Change the iptables rules.v4 template to support per-rule policies and to automatically reject traffic from addresses that are not allowed.
parent
4a4af42f19
commit
8156a3883b
|
@ -16,16 +16,16 @@
|
||||||
#https_allowed_hosts:
|
#https_allowed_hosts:
|
||||||
# - 0.0.0.0/0
|
# - 0.0.0.0/0
|
||||||
#
|
#
|
||||||
# Generic tcp and udp access
|
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
|
||||||
# iptables:
|
# iptables:
|
||||||
# tcp_rules: True
|
# tcp_rules: True
|
||||||
# tcp:
|
# tcp:
|
||||||
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
|
||||||
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
|
||||||
# - { port: '80' }
|
# - { port: '80' }
|
||||||
# udp_rules: True
|
# udp_rules: True
|
||||||
# udp:
|
# udp:
|
||||||
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ] }
|
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
|
||||||
|
|
||||||
# munin_server:
|
# munin_server:
|
||||||
# - 146.48.122.15
|
# - 146.48.122.15
|
||||||
|
@ -47,6 +47,8 @@ iptables_nat_interfaces:
|
||||||
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
||||||
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
||||||
iptables_banned_default_policy: DROP
|
iptables_banned_default_policy: DROP
|
||||||
|
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||||
|
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||||
ganglia_enabled: False
|
ganglia_enabled: False
|
||||||
nagios_enabled: False
|
nagios_enabled: False
|
||||||
iptables_open_all_to_isti_nets: False
|
iptables_open_all_to_isti_nets: False
|
||||||
|
|
|
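Review bot: The updated examples for the tcp `'8080'`, tcp `'80'` and udp `'123'` rules put `policy:` inside the `allowed_hosts` flow sequence, which is not a valid entry for a list of addresses and does not match where the template reads it (`tcp_rule.policy`, a sibling of `port`); the line should read `# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}' ], policy: 'ACCEPT' }`, and likewise for the other two. `iptables_generic_rules_default_policy` is added in the second hunk, but none of the template hunks in this commit reference it, so as far as this diff shows the generic tcp/udp loops still end without a catch-all; either wire it in or comment that it is reserved. The template's new `iptables.managed_any_rules` / `iptables.any` block has no commented example here, and its shape differs from tcp/udp (each `allowed_hosts` entry is a mapping with `ip` and `policy`, not a plain address), so a constructed sample such as `# any:` / `#   - { allowed_hosts: [ { ip: '{{ network.isti }}', policy: 'ACCEPT' } ] }` next to the tcp/udp examples would prevent misconfiguration.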
@ -30,6 +30,7 @@
|
||||||
{% for ip in iptables_ssh_allowed_hosts %}
|
{% for ip in iptables_ssh_allowed_hosts %}
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% else %}
|
{% else %}
|
||||||
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
||||||
|
@ -52,20 +53,30 @@
|
||||||
{% for ip in http_allowed_hosts %}
|
{% for ip in http_allowed_hosts %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if https_port is defined %}
|
{% if https_port is defined %}
|
||||||
# https
|
# https
|
||||||
{% if https_allowed_hosts is defined %}
|
{% if https_allowed_hosts is defined %}
|
||||||
{% for ip in https_allowed_hosts %}
|
{% for ip in https_allowed_hosts %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||||
|
{% else %}
|
||||||
|
{% if https_managed_hosts is defined %}
|
||||||
|
{% for rule in https_managed_hosts %}
|
||||||
|
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
|
||||||
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
{% if psql_firewall_enabled %}
|
{% if psql_firewall_enabled %}
|
||||||
{% if psql_db_port is defined %}
|
{% if psql_db_port is defined %}
|
||||||
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
||||||
|
@ -105,6 +116,8 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
{% if not openldap_slapd_ssl_only %}
|
{% if not openldap_slapd_ssl_only %}
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
||||||
|
@ -140,6 +153,7 @@
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||||
# Someone still uses ftp
|
# Someone still uses ftp
|
||||||
|
@ -151,6 +165,9 @@
|
||||||
-A INPUT -m helper --helper ftp -j ACCEPT
|
-A INPUT -m helper --helper ftp -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
#
|
||||||
|
# TODO: add the rules that block traffic from now on
|
||||||
|
#
|
||||||
{% if nagios_enabled is defined %}
|
{% if nagios_enabled is defined %}
|
||||||
{% if nagios_enabled %}
|
{% if nagios_enabled %}
|
||||||
{% if nagios_monitoring_server_ip is defined %}
|
{% if nagios_monitoring_server_ip is defined %}
|
||||||
|
@ -160,6 +177,8 @@
|
||||||
# Check ntp from the nagios server
|
# Check ntp from the nagios server
|
||||||
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
|
||||||
|
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -170,6 +189,7 @@
|
||||||
{% for ip in munin_server %}
|
{% for ip in munin_server %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -192,6 +212,7 @@
|
||||||
{% for ip in prometheus_servers_ip %}
|
{% for ip in prometheus_servers_ip %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -224,6 +245,7 @@
|
||||||
# These are only needed on the machines that act as relay servers
|
# These are only needed on the machines that act as relay servers
|
||||||
#
|
#
|
||||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
|
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
|
||||||
|
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
|
||||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||||
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
||||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||||
|
@ -253,15 +275,15 @@
|
||||||
{% if tcp_rule.allowed_hosts is defined %}
|
{% if tcp_rule.allowed_hosts is defined %}
|
||||||
{% for ip in tcp_rule.allowed_hosts %}
|
{% for ip in tcp_rule.allowed_hosts %}
|
||||||
{% if ip is string %}
|
{% if ip is string %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% for ip_really in ip %}
|
{% for ip_really in ip %}
|
||||||
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
|
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -271,15 +293,15 @@
|
||||||
{% if udp_rule.allowed_hosts is defined %}
|
{% if udp_rule.allowed_hosts is defined %}
|
||||||
{% for ip in udp_rule.allowed_hosts %}
|
{% for ip in udp_rule.allowed_hosts %}
|
||||||
{% if ip is string %}
|
{% if ip is string %}
|
||||||
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% for ip_really in ip %}
|
{% for ip_really in ip %}
|
||||||
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT
|
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
@ -291,6 +313,14 @@
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
|
||||||
|
# ANY rules
|
||||||
|
{% for any_rule in iptables.any %}
|
||||||
|
{% for rule in any_rule.allowed_hosts %}
|
||||||
|
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
|
||||||
|
{% endfor %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
# End of the custom rules
|
# End of the custom rules
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if keepalived_enabled is defined and keepalived_enabled %}
|
{% if keepalived_enabled is defined and keepalived_enabled %}
|
||||||
|
|
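Review bot: The per-service catch-all rejects added after each allowed-hosts loop (`--dport 5666` and udp `--dport 123` in the nagios hunk, and the same pattern in the generic tcp, munin, prometheus and postfix hunks) are appended to INPUT before the custom `iptables.tcp` / `iptables.udp` rules rendered by the later hunks, so once nagios is enabled a custom udp rule for port 123 with its own `allowed_hosts` (the example in the defaults) can never match, because iptables stops at the first matching rule. If that shadowing is not intended, the catch-all rejects belong at the end of the custom block, where the new `# TODO: add the rules that block traffic from now on` marker sits, possibly using `iptables_generic_rules_default_policy` there. Separately, `-j {{ rule.policy }}` in the new `https_managed_hosts` loop lacks the `| default('ACCEPT')` used on the tcp, udp and any-rule lines, so an entry without `policy` either fails the template task or renders `-j` with no target depending on the undefined-variable setting; the source key is also `source_ip` there but `ip` in the any rules. The any-rule line `-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}` matches every protocol and port from that source, which the `# ANY rules` comment should state explicitly so operators do not mistake it for a port-scoped allow.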