From 139b3068dc0daf07e51c3cedfaed76fcf62886f7 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Fri, 10 Jul 2020 19:08:47 +0200 Subject: [PATCH] the iptables and firewalld roles have been merged into 'linux-firewall'. --- .../centos-common/meta/main.yml | 16 +- .../deb-ubuntu-common/meta/main.yml | 16 +- .../centos/roles/firewalld/defaults/main.yml | 19 - library/centos/roles/firewalld/files/mosh.xml | 16 - .../roles/firewalld/files/traceroute.xml | 7 - .../centos/roles/firewalld/handlers/main.yml | 16 - .../firewalld/tasks/disable_firewalld.yml | 5 - .../roles/firewalld/tasks/firewalld_rules.yml | 91 ---- library/centos/roles/firewalld/tasks/main.yml | 7 - library/roles/iptables/defaults/main.yml | 63 --- library/roles/iptables/handlers/main.yml | 25 -- library/roles/iptables/meta/main.yml | 4 - library/roles/iptables/tasks/main.yml | 127 ------ .../iptables/templates/iptables-rules.v4.j2 | 398 ------------------ .../iptables/templates/iptables-rules.v6.j2 | 15 - .../roles/ubuntu-deb-general/meta/main.yml | 5 +- 16 files changed, 30 insertions(+), 800 deletions(-) delete mode 100644 library/centos/roles/firewalld/defaults/main.yml delete mode 100644 library/centos/roles/firewalld/files/mosh.xml delete mode 100644 library/centos/roles/firewalld/files/traceroute.xml delete mode 100644 library/centos/roles/firewalld/handlers/main.yml delete mode 100644 library/centos/roles/firewalld/tasks/disable_firewalld.yml delete mode 100644 library/centos/roles/firewalld/tasks/firewalld_rules.yml delete mode 100644 library/centos/roles/firewalld/tasks/main.yml delete mode 100644 library/roles/iptables/defaults/main.yml delete mode 100644 library/roles/iptables/handlers/main.yml delete mode 100644 library/roles/iptables/meta/main.yml delete mode 100644 library/roles/iptables/tasks/main.yml delete mode 100644 library/roles/iptables/templates/iptables-rules.v4.j2 delete mode 100644 library/roles/iptables/templates/iptables-rules.v6.j2 
diff --git a/library/bootstrap-roles/centos-common/meta/main.yml b/library/bootstrap-roles/centos-common/meta/main.yml
index 7977f760..615739d8 100644
--- a/library/bootstrap-roles/centos-common/meta/main.yml
+++ b/library/bootstrap-roles/centos-common/meta/main.yml
@@ -6,9 +6,19 @@ dependencies:
 - role: '../../library/roles/sshd_config'
 - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
 - { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- - role: '../../library/centos/roles/firewalld'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+ version: master
+ name: linux-firewall
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+ version: master
+ name: letsencrypt-acme-sh-client
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ state: latest
+ when: zabbix_agent_install is defined and zabbix_agent_install
 - role: '../../library/centos/roles/fail2ban'
 - { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
- - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
 - { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
diff --git a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
index a4cc33f3..f3d25fc9 100644
--- a/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
+++ b/library/bootstrap-roles/deb-ubuntu-common/meta/main.yml
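Review bot: The `letsencrypt-acme-sh-client` dependency loses its guard in the centos-common hunk: the removed entry ran only `when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install`, while the new `src:` stanza for that role has no `when:` at all, so the ACME client role now runs on every host that includes centos-common (the zabbix-agent stanza, by contrast, keeps its condition). The same drop appears in the deb-ubuntu-common hunk below. Unless unconditional installation is intended, add `when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install` after that stanza's `state: latest` in both files. Separately, all three git sources track `version: master`, so whatever the branch holds at install time is what ends up deciding which services are reachable on every bootstrapped host; pinning `version:` to a tag or commit (placeholder `version: <tag-or-commit>`) makes the deployed firewall code reviewable and reproducible.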
@@ -4,9 +4,19 @@ dependencies:
 - role: '../../library/roles/rsyslog'
 - { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
 - role: '../../library/roles/tmpreaper'
- - role: '../../library/roles/iptables'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
+ version: master
+ name: linux-firewall
+ state: latest
 - { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
 - role: '../../library/roles/sshd_config'
- - { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
- - { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
+ version: master
+ name: letsencrypt-acme-sh-client
+ state: latest
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
+ version: master
+ name: zabbix-agent
+ state: latest
+ when: zabbix_agent_install is defined and zabbix_agent_install
 - { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
diff --git a/library/centos/roles/firewalld/defaults/main.yml b/library/centos/roles/firewalld/defaults/main.yml
deleted file mode 100644
index 04cf069a..00000000
--- a/library/centos/roles/firewalld/defaults/main.yml
+++ /dev/null
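Review bot: The removed `../../library/roles/iptables` entry in the deb-ubuntu-common hunk pulled in `../../library/roles/postfix-relay` through its own meta/main.yml (deleted further down in this patch, conditioned on `postfix_relay_client` / `postfix_relay_server`), and the replacement `linux-firewall` stanza carries nothing equivalent; unless postfix-relay is listed in the first three lines of this file, which are outside the hunk, or the new role declares it itself, Debian/Ubuntu hosts silently lose that dependency while centos-common keeps an explicit postfix-relay entry. If that is not intended, add `- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }` next to the linux-firewall stanza, mirroring centos-common. The three `src:` stanzas are now also duplicated verbatim between the two bootstrap meta files, so any future version pin has to be edited in two places; a shared requirements file both roles reference would keep them in lockstep.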
@@ -1,19 +0,0 @@ ---- -firewalld_enabled: True -firewalld_default_zone: public -firewalld_ssh_enabled_on_default_zone: True - -firewalld_rules: -# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' } -# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' } -# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' } - -#firewalld_new_services: -# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' } - -# We execute direct rules as they are written -# firewalld_direct_rules: -# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' } - -# firewalld_zones_interfaces: -# - { interface: 'eth1', zone: 'internal' } diff --git a/library/centos/roles/firewalld/files/mosh.xml b/library/centos/roles/firewalld/files/mosh.xml deleted file mode 100644 index eccc3d79..00000000 --- a/library/centos/roles/firewalld/files/mosh.xml +++ /dev/null @@ -1,16 +0,0 @@ - - - Mosh SSH service - This allows mosh to send and receive datagram connections. - - - - - - - - - - - - diff --git a/library/centos/roles/firewalld/files/traceroute.xml b/library/centos/roles/firewalld/files/traceroute.xml deleted file mode 100644 index 7d2ad903..00000000 --- a/library/centos/roles/firewalld/files/traceroute.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - ports needed by traceroute - This allows the host to be reached by traceroute. - - - diff --git a/library/centos/roles/firewalld/handlers/main.yml b/library/centos/roles/firewalld/handlers/main.yml deleted file mode 100644 index ebb482ec..00000000 --- a/library/centos/roles/firewalld/handlers/main.yml +++ /dev/null 
@@ -1,16 +0,0 @@
----
-- name: Enable and start firewalld
- service: name=firewalld state=started enabled=yes
- when: firewalld_enabled
-
-- name: Reload firewall config
- command: firewall-cmd --reload
- notify: Restart fail2ban
- when: firewalld_enabled
-
-- name: Restart fail2ban
- service: name=fail2ban state=restarted
- when:
- - fail2ban_enabled is defined and fail2ban_enabled
- - centos_install_epel
-
diff --git a/library/centos/roles/firewalld/tasks/disable_firewalld.yml b/library/centos/roles/firewalld/tasks/disable_firewalld.yml
deleted file mode 100644
index 24b4d9e4..00000000
--- a/library/centos/roles/firewalld/tasks/disable_firewalld.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: Ensure that the firewalld service is stopped and disabled if we do not want it
- service: name=firewalld state=stopped enabled=no
- when: not firewalld_enabled | bool
- tags: [ 'iptables', 'firewall', 'firewalld' ]
diff --git a/library/centos/roles/firewalld/tasks/firewalld_rules.yml b/library/centos/roles/firewalld/tasks/firewalld_rules.yml
deleted file mode 100644
index b8c7b1c4..00000000
--- a/library/centos/roles/firewalld/tasks/firewalld_rules.yml
+++ /dev/null
@@ -1,91 +0,0 @@ ---- -- block: - - name: Ensure that the service is enabled and started - service: name=firewalld state=started enabled=yes - notify: Restart fail2ban - - - name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses - firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True - when: firewalld_ssh_enabled_on_default_zone | bool - - - name: Set the firewalld default zone. - command: firewall-cmd --set-default-zone={{ firewalld_default_zone }} - - - name: Add sources to the availability zones, if any - firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True - with_items: '{{ firewalld_src_rules | default([]) }}' - - - name: Assign interfaces to firewalld zones if needed - firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True - with_items: '{{ firewalld_zones_interfaces | default([]) }}' - when: - - firewalld_zones_interfaces is defined - - item.interface is defined - - item.zone is defined - - - name: Manage services firewalld rules. Services names must be the known ones. 
Save the services that are meant to be permanent - firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True - with_items: '{{ firewalld_rules }}' - when: - - firewalld_rules is defined - - item.service is defined - - - name: Save the ports firewalld rules that need to be permanent - firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True - with_items: '{{ firewalld_rules }}' - when: - - firewalld_rules is defined - - item.port is defined - - item.protocol is defined - - - name: Save the rich_rules firewalld rules that need to be permanent - firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True - with_items: '{{ firewalld_rules }}' - when: - - firewalld_rules is defined - - item.rich_rule is defined - notify: Reload firewall config - - - name: Enable the firewall-cmd direct passthrough rules - shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }} - with_items: '{{ firewalld_direct_rules }}' - args: - creates: /etc/firewalld/.{{ item.label }} - when: - - firewalld_direct_rules is defined - - item.action is defined - - - name: Set the firewall-cmd direct passthrough rules as permanent ones - command: firewall-cmd --direct --permanent --passthrough {{ item.action }} - with_items: '{{ firewalld_direct_rules }}' - when: - - firewalld_direct_rules is defined - - item.action is defined - - - name: Add new not yet defined services, if any. 
They need an additional task to really install a meaningful service config file - command: firewall-cmd --new-service={{ item.name }} --permanent - args: - creates: '/etc/firewalld/services/{{ item.name }}.xml' - with_items: '{{ firewalld_new_services }}' - when: firewalld_new_services is defined - notify: Reload firewall config - - - name: Install the custom firewall services - copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml - with_items: '{{ firewalld_new_services }}' - when: firewalld_new_services is defined - notify: Reload firewall config - - - name: Manage the custom services firewalld rules. - firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True - with_items: '{{ firewalld_new_services }}' - when: - - firewalld_new_services is defined - - item.name is defined - notify: Reload firewall config - - # Last one to not take ourselves out - - name: Set the firewalld default zone. - command: firewall-cmd --set-default-zone={{ firewalld_default_zone }} - - tags: [ 'iptables', 'firewall', 'firewalld' ] diff --git a/library/centos/roles/firewalld/tasks/main.yml b/library/centos/roles/firewalld/tasks/main.yml deleted file mode 100644 index 9bef238b..00000000 --- a/library/centos/roles/firewalld/tasks/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- import_tasks: firewalld_rules.yml - when: firewalld_enabled | bool - -- import_tasks: disable_firewalld.yml - when: not firewalld_enabled | bool - diff --git a/library/roles/iptables/defaults/main.yml b/library/roles/iptables/defaults/main.yml deleted file mode 100644 index bc5707dc..00000000 --- a/library/roles/iptables/defaults/main.yml +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -iptables_deb_pkgs: - - iptables - - iptables-persistent - -# -# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables -# -#pg_allowed_hosts: -# - 146.48.123.17/32 -# - 146.48.122.110/32 -# -#munin_server: -# - 146.48.122.15 -# - 146.48.87.88 -#http_port: 80 -#http_allowed_hosts: -# - 1.2.3.4/24 -#https_port: 443 -#https_allowed_hosts: -# - 0.0.0.0/0 -# -# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT' -# iptables: -# tcp_rules: True -# tcp: -# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] } -# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] } -# - { port: '80' } -# udp_rules: True -# udp: -# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] } - -# munin_server: -# - 146.48.122.15 -# - 146.48.87.88 - -#nagios_monitoring_server_ip: 146.48.123.23 -#mongodb: -# start_server: 'yes' -# tcp_port: 27017 -# allowed_hosts: -# - 146.48.123.100/32 - -#iptables_default_policy: REJECT -iptables_default_policy: ACCEPT -iptables_nat_enabled: False -iptables_nat_specify_interfaces: True -iptables_post_nat_enabled: False -iptables_nat_interfaces: - - '{{ ansible_default_ipv4.interface }}' -iptables_input_default_policy: '{{ iptables_default_policy }}' -iptables_forward_default_policy: '{{ iptables_default_policy }}' -iptables_banned_default_policy: DROP -iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited' -iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited' -ganglia_enabled: False -nagios_enabled: False -iptables_open_all_to_isti_nets: False -tomcat_cluster_enabled: False -# Another variable needs to be defined before the db rules are set -psql_firewall_enabled: True 
-mysql_firewall_enabled: True
diff --git a/library/roles/iptables/handlers/main.yml b/library/roles/iptables/handlers/main.yml
deleted file mode 100644
index 1012da73..00000000
--- a/library/roles/iptables/handlers/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- name: Start the iptables service
- service: name=iptables-persistent state=restarted enabled=yes
- notify: Restart fail2ban
-
-- name: Start the netfilter service
- service: name=netfilter-persistent state=restarted enabled=yes
- when: is_debian8
- notify: Restart fail2ban
-
-- name: Flush the iptables rules
- command: /etc/init.d/iptables-persistent flush
- ignore_errors: true
-
-- name: Start the iptables service on Ubuntu < 12.04
- command: /etc/init.d/iptables-persistent start
- ignore_errors: true
-
-- name: Stop the iptables service on Ubuntu < 12.04
- command: /etc/init.d/iptables-persistent stop
- ignore_errors: true
-
-- name: Restart fail2ban after an iptables restart
- service: name=fail2ban state=restarted enabled=yes
- when: has_fail2ban
diff --git a/library/roles/iptables/meta/main.yml b/library/roles/iptables/meta/main.yml
deleted file mode 100644
index 52371505..00000000
--- a/library/roles/iptables/meta/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-dependencies:
- - { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
- - { role: '../../library/roles/postfix-relay', when: postfix_relay_server is defined and postfix_relay_server }
diff --git a/library/roles/iptables/tasks/main.yml b/library/roles/iptables/tasks/main.yml
deleted file mode 100644
index 5441f837..00000000
--- a/library/roles/iptables/tasks/main.yml
+++ /dev/null
@@ -1,127 +0,0 @@ ---- -- block: - - name: Install the needed iptables packages - apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800 - - - name: Create the /etc/iptables directory when needed - file: dest=/etc/iptables state=directory owner=root group=root mode=0755 - when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 - - - name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04 - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640 - with_items: - - rules.v4 - when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6 - notify: Start the iptables service on Ubuntu < 12.04 - - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 - with_items: - - rules.v4 - - rules.v6 - when: is_precise - register: install_iptables_rules_precise - - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 - with_items: - - rules.v4 - - rules.v6 - when: is_trusty - register: install_iptables_rules_trusty - - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7 - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 - with_items: - - rules.v4 - - rules.v6 - when: is_debian7 - register: install_iptables_rules_deb7 - - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8 - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 - with_items: - - rules.v4 - - rules.v6 - when: is_debian8 - register: install_netfilter_rules - - - name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. 
On Ubuntu >= 16.04 - template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640 - with_items: - - rules.v4 - - rules.v6 - when: - - ansible_distribution == 'Ubuntu' - - ansible_distribution_major_version >= '16' - register: install_netfilter_rules - - - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks - service: name=iptables-persistent state=restarted enabled=yes - register: restart_related_p - notify: Restart fail2ban after an iptables restart - when: install_iptables_rules_precise is changed - - - name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks - service: name=iptables-persistent state=restarted enabled=yes - register: restart_related_t - notify: Restart fail2ban after an iptables restart - when: install_iptables_rules_trusty is changed - - - name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks - service: name=iptables-persistent state=restarted enabled=yes - register: restart_related_d7 - notify: Restart fail2ban after an iptables restart - when: install_iptables_rules_deb7 is changed - - - name: Start the netfilter service immediately after the new rules have been installed. 
This can have an impact on other tasks - service: name=netfilter-persistent state=restarted enabled=yes - register: restart_related_x - notify: Restart fail2ban after an iptables restart - when: install_netfilter_rules is changed - - - name: Check if the fail2ban service is present - stat: path=/usr/bin/fail2ban-server - register: fail2ban_installed - - - name: Restart fail2ban after an iptables restart on Ubuntu Precise - service: name=fail2ban state=restarted enabled=yes - when: - - fail2ban_installed.stat.exists - - restart_related_p is changed - - - name: Restart fail2ban after an iptables restart on Ubunt Trusty - service: name=fail2ban state=restarted enabled=yes - when: - - fail2ban_installed.stat.exists - - restart_related_t is changed - - - name: Restart fail2ban after an iptables restart on debian 7 - service: name=fail2ban state=restarted enabled=yes - when: - - fail2ban_installed.stat.exists - - restart_related_d7 is changed - - - name: Restart fail2ban after an iptables restart on Ubuntu Xenial - service: name=fail2ban state=restarted enabled=yes - when: - - fail2ban_installed.stat.exists - - restart_related_x is changed - - - name: Check if the docker service is present - stat: path=/usr/bin/dockerd - register: dockerd_installed - - - name: Restart docker after an iptables restart on Ubuntu Trusty - service: name=docker state=restarted enabled=yes - when: - - dockerd_installed.stat.exists - - restart_related_t is changed - - - name: Restart docker after an iptables restart on Ubuntu Xenial - service: name=docker state=restarted enabled=yes - when: - - dockerd_installed.stat.exists - - restart_related_x is changed - - tags: [ 'iptables', 'iptables_rules' ] diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2 deleted file mode 100644 index 8520f085..00000000 --- a/library/roles/iptables/templates/iptables-rules.v4.j2 +++ /dev/null 
@@ -1,398 +0,0 @@ -# -# {{ ansible_managed }} don't manually modify this file -# -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] -{% if iptables_banlist is defined %} -# We manage the banned IP/networks list before anything else -{% for obj in iptables_banlist %} -{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %} --A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} -{% elif obj.proto is defined and obj.destport is defined %} --A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} -{% elif obj.proto is defined %} --A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} -{% else %} --A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }} -{% endif %} -{% endfor %} -{% endif %} -# Return traffic and localhost --A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT -# -{% if iptables_managed_ssh is defined and iptables_managed_ssh %} -{% if iptables_ssh_allowed_hosts is defined %} -# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses -{% for ip in iptables_ssh_allowed_hosts %} --A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT -{% endfor %} --A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited -{% endif %} -{% else %} -# ssh is 
always open. We use denyhosts or fail2ban to prevent unauthorized accesses --A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -{% endif %} -{% if http_port is not defined %} -{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} --A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT -{% endif %} -{% endif %} -{% if http_port is defined %} -# http -{% if http_allowed_hosts is defined %} -{% for ip in http_allowed_hosts %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT -{% endfor %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited -{% else %} --A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT -{% endif %} -{% endif %} - -{% if https_port is defined %} -# https -{% if https_allowed_hosts is defined %} -{% for ip in https_allowed_hosts %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT -{% endfor %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited -{% else %} -{% if https_managed_hosts is defined %} -{% for rule in https_managed_hosts %} --A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }} -{% endfor %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }} -{% else %} --A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT -{% endif %} -{% endif %} -{% endif %} -{% if psql_firewall_enabled %} -{% if psql_db_port is defined %} -{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %} -{% if psql_global_firewall is defined %} -{% for cidr in psql_global_firewall %} --A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT -{% endfor %} --A INPUT -p tcp -m tcp --dport {{ 
psql_db_port }} -j DROP -{% else %} -{% if psql_db_data is defined %} -# postgresql clients -{% for db in psql_db_data %} -{% for ip in db.allowed_hosts %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT -{% endfor %} -{% endfor %} -{% endif %} -{% endif %} --A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT --A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP -{% endif %} -{% endif %} -{% endif %} -{% if mysql_firewall_enabled %} -{% if mysql_db_port is defined %} -{% if mysql_listen_on_ext_int %} -# mysql clients -{% for db in mysql_db_data %} -{% for ip in db.allowed_hosts %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT -{% endfor %} -{% endfor %} -{% endif %} --A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT --A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP -{% endif %} -{% endif %} -{% if openldap_slapd_tcp_port is defined %} -{% if openldap_allowed_clients is defined %} -# LDAP -{% for addr in openldap_allowed_clients %} -{% if not openldap_slapd_ssl_only %} --A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT -{% endif %} --A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT -{% endfor %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited -{% else %} -{% if not openldap_slapd_ssl_only %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT -{% endif %} --A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT -{% endif %} -{% endif 
%} -{% if mongodb_allowed_hosts is defined %} -# mongodb clients -{% for ip in mongodb_allowed_hosts %} -{% if mongodb_tcp_port is defined %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT -{% else %} --A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT -{% endif %} -{% endfor %} -{% if mongodb_tcp_port is defined %} --A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP -{% else %} --A INPUT -p tcp -m tcp --dport 27017 -j DROP -{% endif %} -{% endif %} - -{% if docker_swarm is defined and docker_swarm %} -{% for cidr in docker_swarm_allowed_hosts %} --A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT --A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT --A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT --A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT -{% endfor %} --A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited --A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited --A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited --A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited -{% endif %} - -{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %} -# Someone still uses ftp -{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %} -{% for ip in vsftpd_iptables_allowed_hosts %} --A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT --A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT -{% endfor %} --A INPUT -m helper --helper ftp -j ACCEPT -{% endif %} -{% endif %} -# -# TODO: add the rules that block traffic from now on -# -{% if nagios_enabled is defined %} -{% if nagios_enabled %} -{% if 
nagios_monitoring_server_ip is defined %}
-# Nagios NRPE
-{% for ip in nagios_monitoring_server_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-# Check ntp from the nagios server
--A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if zabbix_agent_install is defined and zabbix_agent_install %}
-{% if zabbix_agent_passive_checks_status == "enabled" %}
-# Zabbix servers that can send passive checks
-{% for ip in zabbix_monitoring_servers %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-
-{% if configure_munin is defined %}
-{% if configure_munin %}
-{% if munin_server %}
-# Munin
-{% for ip in munin_server %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
-{% endif %}
-{% endif %}
-{% if tomcat_cluster_enabled %}
-# tomcat cluster
--A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
-{% if tomcat_cluster_multicast_net is defined %}
--A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
-# orientdb hazelcast multicast rules
--A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
--A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
-{% endif %}
-# Ganglia
-{% if ganglia_enabled is defined and ganglia_enabled %}
-{% if ganglia_gmond_cluster_port is defined %}
-{% if ganglia_unicast_mode is defined %}
-{% if ganglia_unicast_mode %}
-{% for net in ganglia_unicast_networks %}
--A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endfor %}
-{% else %}
-{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
--A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
-{% else %}
--A INPUT -m pkttype --pkt-type multicast -j ACCEPT
--A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-{% endif %}
--A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
--A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-{% endif %}
-{% endif %}
-# Postfix
-{% if postfix_relay_server is defined %}
-{% if postfix_relay_server %}
-#
-# These are only needed on the machines that act as relay servers
-#
-{% for cidr in postfix_relay_server_permitted_networks %}
--A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
-{% endfor %}
--A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-{% else %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
-{% endif %}
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% if postfix_relay_server is defined and not postfix_relay_server %}
-{% if postfix_relay_client is defined%}
-{% if postfix_relay_client %}
-#
-# When we are not a relay server but we want send email using our relay
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
--A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
-{% endif %}
-{% endif %}
-{% endif %}
-{% if iptables is defined %}
-{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
-# TCP rules
-{% for tcp_rule in iptables.tcp %}
-{% if tcp_rule.allowed_hosts is defined %}
-{% for ip in tcp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.udp_rules is defined and iptables.udp_rules %}
-# UDP rules
-{% for udp_rule in iptables.udp %}
-{% if udp_rule.allowed_hosts is defined %}
-{% for ip in udp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.any_rules is defined and iptables.any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for ip in any_rule.allowed_hosts %}
--A INPUT -s {{ ip }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for rule in any_rule.allowed_hosts %}
--A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endfor %}
-{% endif %}
-# End of the custom rules
-{% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
-{% endif %}
-{% endif %}
-{% if keepalived_enabled is defined and keepalived_enabled %}
-# Keepalived rules. Protocol vrrp, 112
-{% if not keepalived_use_unicast %}
--A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
--A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-{% else %}
-{% endif %}
--A INPUT -p vrrp -j ACCEPT
--A OUTPUT -p vrrp -j ACCEPT
-{% endif %}
-#
-# INPUT POLICY
-{% if iptables_input_default_policy == 'REJECT' %}
--A INPUT -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -j {{ iptables_input_default_policy }}
-{% endif %}
-#
-# FORWARD rules and POLICY
-{% if iptables_post_nat_enabled %}
--A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-{% for rule in iptables_nat_rules %}
--A FORWARD {{ rule.options }} -j ACCEPT
-{% endfor %}
-{% endif %}
-{% if iptables_forward_default_policy == 'REJECT' %}
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A FORWARD -j {{ iptables_forward_default_policy }}
-{% endif %}
-COMMIT
-{% if iptables_nat_enabled %}
-# This should be obsoleted
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% if iptables_nat_specify_interfaces %}
-{% for int in iptables_nat_interfaces %}
--A POSTROUTING -o {{ int }} -j MASQUERADE
-{% endfor %}
-{% else %}
--A POSTROUTING -j MASQUERADE
-{% endif %}
-COMMIT
-{% endif %}
-
-{% if iptables_post_nat_enabled %}
-# NAT rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-{% for rule in iptables_nat_rules %}
--A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
-{% endfor %}
-COMMIT
-{% endif %}
diff --git a/library/roles/iptables/templates/iptables-rules.v6.j2 b/library/roles/iptables/templates/iptables-rules.v6.j2
deleted file mode 100644
index f9cab76f..00000000
--- a/library/roles/iptables/templates/iptables-rules.v6.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# {{ ansible_managed }} don't manually modify this file
-#
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% if iptables_default_policy == 'REJECT' %}
--A INPUT -j REJECT --reject-with icmp6-addr-unreachable
--A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
-{% else %}
--A INPUT -j {{ iptables_default_policy }}
--A FORWARD -j {{ iptables_default_policy }}
-{% endif %}
-COMMIT
diff --git a/library/roles/ubuntu-deb-general/meta/main.yml b/library/roles/ubuntu-deb-general/meta/main.yml
index 4a05223d..90c559e6 100644
--- a/library/roles/ubuntu-deb-general/meta/main.yml
+++ b/library/roles/ubuntu-deb-general/meta/main.yml
@@ -2,7 +2,10 @@ dependencies:
 - role: '../../library/roles/deb-apt-setup'
 - { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
- - role: 'basic-system-setup'
+ - src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git
+ version: master
+ name: basic-system-setup
+ state: latest
 - role: '../../library/roles/motd'
 - role: '../../library/roles/ntp'
 - role: '../../library/roles/linux-kernel-sysctl'