Change the iptables rules.v4 template to support specific policies and to automatically reject the traffic for not allowed addresses.
This commit is contained in:
Andrea Dell'Amico
parent
4a4af42f19
commit
8156a3883b
|
|
@ -16,16 +16,16 @@
|
|||
#https_allowed_hosts:
|
||||
# - 0.0.0.0/0
|
||||
#
|
||||
# Generic tcp and udp access
|
||||
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
|
||||
# iptables:
|
||||
# tcp_rules: True
|
||||
# tcp:
|
||||
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
|
||||
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
|
||||
# - { port: '80' }
|
||||
# udp_rules: True
|
||||
# udp:
|
||||
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
||||
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
|
||||
|
||||
# munin_server:
|
||||
# - 146.48.122.15
|
||||
|
|
@ -47,6 +47,8 @@ iptables_nat_interfaces:
|
|||
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_banned_default_policy: DROP
|
||||
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||
ganglia_enabled: False
|
||||
nagios_enabled: False
|
||||
iptables_open_all_to_isti_nets: False
|
||||
|
|
|
|||
|
|
@ -30,6 +30,7 @@
|
|||
{% for ip in iptables_ssh_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
||||
|
|
@ -52,20 +53,30 @@
|
|||
{% for ip in http_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if https_port is defined %}
|
||||
# https
|
||||
{% if https_allowed_hosts is defined %}
|
||||
{% for ip in https_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
{% if https_managed_hosts is defined %}
|
||||
{% for rule in https_managed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if psql_firewall_enabled %}
|
||||
{% if psql_db_port is defined %}
|
||||
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
||||
|
|
@ -105,6 +116,8 @@
|
|||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
{% if not openldap_slapd_ssl_only %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
||||
|
|
@ -140,6 +153,7 @@
|
|||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||
# Someone still uses ftp
|
||||
|
|
@ -151,6 +165,9 @@
|
|||
-A INPUT -m helper --helper ftp -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
#
|
||||
# TODO: add the rules that block traffic from now on
|
||||
#
|
||||
{% if nagios_enabled is defined %}
|
||||
{% if nagios_enabled %}
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
|
|
@ -160,6 +177,8 @@
|
|||
# Check ntp from the nagios server
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
@ -170,6 +189,7 @@
|
|||
{% for ip in munin_server %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
|
@ -192,6 +212,7 @@
|
|||
{% for ip in prometheus_servers_ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
||||
{% endif %}
|
||||
|
|
@ -224,6 +245,7 @@
|
|||
# These are only needed on the machines that act as relay servers
|
||||
#
|
||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
|
||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
|
|
@ -253,15 +275,15 @@
|
|||
{% if tcp_rule.allowed_hosts is defined %}
|
||||
{% for ip in tcp_rule.allowed_hosts %}
|
||||
{% if ip is string %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% else %}
|
||||
{% for ip_really in ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
@ -271,15 +293,15 @@
|
|||
{% if udp_rule.allowed_hosts is defined %}
|
||||
{% for ip in udp_rule.allowed_hosts %}
|
||||
{% if ip is string %}
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% else %}
|
||||
{% for ip_really in ip %}
|
||||
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
||||
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
||||
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
|
@ -291,6 +313,14 @@
|
|||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
|
||||
# ANY rules
|
||||
{% for any_rule in iptables.any %}
|
||||
{% for rule in any_rule.allowed_hosts %}
|
||||
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
# End of the custom rules
|
||||
{% endif %}
|
||||
{% if keepalived_enabled is defined and keepalived_enabled %}
|
||||
|
|
|
|||
Loading…
Reference in New Issue