[IPTABLES] Restore from config file

Florian RICHER 2023-05-21 11:31:41 +02:00
parent ede7570e68
commit 4ec713038a
17 changed files with 23 additions and 417 deletions


@ -1,57 +0,0 @@
---
- name: Accept OUTPUT udp dport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
ctstate:
- NEW
- RELATED
- ESTABLISHED
destination_port: 53
jump: ACCEPT
comment: Accept OUTPUT udp dport 53
state: present
become: yes
- name: Accept INPUT udp sport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
ctstate:
- NEW
- RELATED
- ESTABLISHED
source_port: 53
jump: ACCEPT
comment: Accept OUTPUT udp sport 53
state: present
become: yes
- name: Accept OUTPUT tcp dport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
ctstate:
- NEW
- RELATED
- ESTABLISHED
destination_port: 53
jump: ACCEPT
comment: Accept OUTPUT tcp dport 53
state: present
become: yes
- name: Accept INPUT tcp sport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
ctstate:
- NEW
- RELATED
- ESTABLISHED
source_port: 53
jump: ACCEPT
comment: Accept OUTPUT tcp sport 53
state: present
become: yes


@ -1,19 +0,0 @@
---
- name: Accept INPUT established
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Accept INPUT established
state: present
become: yes
- name: Accept OUTPUT established
ansible.builtin.iptables:
chain: OUTPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Accept OUTPUT established
state: present
become: yes


@ -1,41 +0,0 @@
---
- name: Accept INPUT 80
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
comment: Accept INPUT 80
state: present
become: yes
- name: Accept INPUT 443
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 443
jump: ACCEPT
comment: Accept INPUT 443
state: present
become: yes
- name: Accept OUTPUT 80
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
comment: Accept OUTPUT 80
state: present
become: yes
- name: Accept OUTPUT 443
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 443
jump: ACCEPT
comment: Accept OUTPUT 443
state: present
become: yes


@ -1,19 +0,0 @@
---
- name: Accept INPUT loopback
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
comment: Accept INPUT loopback
state: present
become: yes
- name: Accept OUTPUT loopback
ansible.builtin.iptables:
chain: OUTPUT
out_interface: lo
jump: ACCEPT
comment: Accept OUTPUT loopback
state: present
become: yes


@ -1,21 +0,0 @@
---
- name: Accept INPUT 8448
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 8448
jump: ACCEPT
comment: Accept INPUT 8448
state: present
become: yes
- name: Accept OUTPUT 8448
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 8448
jump: ACCEPT
comment: Accept OUTPUT 8448
state: present
become: yes


@ -1,21 +0,0 @@
---
- name: Accept INPUT 123
ansible.builtin.iptables:
chain: INPUT
protocol: udp
source_port: 123
jump: ACCEPT
comment: Accept INPUT 123
state: present
become: yes
- name: Accept OUTPUT 123
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
destination_port: 123
jump: ACCEPT
comment: Accept OUTPUT 123
state: present
become: yes


@ -1,19 +0,0 @@
---
- name: Accept INPUT icmp
ansible.builtin.iptables:
chain: INPUT
protocol: icmp
jump: ACCEPT
comment: Accept INPUT icmp
state: present
become: yes
- name: Accept OUTPUT icmp
ansible.builtin.iptables:
chain: OUTPUT
protocol: icmp
jump: ACCEPT
comment: Accept OUTPUT icmp
state: present
become: yes


@ -1,19 +0,0 @@
---
- name: Accept INPUT 192.168.1.0/24
ansible.builtin.iptables:
chain: INPUT
destination: 192.168.1.0/24
jump: ACCEPT
comment: Accept INPUT established
state: present
become: yes
- name: Accept OUTPUT 192.168.1.0/24
ansible.builtin.iptables:
chain: OUTPUT
destination: 192.168.1.0/24
jump: ACCEPT
comment: Accept OUTPUT established
state: present
become: yes


@ -1,21 +0,0 @@
---
- name: Accept INPUT 7943
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 7943
jump: ACCEPT
comment: Accept INPUT 7943
state: present
become: yes
- name: Accept OUTPUT 22
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 22
jump: ACCEPT
comment: Accept OUTPUT 22
state: present
become: yes


@ -0,0 +1,18 @@
---
- name: Copy conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
group: root
mode: u=rwx,g=x,o=x
loop:
- { src: 'firewall.j2', dest: '/etc/init.d/firewall' }
register: iptables_templates_results
become: yes
- name: Ensure Service firewall is Enabled
become: yes
ansible.builtin.service:
name: firewall
enabled: yes
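Review bot: The template is written to /etc/init.d/firewall and the service is enabled, but nothing starts or restarts it, so a changed ruleset only takes effect at the next boot and the playbook run itself no longer applies any rule (the previous ansible.builtin.iptables tasks did); the `register: iptables_templates_results` on the Copy task is also never read. Either add `notify: restart firewall` to the template task with a matching handler, or add `state: restarted` to the service task guarded by `when: iptables_templates_results.changed`, so a rule change is applied live. Note that the rendered script has no `start|stop` case handling, so a `stop` would re-apply the rules rather than flush them — worth a comment or a case block. Minor: `become: yes` / `enabled: yes` should be `true` (yamllint truthy, Ansible convention).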


@ -1,33 +0,0 @@
---
- name: Accept FORWARD with tcp limit 1/second and syn
ansible.builtin.iptables:
chain: FORWARD
protocol: tcp
syn: match
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with tcp limit 1/second and syn
state: present
become: yes
- name: Accept FORWARD with udp limit 1/second
ansible.builtin.iptables:
chain: FORWARD
protocol: udp
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with udp limit 1/second
state: present
become: yes
- name: Accept FORWARD with icmp limit 1/second
ansible.builtin.iptables:
chain: FORWARD
protocol: icmp
icmp_type: echo-request
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with icmp limit 1/second
state: present
become: yes


@ -1,19 +0,0 @@
---
- name: Accept FORWARD with tcp limit 1/second and tcp_flags
ansible.builtin.iptables:
chain: FORWARD
protocol: tcp
tcp_flags:
flags:
- SYN
- ACK
- FIN
- RST
flags_set:
- RST
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with tcp limit 1/second and tcp_flags
state: present
become: yes


@ -1,25 +0,0 @@
---
- name: Block all INPUT by default
ansible.builtin.iptables:
chain: INPUT
policy: DROP
comment: Block all INPUT by default
state: present
become: yes
- name: Block all OUTPUT by default
ansible.builtin.iptables:
chain: OUTPUT
policy: DROP
comment: Block all OUTPUT by default
state: present
become: yes
- name: Block all FORWARD by default
ansible.builtin.iptables:
chain: FORWARD
policy: DROP
comment: Block all FORWARD by default
state: present
become: yes


@ -1,59 +0,0 @@
---
- name: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags:
- FIN
- URG
- PSH
flags_set:
- FIN
- URG
- PSH
jump: DROP
comment: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
state: present
become: yes
- name: Drop des scans XMAS et NULL (ALL ALL)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags: ALL
flags_set: ALL
jump: DROP
comment: Drop des scans XMAS et NULL (ALL ALL)
state: present
become: yes
- name: Drop des scans XMAS et NULL (ALL NONE)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags: ALL
flags_set: NONE
jump: DROP
comment: Drop des scans XMAS et NULL (ALL NONE)
state: present
become: yes
- name: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags:
- SYN
- RST
flags_set:
- SYN
- RST
jump: DROP
comment: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
state: present
become: yes


@ -1,42 +1,4 @@
---
- ansible.builtin.import_tasks: accept_established.yml
name: accept_established
- ansible.builtin.import_tasks: accept_loopback.yml
name: accept_loopback
- ansible.builtin.import_tasks: accept_dns.yml
name: accept_dns
- ansible.builtin.import_tasks: accept_http.yml
name: accept_http
- ansible.builtin.import_tasks: accept_ssh.yml
name: accept_ssh
- ansible.builtin.import_tasks: accept_ntp.yml
name: accept_ntp
- ansible.builtin.import_tasks: accept_matrix.yml
name: accept_matrix
- ansible.builtin.import_tasks: accept_icmp.yml
name: accept_icmp
- ansible.builtin.import_tasks: block_basic_ddos.yml
name: block_basic_ddos
- ansible.builtin.import_tasks: block_port_scan.yml
name: block_port_scan
- ansible.builtin.import_tasks: accept_private_networks.yml
name: accept_private_networks
# Add drop after to avoid lock system during configuration
- ansible.builtin.import_tasks: drop_scans_xmas_null.yml
name: drop_scans_xmas_null
- ansible.builtin.import_tasks: drop_all_by_default.yml
name: drop_all_by_default
- ansible.builtin.import_tasks: base.yml
name: base


@ -0,0 +1,85 @@
#!/bin/sh
### BEGIN INIT INFO
# Provides: firewall rules
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start daemon at boot time
# Description: Enable service provided by daemon.
### END INIT INFO
#Suppression des règles précédentes
iptables -F
iptables -X
########
# DROP #
########
# Définition du blocage général
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Drop des scans XMAS et NULL
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
##########
# ACCEPT #
##########
# Conservations des connexions déjà établies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autorisation du loopback (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Autorisation des échanges avec le serveur DNS (53)
iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# NTP (123)
iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP (80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# HTTP MATRIX FEDERATION (8448)
iptables -A INPUT -p tcp --dport 8448 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT
# HTTPS (443)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
# ICMP (Ping)
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# Parer les attaques de type Déni de Service
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Parer les scans de ports
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Allow all from private network and docker network
iptables -A INPUT -j ACCEPT -d 172.17.0.0/16
iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
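Review bot: The "Allow all from private network" INPUT rules at the end match the destination (`-d 172.17.0.0/16`, `-d 192.168.1.0/24`) rather than the source, so if this host's own address sits in 192.168.1.0/24 every packet arriving at that address — from any source, to any port, including connections forwarded by a NAT router — is accepted and the INPUT DROP policy effectively protects nothing on that interface; the comment's intent needs `-s` on the INPUT chain: `iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT` and `iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT` (the OUTPUT rules with `-d` are correct as written). The stateless `--sport 123` INPUT rule and the `--sport 53 ... --ctstate NEW,RELATED,ESTABLISHED` INPUT rules accept any inbound UDP/TCP packet whose source port is 123 or 53 regardless of destination port, letting a remote sender reach any listening service simply by choosing that source port; since RELATED,ESTABLISHED is already accepted a few lines above, replies to our own DNS/NTP queries are covered and those three INPUT rules should be removed. The script programs IPv4 only — if the host has IPv6 connectivity there is no ip6tables policy at all, so at minimum `ip6tables -P INPUT DROP` (and mirrored rules) is needed. `iptables -F` / `iptables -X` also wipe Docker's user-defined filter chains when Docker is already running, so the container network the last comment refers to may need the Docker daemon restarted after this script runs; a comment saying so would save the next operator some debugging.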