the iptables and firewalld roles have been merged into 'linux-firewall'.

This commit is contained in:
Andrea Dell'Amico 2020-07-10 19:08:47 +02:00
parent 4041633aa4
commit 139b3068dc
16 changed files with 30 additions and 800 deletions


@ -6,9 +6,19 @@ dependencies:
- role: '../../library/roles/sshd_config'
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- role: '../../library/centos/roles/firewalld'
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
version: master
name: linux-firewall
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
version: master
name: letsencrypt-acme-sh-client
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
version: master
name: zabbix-agent
state: latest
when: zabbix_agent_install is defined and zabbix_agent_install
- role: '../../library/centos/roles/fail2ban'
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
- { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
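Review bot: The new `linux-firewall` entry is resolved from a mutable branch (`version: master`) and re-fetched on every install (`state: latest`), so the code that writes this host's firewall rules can change between runs with no change to this repository and no review step. For a role with that much privilege, pin to an immutable ref — a release tag or a full commit SHA in `version:` — and drop `state: latest`, so the resolved role only changes when the pin does; the same applies to the letsencrypt-acme-sh-client and zabbix-agent entries below it. The firewalld role this commit deletes notified a fail2ban restart after reloading the firewall (see its removed handlers), and whether linux-firewall preserves that cannot be confirmed from this page, so it is worth checking before relying on the `fail2ban` dependency that stays in this list.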


@ -4,9 +4,19 @@ dependencies:
- role: '../../library/roles/rsyslog'
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- role: '../../library/roles/tmpreaper'
- role: '../../library/roles/iptables'
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
version: master
name: linux-firewall
state: latest
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
- role: '../../library/roles/sshd_config'
- { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
version: master
name: letsencrypt-acme-sh-client
state: latest
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
version: master
name: zabbix-agent
state: latest
when: zabbix_agent_install is defined and zabbix_agent_install
- { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
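Review bot: The `letsencrypt-acme-sh-client` `src:` entry carries no `when:`, while the neighbouring `zabbix-agent` `src:` entry is guarded by `when: zabbix_agent_install is defined and zabbix_agent_install` and the `role:` form a few lines above it is guarded by `letsencrypt_acme_sh_install`. If that conditional `role:` line is the one this commit drops, the ACME client role will run on every host that depends on this meta file, not only on those that opted in. Add `when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install` to the `src:` entry so it matches the zabbix-agent one. Separately, `version: master` with `state: latest` on the linux-firewall entry means the firewall code is whatever the branch head is at install time; pin it to a tag or full commit SHA.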


@ -1,19 +0,0 @@
---
firewalld_enabled: True
firewalld_default_zone: public
firewalld_ssh_enabled_on_default_zone: True
firewalld_rules:
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
#firewalld_new_services:
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
# We execute direct rules as they are written
# firewalld_direct_rules:
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
# firewalld_zones_interfaces:
# - { interface: 'eth1', zone: 'internal' }


@ -1,16 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Mosh SSH service</short>
<description>This allows mosh to send and receive datagram connections.</description>
<port protocol="udp" port="60000"/>
<port protocol="udp" port="60001"/>
<port protocol="udp" port="60002"/>
<port protocol="udp" port="60003"/>
<port protocol="udp" port="60004"/>
<port protocol="udp" port="60005"/>
<port protocol="udp" port="60006"/>
<port protocol="udp" port="60007"/>
<port protocol="udp" port="60008"/>
<port protocol="udp" port="60009"/>
<port protocol="udp" port="60010"/>
</service>


@ -1,7 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>ports needed by traceroute</short>
<description>This allows the host to be reached by traceroute.</description>
<port protocol="udp" port="33434"/>
<port protocol="udp" port="33523"/>
</service>


@ -1,16 +0,0 @@
---
- name: Enable and start firewalld
service: name=firewalld state=started enabled=yes
when: firewalld_enabled
- name: Reload firewall config
command: firewall-cmd --reload
notify: Restart fail2ban
when: firewalld_enabled
- name: Restart fail2ban
service: name=fail2ban state=restarted
when:
- fail2ban_enabled is defined and fail2ban_enabled
- centos_install_epel


@ -1,5 +0,0 @@
---
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
service: name=firewalld state=stopped enabled=no
when: not firewalld_enabled | bool
tags: [ 'iptables', 'firewall', 'firewalld' ]


@ -1,91 +0,0 @@
---
- block:
- name: Ensure that the service is enabled and started
service: name=firewalld state=started enabled=yes
notify: Restart fail2ban
- name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
when: firewalld_ssh_enabled_on_default_zone | bool
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
- name: Add sources to the availability zones, if any
firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_src_rules | default([]) }}'
- name: Assign interfaces to firewalld zones if needed
firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True
with_items: '{{ firewalld_zones_interfaces | default([]) }}'
when:
- firewalld_zones_interfaces is defined
- item.interface is defined
- item.zone is defined
- name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.service is defined
- name: Save the ports firewalld rules that need to be permanent
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.port is defined
- item.protocol is defined
- name: Save the rich_rules firewalld rules that need to be permanent
firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_rules }}'
when:
- firewalld_rules is defined
- item.rich_rule is defined
notify: Reload firewall config
- name: Enable the firewall-cmd direct passthrough rules
shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
args:
creates: /etc/firewalld/.{{ item.label }}
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Set the firewall-cmd direct passthrough rules as permanent ones
command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
with_items: '{{ firewalld_direct_rules }}'
when:
- firewalld_direct_rules is defined
- item.action is defined
- name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
command: firewall-cmd --new-service={{ item.name }} --permanent
args:
creates: '/etc/firewalld/services/{{ item.name }}.xml'
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Install the custom firewall services
copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
with_items: '{{ firewalld_new_services }}'
when: firewalld_new_services is defined
notify: Reload firewall config
- name: Manage the custom services firewalld rules.
firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
with_items: '{{ firewalld_new_services }}'
when:
- firewalld_new_services is defined
- item.name is defined
notify: Reload firewall config
# Last one to not take ourselves out
- name: Set the firewalld default zone.
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
tags: [ 'iptables', 'firewall', 'firewalld' ]


@ -1,7 +0,0 @@
---
- import_tasks: firewalld_rules.yml
when: firewalld_enabled | bool
- import_tasks: disable_firewalld.yml
when: not firewalld_enabled | bool


@ -1,63 +0,0 @@
---
iptables_deb_pkgs:
- iptables
- iptables-persistent
#
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
#
#pg_allowed_hosts:
# - 146.48.123.17/32
# - 146.48.122.110/32
#
#munin_server:
# - 146.48.122.15
# - 146.48.87.88
#http_port: 80
#http_allowed_hosts:
# - 1.2.3.4/24
#https_port: 443
#https_allowed_hosts:
# - 0.0.0.0/0
#
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
# iptables:
# tcp_rules: True
# tcp:
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
# - { port: '80' }
# udp_rules: True
# udp:
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
# munin_server:
# - 146.48.122.15
# - 146.48.87.88
#nagios_monitoring_server_ip: 146.48.123.23
#mongodb:
# start_server: 'yes'
# tcp_port: 27017
# allowed_hosts:
# - 146.48.123.100/32
#iptables_default_policy: REJECT
iptables_default_policy: ACCEPT
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
iptables_nat_interfaces:
- '{{ ansible_default_ipv4.interface }}'
iptables_input_default_policy: '{{ iptables_default_policy }}'
iptables_forward_default_policy: '{{ iptables_default_policy }}'
iptables_banned_default_policy: DROP
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
ganglia_enabled: False
nagios_enabled: False
iptables_open_all_to_isti_nets: False
tomcat_cluster_enabled: False
# Another variable needs to be defined before the db rules are set
psql_firewall_enabled: True
mysql_firewall_enabled: True


@ -1,25 +0,0 @@
---
- name: Start the iptables service
service: name=iptables-persistent state=restarted enabled=yes
notify: Restart fail2ban
- name: Start the netfilter service
service: name=netfilter-persistent state=restarted enabled=yes
when: is_debian8
notify: Restart fail2ban
- name: Flush the iptables rules
command: /etc/init.d/iptables-persistent flush
ignore_errors: true
- name: Start the iptables service on Ubuntu < 12.04
command: /etc/init.d/iptables-persistent start
ignore_errors: true
- name: Stop the iptables service on Ubuntu < 12.04
command: /etc/init.d/iptables-persistent stop
ignore_errors: true
- name: Restart fail2ban after an iptables restart
service: name=fail2ban state=restarted enabled=yes
when: has_fail2ban


@ -1,4 +0,0 @@
---
dependencies:
- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- { role: '../../library/roles/postfix-relay', when: postfix_relay_server is defined and postfix_relay_server }


@ -1,127 +0,0 @@
---
- block:
- name: Install the needed iptables packages
apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
- name: Create the /etc/iptables directory when needed
file: dest=/etc/iptables state=directory owner=root group=root mode=0755
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
with_items:
- rules.v4
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
notify: Start the iptables service on Ubuntu < 12.04
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_precise
register: install_iptables_rules_precise
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_trusty
register: install_iptables_rules_trusty
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian7
register: install_iptables_rules_deb7
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when: is_debian8
register: install_netfilter_rules
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
with_items:
- rules.v4
- rules.v6
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_major_version >= '16'
register: install_netfilter_rules
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_p
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_precise is changed
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_t
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_trusty is changed
- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
service: name=iptables-persistent state=restarted enabled=yes
register: restart_related_d7
notify: Restart fail2ban after an iptables restart
when: install_iptables_rules_deb7 is changed
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
service: name=netfilter-persistent state=restarted enabled=yes
register: restart_related_x
notify: Restart fail2ban after an iptables restart
when: install_netfilter_rules is changed
- name: Check if the fail2ban service is present
stat: path=/usr/bin/fail2ban-server
register: fail2ban_installed
- name: Restart fail2ban after an iptables restart on Ubuntu Precise
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_p is changed
- name: Restart fail2ban after an iptables restart on Ubunt Trusty
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_t is changed
- name: Restart fail2ban after an iptables restart on debian 7
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_d7 is changed
- name: Restart fail2ban after an iptables restart on Ubuntu Xenial
service: name=fail2ban state=restarted enabled=yes
when:
- fail2ban_installed.stat.exists
- restart_related_x is changed
- name: Check if the docker service is present
stat: path=/usr/bin/dockerd
register: dockerd_installed
- name: Restart docker after an iptables restart on Ubuntu Trusty
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_t is changed
- name: Restart docker after an iptables restart on Ubuntu Xenial
service: name=docker state=restarted enabled=yes
when:
- dockerd_installed.stat.exists
- restart_related_x is changed
tags: [ 'iptables', 'iptables_rules' ]


@ -1,398 +0,0 @@
#
# {{ ansible_managed }} don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if iptables_banlist is defined %}
# We manage the banned IP/networks list before anything else
{% for obj in iptables_banlist %}
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% elif obj.proto is defined and obj.destport is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% elif obj.proto is defined %}
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% else %}
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
{% endif %}
{% endfor %}
{% endif %}
# Return traffic and localhost
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in iptables_ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% else %}
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if http_port is not defined %}
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
{% endif %}
{% endif %}
{% if http_port is defined %}
# http
{% if http_allowed_hosts is defined %}
{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if https_port is defined %}
# https
{% if https_allowed_hosts is defined %}
{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if https_managed_hosts is defined %}
{% for rule in https_managed_hosts %}
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
{% endif %}
{% endif %}
{% endif %}
{% if psql_firewall_enabled %}
{% if psql_db_port is defined %}
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
{% if psql_global_firewall is defined %}
{% for cidr in psql_global_firewall %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% else %}
{% if psql_db_data is defined %}
# postgresql clients
{% for db in psql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% endif %}
{% endif %}
{% endif %}
{% if mysql_firewall_enabled %}
{% if mysql_db_port is defined %}
{% if mysql_listen_on_ext_int %}
# mysql clients
{% for db in mysql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
{% endif %}
{% endif %}
{% if openldap_slapd_tcp_port is defined %}
{% if openldap_allowed_clients is defined %}
# LDAP
{% for addr in openldap_allowed_clients %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if mongodb_allowed_hosts is defined %}
# mongodb clients
{% for ip in mongodb_allowed_hosts %}
{% if mongodb_tcp_port is defined %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
{% else %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
{% endif %}
{% endfor %}
{% if mongodb_tcp_port is defined %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
{% else %}
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
{% endif %}
{% endif %}
{% if docker_swarm is defined and docker_swarm %}
{% for cidr in docker_swarm_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
{% endif %}
{% endif %}
#
# TODO: add the rules that block traffic from now on
#
{% if nagios_enabled is defined %}
{% if nagios_enabled %}
{% if nagios_monitoring_server_ip is defined %}
# Nagios NRPE
{% for ip in nagios_monitoring_server_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
# Check ntp from the nagios server
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if zabbix_agent_install is defined and zabbix_agent_install %}
{% if zabbix_agent_passive_checks_status == "enabled" %}
# Zabbix servers that can send passive checks
{% for ip in zabbix_monitoring_servers %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% if configure_munin is defined %}
{% if configure_munin %}
{% if munin_server %}
# Munin
{% for ip in munin_server %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if tomcat_cluster_enabled %}
# tomcat cluster
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
{% if tomcat_cluster_multicast_net is defined %}
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
{% endif %}
{% endif %}
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
# orientdb hazelcast multicast rules
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
{% endif %}
# Ganglia
{% if ganglia_enabled is defined and ganglia_enabled %}
{% if ganglia_gmond_cluster_port is defined %}
{% if ganglia_unicast_mode is defined %}
{% if ganglia_unicast_mode %}
{% for net in ganglia_unicast_networks %}
-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endfor %}
{% else %}
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
{% else %}
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endif %}
{% endif %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endif %}
{% endif %}
# Postfix
{% if postfix_relay_server is defined %}
{% if postfix_relay_server %}
#
# These are only needed on the machines that act as relay servers
#
{% for cidr in postfix_relay_server_permitted_networks %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% if postfix_relay_server is defined and not postfix_relay_server %}
{% if postfix_relay_client is defined%}
{% if postfix_relay_client %}
#
# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% endif %}
{% if iptables is defined %}
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
# TCP rules
{% for tcp_rule in iptables.tcp %}
{% if tcp_rule.allowed_hosts is defined %}
{% for ip in tcp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip %}
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.udp_rules is defined and iptables.udp_rules %}
# UDP rules
{% for udp_rule in iptables.udp %}
{% if udp_rule.allowed_hosts is defined %}
{% for ip in udp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip %}
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.any_rules is defined and iptables.any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for ip in any_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for rule in any_rule.allowed_hosts %}
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
{% endfor %}
{% endfor %}
{% endif %}
# End of the custom rules
{% endif %}
# Prometheus exporters
{% if prometheus_enabled is defined and prometheus_enabled %}
{% if prometheus_servers_ip is defined %}
{% for ip in prometheus_servers_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endif %}
{% endif %}
{% if keepalived_enabled is defined and keepalived_enabled %}
# Keepalived rules. Protocol vrrp, 112
{% if not keepalived_use_unicast %}
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
{% else %}
{% endif %}
-A INPUT -p vrrp -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
{% endif %}
#
# INPUT POLICY
{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_input_default_policy }}
{% endif %}
#
# FORWARD rules and POLICY
{% if iptables_post_nat_enabled %}
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% for rule in iptables_nat_rules %}
-A FORWARD {{ rule.options }} -j ACCEPT
{% endfor %}
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}
{% endif %}
COMMIT
{% if iptables_nat_enabled %}
# This should be obsoleted
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if iptables_nat_specify_interfaces %}
{% for int in iptables_nat_interfaces %}
-A POSTROUTING -o {{ int }} -j MASQUERADE
{% endfor %}
{% else %}
-A POSTROUTING -j MASQUERADE
{% endif %}
COMMIT
{% endif %}
{% if iptables_post_nat_enabled %}
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% for rule in iptables_nat_rules %}
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
{% endfor %}
COMMIT
{% endif %}

View File

@ -1,15 +0,0 @@
#
# {{ ansible_managed }} don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
{% endif %}
COMMIT


@ -2,7 +2,10 @@
dependencies:
- role: '../../library/roles/deb-apt-setup'
- { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
- role: 'basic-system-setup'
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git
version: master
name: basic-system-setup
state: latest
- role: '../../library/roles/motd'
- role: '../../library/roles/ntp'
- role: '../../library/roles/linux-kernel-sysctl'
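Review bot: `basic-system-setup` is now fetched from the git remote at `version: master` with `state: latest`, so a dependency applied to every host is resolved to whatever that branch head is at install time, with no pin that this repository controls. Replace `version: master` with a release tag or full commit SHA and drop `state: latest`, so a change pushed to that branch — intended or not — cannot silently alter what is applied here until someone bumps the pin. The same reasoning applies to the other `src:` entries in this commit.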