-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT +{% endfor %} +-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT +{% if postfix_use_relay_host is defined and postfix_use_relay_host %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT +{% else %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT +{% endif %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP +{% endif %} +{% endif %} +{% if postfix_relay_server is defined and not postfix_relay_server %} +{% if postfix_relay_client is defined%} +{% if postfix_relay_client %} +# +# When we are not a relay server but we want send email using our relay +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT +{% if postfix_smtp_relay_servers is defined %} +{% for host in postfix_smtp_relay_servers %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ host }} -j ACCEPT +{% else %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT +{% endif %} +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid +-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP +{% endif %} +{% endif %} +{% endif %} +{% if iptables is defined %} +{% if iptables.tcp_rules is defined and iptables.tcp_rules %} +# TCP rules +{% for tcp_rule in iptables.tcp %} +{% if tcp_rule.allowed_hosts is defined %} +{% for ip in tcp_rule.allowed_hosts %} +{% if ip is string %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} +{% else %} +{% for ip_really in ip %} +-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} +{% endfor %} +{% endif %} +{% endfor %} +{% else %} +-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} +{% endif %} +{% endfor %} +{% endif %} +{% if iptables.udp_rules is defined and iptables.udp_rules %} +# UDP rules +{% for udp_rule in iptables.udp %} +{% if udp_rule.allowed_hosts is defined %} +{% for ip in udp_rule.allowed_hosts %} +{% if ip is string %} +-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} +{% else %} +{% for ip_really in ip %} +-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} +{% endfor %} +{% endif %} +{% endfor %} +{% else %} +-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} +{% endif %} +{% endfor %} +{% endif %} +{% if iptables.any_rules is defined and iptables.any_rules %} +# ANY rules +{% for any_rule in iptables.any %} +{% for ip in any_rule.allowed_hosts %} +-A INPUT -s {{ ip }} -j ACCEPT +{% endfor %} +{% endfor %} +{% endif %} +{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %} +# ANY rules +{% for any_rule in iptables.any %} +{% for rule in any_rule.allowed_hosts %} +-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }} +{% endfor %} +{% endfor %} +{% endif %} +# End of the custom rules +{% endif %} +# Prometheus exporters +{% if prometheus_enabled is defined and prometheus_enabled %} +{% if prometheus_servers_ip is defined %} +{% for ip in prometheus_servers_ip %} +-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT +{% endfor %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited +{% else %} +-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT +{% endif %} +{% endif %} +{% if keepalived_enabled is defined and keepalived_enabled %} +# Keepalived rules. Protocol vrrp, 112 +{% if not keepalived_use_unicast %} +-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT +-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT +{% else %} +{% endif %} +-A INPUT -p vrrp -j ACCEPT +-A OUTPUT -p vrrp -j ACCEPT +{% endif %} +# +# INPUT POLICY +{% if iptables_input_default_policy == 'REJECT' %} +-A INPUT -j REJECT --reject-with icmp-host-prohibited +{% else %} +-A INPUT -j {{ iptables_input_default_policy }} +{% endif %} +# +# FORWARD rules and POLICY +{% if iptables_post_nat_enabled %} +-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT +{% for rule in iptables_nat_rules %} +-A FORWARD {{ rule.options }} -j ACCEPT +{% endfor %} +{% endif %} +{% if iptables_forward_default_policy == 'REJECT' %} +-A FORWARD -j REJECT --reject-with icmp-host-prohibited +{% else %} +-A FORWARD -j {{ iptables_forward_default_policy }} +{% endif %} +COMMIT +{% if iptables_nat_enabled %} +# This should be obsoleted +# NAT rules +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +{% if iptables_nat_specify_interfaces %} +{% for int in iptables_nat_interfaces %} +-A POSTROUTING -o {{ int }} -j MASQUERADE +{% endfor %} +{% else %} +-A POSTROUTING -j MASQUERADE +{% endif %} +COMMIT +{% endif %} + +{% if iptables_post_nat_enabled %} +# NAT rules +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +{% for rule in iptables_nat_rules %} +-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }} +{% endfor %} +COMMIT +{% endif %} diff --git a/templates/iptables-rules.v6.j2 b/templates/iptables-rules.v6.j2 new file mode 100644 index 0000000..f9cab76 --- /dev/null +++ b/templates/iptables-rules.v6.j2 @@ -0,0 +1,15 @@ +# +# {{ ansible_managed }} don't manually modify this file +# +*filter +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +{% if iptables_default_policy == 'REJECT' %} +-A INPUT -j REJECT --reject-with icmp6-addr-unreachable +-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable +{% else %} +-A INPUT -j {{ iptables_default_policy }} +-A FORWARD -j {{ iptables_default_policy }} +{% endif %} +COMMIT