From 4ec713038af96353d21b58e0160d01ff75b47566 Mon Sep 17 00:00:00 2001 
From: Florian RICHER Date: Sun, 21 May 2023 11:31:41 +0200 Subject: [PATCH] [IPTABLES] Restore from config file --- group_vars/all.yml | 1 + roles/iptables/tasks/accept_dns.yml | 57 ------------------ roles/iptables/tasks/accept_established.yml | 19 ------ roles/iptables/tasks/accept_http.yml | 41 ------------- roles/iptables/tasks/accept_loopback.yml | 19 ------ roles/iptables/tasks/accept_matrix.yml | 21 ------- roles/iptables/tasks/accept_ntp.yml | 21 ------- roles/iptables/tasks/accept_ping.yml | 19 ------ .../tasks/accept_private_networks.yml | 19 ------ roles/iptables/tasks/accept_ssh.yml | 21 ------- roles/iptables/tasks/base.yml | 18 ++++++ roles/iptables/tasks/block_basic_ddos.yml | 33 ----------- roles/iptables/tasks/block_port_scan.yml | 19 ------ roles/iptables/tasks/drop_all_by_default.yml | 25 -------- roles/iptables/tasks/drop_scans_xmas_null.yml | 59 ------------------- roles/iptables/tasks/main.yml | 42 +------------ .../iptables/templates/firewall.j2 | 6 +- 17 files changed, 23 insertions(+), 417 deletions(-) delete mode 100644 roles/iptables/tasks/accept_dns.yml delete mode 100644 roles/iptables/tasks/accept_established.yml delete mode 100644 roles/iptables/tasks/accept_http.yml delete mode 100644 roles/iptables/tasks/accept_loopback.yml delete mode 100644 roles/iptables/tasks/accept_matrix.yml delete mode 100644 roles/iptables/tasks/accept_ntp.yml delete mode 100644 roles/iptables/tasks/accept_ping.yml delete mode 100644 roles/iptables/tasks/accept_private_networks.yml delete mode 100644 roles/iptables/tasks/accept_ssh.yml create mode 100644 roles/iptables/tasks/base.yml delete mode 100644 roles/iptables/tasks/block_basic_ddos.yml delete mode 100644 roles/iptables/tasks/block_port_scan.yml delete mode 100644 roles/iptables/tasks/drop_all_by_default.yml delete mode 100644 roles/iptables/tasks/drop_scans_xmas_null.yml rename firewall => roles/iptables/templates/firewall.j2 (93%) 
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 942f772..3b11702 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -2,6 +2,7 @@
 # Global configuration
 server:
   domain: mrdev023.test
+  ssh_port: 7943
 backup:
   folder: /backup
   cron_expression: "* * * * *"
diff --git a/roles/iptables/tasks/accept_dns.yml b/roles/iptables/tasks/accept_dns.yml
deleted file mode 100644
index 97685f3..0000000
--- a/roles/iptables/tasks/accept_dns.yml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-
-- name: Accept OUTPUT udp dport 53
-  ansible.builtin.iptables:
-    chain: OUTPUT
-    protocol: udp
-    ctstate:
-      - NEW
-      - RELATED
-      - ESTABLISHED
-    destination_port: 53
-    jump: ACCEPT
-    comment: Accept OUTPUT udp dport 53
-    state: present
-  become: yes
-
-- name: Accept INPUT udp sport 53
-  ansible.builtin.iptables:
-    chain: OUTPUT
-    protocol: udp
-    ctstate:
-      - NEW
-      - RELATED
-      - ESTABLISHED
-    source_port: 53
-    jump: ACCEPT
-    comment: Accept OUTPUT udp sport 53
-    state: present
-  become: yes
-
-- name: Accept OUTPUT tcp dport 53
-  ansible.builtin.iptables:
-    chain: OUTPUT
-    protocol: tcp
-    ctstate:
-      - NEW
-      - RELATED
-      - ESTABLISHED
-    destination_port: 53
-    jump: ACCEPT
-    comment: Accept OUTPUT tcp dport 53
-    state: present
-  become: yes
-
-- name: Accept INPUT tcp sport 53
-  ansible.builtin.iptables:
-    chain: OUTPUT
-    protocol: tcp
-    ctstate:
-      - NEW
-      - RELATED
-      - ESTABLISHED
-    source_port: 53
-    jump: ACCEPT
-    comment: Accept OUTPUT tcp sport 53
-    state: present
-  become: yes
\ No newline at end of file
diff --git a/roles/iptables/tasks/accept_established.yml b/roles/iptables/tasks/accept_established.yml
deleted file mode 100644
index 7b600b6..0000000
--- a/roles/iptables/tasks/accept_established.yml
+++ /dev/null
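Review bot: `ssh_port: 7943` is the only port the new firewall template opens for inbound SSH, so it must equal the port sshd actually listens on and the port the controller connects through (`ansible_port`); a mismatch locks the host out as soon as the firewall script runs, and nothing in this file says so. A one-line comment above the key would make that coupling visible to whoever edits it next: `# Port sshd listens on; firewall.j2 allows inbound SSH only here - keep in sync with sshd_config and ansible_port`. Leaving the value as a plain integer is fine for its `--dport` use, so no quoting is needed.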
@@ -1,19 +0,0 @@ ---- - -- name: Accept INPUT established - ansible.builtin.iptables: - chain: INPUT - ctstate: ESTABLISHED,RELATED - jump: ACCEPT - comment: Accept INPUT established - state: present - become: yes - -- name: Accept OUTPUT established - ansible.builtin.iptables: - chain: OUTPUT - ctstate: ESTABLISHED,RELATED - jump: ACCEPT - comment: Accept OUTPUT established - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_http.yml b/roles/iptables/tasks/accept_http.yml deleted file mode 100644 index d856052..0000000 --- a/roles/iptables/tasks/accept_http.yml +++ /dev/null @@ -1,41 +0,0 @@ ---- - -- name: Accept INPUT 80 - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 80 - jump: ACCEPT - comment: Accept INPUT 80 - state: present - become: yes - -- name: Accept INPUT 443 - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 443 - jump: ACCEPT - comment: Accept INPUT 443 - state: present - become: yes - -- name: Accept OUTPUT 80 - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - destination_port: 80 - jump: ACCEPT - comment: Accept OUTPUT 80 - state: present - become: yes - -- name: Accept OUTPUT 443 - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - destination_port: 443 - jump: ACCEPT - comment: Accept OUTPUT 443 - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_loopback.yml b/roles/iptables/tasks/accept_loopback.yml deleted file mode 100644 index 9674567..0000000 --- a/roles/iptables/tasks/accept_loopback.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- - -- name: Accept INPUT loopback - ansible.builtin.iptables: - chain: INPUT - in_interface: lo - jump: ACCEPT - comment: Accept INPUT loopback - state: present - become: yes - -- name: Accept OUTPUT loopback - ansible.builtin.iptables: - chain: OUTPUT - out_interface: lo - jump: ACCEPT - comment: Accept OUTPUT loopback - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_matrix.yml b/roles/iptables/tasks/accept_matrix.yml deleted file mode 100644 index 49d237d..0000000 --- a/roles/iptables/tasks/accept_matrix.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Accept INPUT 8448 - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 8448 - jump: ACCEPT - comment: Accept INPUT 8448 - state: present - become: yes - -- name: Accept OUTPUT 8448 - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - destination_port: 8448 - jump: ACCEPT - comment: Accept OUTPUT 8448 - state: present - become: yes diff --git a/roles/iptables/tasks/accept_ntp.yml b/roles/iptables/tasks/accept_ntp.yml deleted file mode 100644 index be678e0..0000000 --- a/roles/iptables/tasks/accept_ntp.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Accept INPUT 123 - ansible.builtin.iptables: - chain: INPUT - protocol: udp - source_port: 123 - jump: ACCEPT - comment: Accept INPUT 123 - state: present - become: yes - -- name: Accept OUTPUT 123 - ansible.builtin.iptables: - chain: OUTPUT - protocol: udp - destination_port: 123 - jump: ACCEPT - comment: Accept OUTPUT 123 - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_ping.yml b/roles/iptables/tasks/accept_ping.yml deleted file mode 100644 index 9124983..0000000 --- a/roles/iptables/tasks/accept_ping.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- - -- name: Accept INPUT icmp - ansible.builtin.iptables: - chain: INPUT - protocol: icmp - jump: ACCEPT - comment: Accept INPUT icmp - state: present - become: yes - -- name: Accept OUTPUT icmp - ansible.builtin.iptables: - chain: OUTPUT - protocol: icmp - jump: ACCEPT - comment: Accept OUTPUT icmp - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_private_networks.yml b/roles/iptables/tasks/accept_private_networks.yml deleted file mode 100644 index d7081e3..0000000 --- a/roles/iptables/tasks/accept_private_networks.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- - -- name: Accept INPUT 192.168.1.0/24 - ansible.builtin.iptables: - chain: INPUT - destination: 192.168.1.0/24 - jump: ACCEPT - comment: Accept INPUT established - state: present - become: yes - -- name: Accept OUTPUT 192.168.1.0/24 - ansible.builtin.iptables: - chain: OUTPUT - destination: 192.168.1.0/24 - jump: ACCEPT - comment: Accept OUTPUT established - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_ssh.yml b/roles/iptables/tasks/accept_ssh.yml deleted file mode 100644 index 3904bea..0000000 --- a/roles/iptables/tasks/accept_ssh.yml +++ /dev/null @@ -1,21 +0,0 @@ ---- - -- name: Accept INPUT 7943 - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: 7943 - jump: ACCEPT - comment: Accept INPUT 7943 - state: present - become: yes - -- name: Accept OUTPUT 22 - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - destination_port: 22 - jump: ACCEPT - comment: Accept OUTPUT 22 - state: present - become: yes diff --git a/roles/iptables/tasks/base.yml b/roles/iptables/tasks/base.yml new file mode 100644 index 0000000..b26e6ae --- /dev/null +++ b/roles/iptables/tasks/base.yml 
@@ -0,0 +1,18 @@
+---
+
+- name: Copy conf
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    group: root
+    mode: u=rwx,g=x,o=x
+  loop:
+    - { src: 'firewall.j2', dest: '/etc/init.d/firewall' }
+  register: iptables_templates_results
+  become: yes
+
+- name: Ensure Service firewall is Enabled
+  become: yes
+  ansible.builtin.service:
+    name: firewall
+    enabled: yes
\ No newline at end of file
diff --git a/roles/iptables/tasks/block_basic_ddos.yml b/roles/iptables/tasks/block_basic_ddos.yml
deleted file mode 100644
index fc97815..0000000
--- a/roles/iptables/tasks/block_basic_ddos.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-
-- name: Accept FORWARD with tcp limit 1/second and syn
-  ansible.builtin.iptables:
-    chain: FORWARD
-    protocol: tcp
-    syn: match
-    limit: 1/second
-    jump: ACCEPT
-    comment: Accept FORWARD with tcp limit 1/second and syn
-    state: present
-  become: yes
-
-- name: Accept FORWARD with udp limit 1/second
-  ansible.builtin.iptables:
-    chain: FORWARD
-    protocol: udp
-    limit: 1/second
-    jump: ACCEPT
-    comment: Accept FORWARD with udp limit 1/second
-    state: present
-  become: yes
-
-- name: Accept FORWARD with icmp limit 1/second
-  ansible.builtin.iptables:
-    chain: FORWARD
-    protocol: icmp
-    icmp_type: echo-request
-    limit: 1/second
-    jump: ACCEPT
-    comment: Accept FORWARD with icmp limit 1/second
-    state: present
-  become: yes
\ No newline at end of file
diff --git a/roles/iptables/tasks/block_port_scan.yml b/roles/iptables/tasks/block_port_scan.yml
deleted file mode 100644
index 7d3f785..0000000
--- a/roles/iptables/tasks/block_port_scan.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-- name: Accept FORWARD with tcp limit 1/second and tcp_flags
-  ansible.builtin.iptables:
-    chain: FORWARD
-    protocol: tcp
-    tcp_flags:
-      flags:
-        - SYN
-        - ACK
-        - FIN
-        - RST
-      flags_set:
-        - RST
-    limit: 1/second
-    jump: ACCEPT
-    comment: Accept FORWARD with tcp limit 1/second and tcp_flags
-    state: present
-  become: yes
\ No newline at end of file
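Review bot: `register: iptables_templates_results` is never consumed and the second task only sets `enabled: yes`, so when `firewall.j2` changes the new script is written to `/etc/init.d/firewall` but is not run until the next boot, leaving whatever rules are currently loaded in place. Replace the `register:` line with `notify: Restart firewall` and add a handler (an `ansible.builtin.service` task with `name: firewall` and `state: restarted`), or at least add `state: started` to the second task so a fresh host gets its rules during the play. `mode: u=rwx,g=x,o=x` grants execute without read to group and others, which is not enough for a non-root user to run a shebang script anyway, so `"0700"` or `u=rwx,g=rx,o=rx` states the intent more plainly, and `owner: root` next to `group: root` makes the ownership explicit instead of relying on `become`. Prefer `true` over `yes` for `become` and `enabled` (yamllint truthy).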
diff --git a/roles/iptables/tasks/drop_all_by_default.yml b/roles/iptables/tasks/drop_all_by_default.yml deleted file mode 100644 index d8cb439..0000000 --- a/roles/iptables/tasks/drop_all_by_default.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- - -- name: Block all INPUT by default - ansible.builtin.iptables: - chain: INPUT - policy: DROP - comment: Block all INPUT by default - state: present - become: yes - -- name: Block all OUTPUT by default - ansible.builtin.iptables: - chain: OUTPUT - policy: DROP - comment: Block all OUTPUT by default - state: present - become: yes - -- name: Block all FORWARD by default - ansible.builtin.iptables: - chain: FORWARD - policy: DROP - comment: Block all FORWARD by default - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/drop_scans_xmas_null.yml b/roles/iptables/tasks/drop_scans_xmas_null.yml deleted file mode 100644 index 02af0c4..0000000 --- a/roles/iptables/tasks/drop_scans_xmas_null.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- - -- name: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH) - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - tcp_flags: - flags: - - FIN - - URG - - PSH - flags_set: - - FIN - - URG - - PSH - jump: DROP - comment: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH) - state: present - become: yes - -- name: Drop des scans XMAS et NULL (ALL ALL) - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - tcp_flags: - flags: ALL - flags_set: ALL - jump: DROP - comment: Drop des scans XMAS et NULL (ALL ALL) - state: present - become: yes - -- name: Drop des scans XMAS et NULL (ALL NONE) - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - tcp_flags: - flags: ALL - flags_set: NONE - jump: DROP - comment: Drop des scans XMAS et NULL (ALL NONE) - state: present - become: yes - -- name: Drop des scans XMAS et NULL (SYN,RST SYN,RST) - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - tcp_flags: - flags: - - SYN - - RST - flags_set: - - SYN - - RST - jump: DROP - comment: Drop des scans XMAS et NULL (SYN,RST SYN,RST) - state: present - become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 216468c..3f670ac 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml 
@@ -1,42 +1,4 @@
 ---
 
-- ansible.builtin.import_tasks: accept_established.yml
-  name: accept_established
-
-- ansible.builtin.import_tasks: accept_loopback.yml
-  name: accept_loopback
-
-- ansible.builtin.import_tasks: accept_dns.yml
-  name: accept_dns
-
-- ansible.builtin.import_tasks: accept_http.yml
-  name: accept_http
-
-- ansible.builtin.import_tasks: accept_ssh.yml
-  name: accept_ssh
-
-- ansible.builtin.import_tasks: accept_ntp.yml
-  name: accept_ntp
-
-- ansible.builtin.import_tasks: accept_matrix.yml
-  name: accept_matrix
-
-- ansible.builtin.import_tasks: accept_icmp.yml
-  name: accept_icmp
-
-- ansible.builtin.import_tasks: block_basic_ddos.yml
-  name: block_basic_ddos
-
-- ansible.builtin.import_tasks: block_port_scan.yml
-  name: block_port_scan
-
-- ansible.builtin.import_tasks: accept_private_networks.yml
-  name: accept_private_networks
-
-# Add drop after to avoid lock system during configuration
-
-- ansible.builtin.import_tasks: drop_scans_xmas_null.yml
-  name: drop_scans_xmas_null
-
-- ansible.builtin.import_tasks: drop_all_by_default.yml
-  name: drop_all_by_default
\ No newline at end of file
+- ansible.builtin.import_tasks: base.yml
+  name: base
\ No newline at end of file
diff --git a/firewall b/roles/iptables/templates/firewall.j2
similarity index 93%
rename from firewall
rename to roles/iptables/templates/firewall.j2
index a488556..c06ee5b 100755
--- a/firewall
+++ b/roles/iptables/templates/firewall.j2
@@ -62,11 +62,9 @@ iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT -# SSH (7943) -iptables -A INPUT -p tcp --dport 7943 -j ACCEPT -iptables -A OUTPUT -p tcp --dport 7943 -j ACCEPT +# SSH +iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT -iptables -A OUTPUT -p tcp --dport 2277 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GITLAB UNOVA # ICMP (Ping) iptables -A INPUT -p icmp -j ACCEPT
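Review bot: `{{ server.ssh_port }}` is interpolated unchecked into a script that runs as root at boot; a value that is not a plain port number (a typo, an empty string, or anything containing shell metacharacters) would be written into `/etc/init.d/firewall` and only fail, or do something unintended, at the next boot. Validate it before templating with an `ansible.builtin.assert` in base.yml, e.g. `that: "server.ssh_port | string is match('^[0-9]{1,5}$')"`, so a bad value fails the play instead of landing on the host. The hunk also drops the outbound rule for the custom SSH port together with the 2277 one while keeping `--dport 22`; if that is intended it deserves a line in the commit message. The rest of the script, including any default policies, is outside this hunk.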