myserver-configuration/roles/iptables/templates/firewall.j2

#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall rules
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO

#Suppression des règles précédentes
/sbin/iptables -F
/sbin/iptables -X

########
# DROP #
########

# Définition du blocage général
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# Drop des scans XMAS et NULL
/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

##########
# ACCEPT #
##########

# Conservations des connexions déjà établies
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Autorisation du loopback (127.0.0.1)
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Autorisation des échanges avec le serveur DNS (53)
/sbin/iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT

# NTP (123)
/sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT
/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP (80)
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

# HTTP MATRIX FEDERATION (8448)
# /sbin/iptables -A INPUT -p tcp --dport 8448 -j ACCEPT
# /sbin/iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT

# HTTPS (443)
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# SSH
/sbin/iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH INPUT THROUGH TRAEFIK
/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT

# ICMP (Ping)
/sbin/iptables -A INPUT -p icmp -j ACCEPT
/sbin/iptables -A OUTPUT -p icmp -j ACCEPT

# Parer les attaques de type Déni de Service
/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Parer les scans de ports
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

# Allow all from private network and docker network
/sbin/iptables -A INPUT -j ACCEPT -d 172.17.0.0/16
/sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
/sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
/sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24

# VPN
/sbin/iptables -A INPUT -p udp --dport {{ server.vpn.port }} -j ACCEPT
First commit 2022-10-25 13:34:44 +02:00			`#!/bin/sh`
			`### BEGIN INIT INFO`
			`# Provides: firewall rules`
			`# Required-Start: $remote_fs $syslog`
			`# Required-Stop: $remote_fs $syslog`
			`# Default-Start: 2 3 4 5`
			`# Default-Stop: 0 1 6`
			`# Short-Description: Start daemon at boot time`
			`# Description: Enable service provided by daemon.`
			`### END INIT INFO`

			`#Suppression des règles précédentes`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -F`
			`/sbin/iptables -X`
First commit 2022-10-25 13:34:44 +02:00
			`########`
			`# DROP #`
			`########`

			`# Définition du blocage général`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -P INPUT DROP`
			`/sbin/iptables -P OUTPUT DROP`
			`/sbin/iptables -P FORWARD DROP`
First commit 2022-10-25 13:34:44 +02:00
			`# Drop des scans XMAS et NULL`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP`
			`/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP`
			`/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP`
			`/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP`
First commit 2022-10-25 13:34:44 +02:00
			`##########`
			`# ACCEPT #`
			`##########`

			`# Conservations des connexions déjà établies`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
			`/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# Autorisation du loopback (127.0.0.1)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -i lo -j ACCEPT`
			`/sbin/iptables -A OUTPUT -o lo -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# Autorisation des échanges avec le serveur DNS (53)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT`
			`/sbin/iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT`
			`/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT`
			`/sbin/iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# NTP (123)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT`
			`/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# HTTP (80)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT`
			`/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
Update matrix 2022-12-01 19:42:17 +01:00			`# HTTP MATRIX FEDERATION (8448)`
Remove matrix federation port Signed-off-by: florian.richer <florian.richer@protonmail.com> 2024-01-27 21:58:28 +01:00			`# /sbin/iptables -A INPUT -p tcp --dport 8448 -j ACCEPT`
			`# /sbin/iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT`
Update matrix 2022-12-01 19:42:17 +01:00
First commit 2022-10-25 13:34:44 +02:00			`# HTTPS (443)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT`
			`/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
[IPTABLES] Restore from config file 2023-05-21 11:31:41 +02:00			`# SSH`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT`
add gitlab 2023-09-25 22:01:57 +02:00			`/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH INPUT THROUGH TRAEFIK`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT`
First commit 2022-10-25 13:34:44 +02:00
			`# ICMP (Ping)`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -p icmp -j ACCEPT`
			`/sbin/iptables -A OUTPUT -p icmp -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# Parer les attaques de type Déni de Service`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT`
			`/sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT`
			`/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT`
First commit 2022-10-25 13:34:44 +02:00
			`# Parer les scans de ports`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT`
Fix home-assistant 2023-01-05 20:13:40 +01:00
			`# Allow all from private network and docker network`
Fix Cloud + iptables 2023-05-21 15:19:59 +02:00			`/sbin/iptables -A INPUT -j ACCEPT -d 172.17.0.0/16`
			`/sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16`
			`/sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24`
			`/sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24`
Add wireguard 2023-09-24 12:28:25 +02:00
			`# VPN`
			`/sbin/iptables -A INPUT -p udp --dport {{ server.vpn.port }} -j ACCEPT`