From 1dbe0c92090c87ff12d112672343a17fba7ea23b Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Sat, 11 Jun 2016 15:24:48 +0200
Subject: [PATCH] library/roles/iptables: Manage NAT and different defaults for INPUT and FORWARD chains.
---
 iptables/defaults/main.yml | 6 +++
 iptables/templates/iptables-rules.v4.j2 | 51 +++++++++++++------------
 iptables/templates/iptables-rules.v6.j2 | 3 ++
 3 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml
index 9d499b3b..d1f45b7f 100644
--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@@ -40,6 +40,12 @@
 #iptables_default_policy: REJECT
 iptables_default_policy: ACCEPT
+iptables_nat_enabled: False
+iptables_nat_specify_interfaces: True
+iptables_nat_interfaces:
+ - eth0
+iptables_input_default_policy: '{{ iptables_default_policy }}'
+iptables_forward_default_policy: '{{ iptables_default_policy }}'
 iptables_banned_default_policy: DROP
 ganglia_enabled: False
 nagios_enabled: False
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index ad6b7d66..95d93951 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -1,11 +1,10 @@
 #
-# don't manually modify this file
+# {{ ansible_managed }} don't manually modify this file
 #
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-
 # We manage the banned IP/networks list before anything else
 {% if iptables_banlist is defined %}
 {% for obj in iptables_banlist %}
@@ -20,7 +19,7 @@
 {% endif %}
 {% endfor %}
 {% endif %}
-
+# Return traffic and localhost
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
@@ -52,7 +51,6 @@
 -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
 {% endif %}
 {% endif %}
-
 {% if https_port is defined %}
 # https
 {% if https_allowed_hosts is defined %}
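Review bot: The new NAT variables carry no comment, and what `iptables_nat_enabled` switches on is not obvious from its name: the template hunk in `iptables/templates/iptables-rules.v4.j2` replaces the FORWARD default-policy rule with an unconditional `-A FORWARD -j ACCEPT` and adds a MASQUERADE rule on the listed interfaces. A comment above `iptables_nat_enabled` should say so, e.g. `# True: accept all forwarded traffic and MASQUERADE on iptables_nat_interfaces; iptables_forward_default_policy is then not applied`. Defaulting `iptables_nat_interfaces` to `eth0` masquerades on whatever interface happens to carry that name, which on hosts using predictable interface names may not exist at all; `'{{ ansible_default_ipv4.interface }}'` would follow the same fact the template already uses for `ansible_default_ipv4.address`.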
@@ -63,7 +61,6 @@
 -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
 {% endif %}
 {% endif %}
-
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int %}
 # postgresql clients
@@ -76,7 +73,6 @@
 -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
 {% endif %}
-
 {% if mysql_db_port is defined %}
 {% if mysql_listen_on_ext_int %}
 # mysql clients
@@ -89,9 +85,9 @@
 -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
 -A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
 {% endif %}
-
 {% if openldap_slapd_tcp_port is defined %}
 {% if openldap_allowed_clients is defined %}
+# LDAP
 {% for addr in openldap_allowed_clients %}
 {% if not openldap_slapd_ssl_only %}
 -A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
@@ -105,7 +101,6 @@
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
 {% endif %}
 {% endif %}
-
 {% if mongodb_allowed_hosts is defined %}
 # mongodb clients
 {% for ip in mongodb_allowed_hosts %}
@@ -121,14 +116,12 @@
 -A INPUT -p tcp -m tcp --dport 27017 -j DROP
 {% endif %}
 {% endif %}
-
 {% if dnet_ports is defined %}
 # dnet services
 {% for tcp_port in dnet_ports %}
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
 {% endfor %}
 {% endif %}
-
 {% if dnet_jmx_ports is defined %}
 # dnet jmx ports. Open to the isti networks only
 {% for tcp_port in dnet_jmx_ports %}
@@ -137,7 +130,6 @@
 -A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
 {% endfor %}
 {% endif %}
-
 {% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
 # Someone still uses ftp
 {% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
@@ -148,12 +140,11 @@
 -A INPUT -m helper --helper ftp -j ACCEPT
 {% endif %}
 {% endif %}
-
 {% if nagios_enabled is defined %}
 {% if nagios_enabled %}
 {% if nagios_monitoring_server_ip is defined %}
-{% for ip in nagios_monitoring_server_ip %}
 # Nagios NRPE
+{% for ip in nagios_monitoring_server_ip %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
 # Check ntp from the nagios server
 -A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
@@ -161,25 +152,21 @@
 {% endif %}
 {% endif %}
 {% endif %}
-
 {% if configure_munin is defined %}
 {% if configure_munin %}
 {% if munin_server %}
-{% for ip in munin_server %}
 # Munin
+{% for ip in munin_server %}
 -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
 {% endfor %}
 {% endif %}
 {% endif %}
 {% endif %}
-
 {% if tomcat_cluster_enabled %}
 # tomcat cluster
 -A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
 {% endif %}
-
-
 {% if ganglia_enabled is defined %}
 {% if ganglia_enabled %}
 {% if ganglia_gmond_cluster_port is defined %}
@@ -195,7 +182,6 @@
 {% endif %}
 {% endif %}
 {% endif %}
-
 {% if postfix_relay_server is defined %}
 {% if postfix_relay_server %}
 #
@@ -224,9 +210,9 @@
 {% endif %}
 {% endif %}
 {% endif %}
-
 {% if iptables is defined %}
 {% if iptables.tcp_rules is defined and iptables.tcp_rules %}
+# TCP rules
 {% for tcp_rule in iptables.tcp %}
 {% if tcp_rule.allowed_hosts is defined %}
 {% for ip in tcp_rule.allowed_hosts %}
@@ -237,8 +223,8 @@
 {% endif %}
 {% endfor %}
 {% endif %}
-
 {% if iptables.udp_rules is defined and iptables.udp_rules %}
+# UDP rules
 {% for udp_rule in iptables.udp %}
 {% if udp_rule.allowed_hosts is defined %}
 {% for ip in udp_rule.allowed_hosts %}
@@ -251,14 +237,29 @@
 {% endif %}
 {% endif %}
 #
-# -A INPUT -s 125.24.0.0/14 -j DROP
-{% if iptables_default_policy == 'REJECT' %}
+{% if iptables_input_default_policy == 'REJECT' %}
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -j {{ iptables_input_default_policy }}
+{% endif %}
+{% if not iptables_nat_enabled %}
+{% if iptables_forward_default_policy == 'REJECT' %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 {% else %}
--A INPUT -j {{ iptables_default_policy }}
--A FORWARD -j {{ iptables_default_policy }}
+-A FORWARD -j {{ iptables_forward_default_policy }}
+{% endif %}
+{% else %}
+# NAT is enabled, we need to accept traffic that is forwarded
+-A FORWARD -j ACCEPT
+# NAT rules
+*nat
+{% if iptables_nat_specify_interfaces %}
+{% for int in iptables_nat_interface %}
+-A POSTROUTING -o {{ int }} -j MASQUERADE
+{% endfor %}
+{% else %}
+-A POSTROUTING -j MASQUERADE
 {% endif %}
 COMMIT
diff --git a/iptables/templates/iptables-rules.v6.j2 b/iptables/templates/iptables-rules.v6.j2
index 204f38b9..f9cab76f 100644
--- a/iptables/templates/iptables-rules.v6.j2
+++ b/iptables/templates/iptables-rules.v6.j2
@@ -1,3 +1,6 @@
+#
+# {{ ansible_managed }} don't manually modify this file
+#
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
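Review bot: The `{% if not iptables_nat_enabled %} … {% else %}` block this hunk opens is never closed — the single `{% endif %}` after `-A POSTROUTING -j MASQUERADE` closes `{% if iptables_nat_specify_interfaces %}` — so unless one of the two context lines the collapsed hunk does not show is an `{% endif %}`, Jinja rejects the template. The NAT branch also loops over `iptables_nat_interface`, while the defaults hunk defines `iptables_nat_interfaces`, and it starts `*nat` without first committing `*filter`, leaving the trailing `COMMIT` to the nat table only; I believe iptables-restore refuses a table opened before the previous one's COMMIT. Finally `-A FORWARD -j ACCEPT` forwards in every direction as soon as NAT is on, so `iptables_forward_default_policy` stops applying; accepting only return traffic and traffic leaving through the masqueraded interfaces, then falling through to that policy, keeps the chain bounded. A rewrite of the tail that addresses all four points:
```jinja
{# … unchanged: INPUT default-policy rules … #}
{% if iptables_nat_enabled %}
# NAT is enabled: forward return traffic and traffic leaving via the NAT interfaces
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
{% if iptables_nat_specify_interfaces %}
{% for int in iptables_nat_interfaces %}
-A FORWARD -o {{ int }} -j ACCEPT
{% endfor %}
{% else %}
-A FORWARD -j ACCEPT
{% endif %}
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}
{% endif %}
COMMIT
{% if iptables_nat_enabled %}
# NAT rules
*nat
{# … unchanged: POSTROUTING MASQUERADE rules, loop variable renamed to iptables_nat_interfaces … #}
COMMIT
{% endif %}
```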