florian.richer/myserver-configuration
1
0
Fork 0
Code Activity

[IPTABLES] Restore from config file

Browse source
This commit is contained in:
Florian RICHER 2023-05-21 11:31:41 +02:00
parent ede7570e68
commit 4ec713038a
17 changed files with 23 additions and 417 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
group_vars/all.yml
View file

@ -2,6 +2,7 @@
# Global configuration # Global configuration
server: server:
domain: mrdev023.test domain: mrdev023.test
ssh_port: 7943
backup: backup:
folder: /backup folder: /backup
cron_expression: "* * * * *" cron_expression: "* * * * *"

57
roles/iptables/tasks/accept_dns.yml
View file

@ -1,57 +0,0 @@
---
- name: Accept OUTPUT udp dport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
ctstate:
- NEW
- RELATED
- ESTABLISHED
destination_port: 53
jump: ACCEPT
comment: Accept OUTPUT udp dport 53
state: present
become: yes
- name: Accept INPUT udp sport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
ctstate:
- NEW
- RELATED
- ESTABLISHED
source_port: 53
jump: ACCEPT
comment: Accept OUTPUT udp sport 53
state: present
become: yes
- name: Accept OUTPUT tcp dport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
ctstate:
- NEW
- RELATED
- ESTABLISHED
destination_port: 53
jump: ACCEPT
comment: Accept OUTPUT tcp dport 53
state: present
become: yes
- name: Accept INPUT tcp sport 53
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
ctstate:
- NEW
- RELATED
- ESTABLISHED
source_port: 53
jump: ACCEPT
comment: Accept OUTPUT tcp sport 53
state: present
become: yes

19
roles/iptables/tasks/accept_established.yml
View file

@ -1,19 +0,0 @@
---
- name: Accept INPUT established
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Accept INPUT established
state: present
become: yes
- name: Accept OUTPUT established
ansible.builtin.iptables:
chain: OUTPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
comment: Accept OUTPUT established
state: present
become: yes

41
roles/iptables/tasks/accept_http.yml
View file

@ -1,41 +0,0 @@
---
- name: Accept INPUT 80
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
comment: Accept INPUT 80
state: present
become: yes
- name: Accept INPUT 443
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 443
jump: ACCEPT
comment: Accept INPUT 443
state: present
become: yes
- name: Accept OUTPUT 80
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 80
jump: ACCEPT
comment: Accept OUTPUT 80
state: present
become: yes
- name: Accept OUTPUT 443
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 443
jump: ACCEPT
comment: Accept OUTPUT 443
state: present
become: yes

19
roles/iptables/tasks/accept_loopback.yml
View file

@ -1,19 +0,0 @@
---
- name: Accept INPUT loopback
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
comment: Accept INPUT loopback
state: present
become: yes
- name: Accept OUTPUT loopback
ansible.builtin.iptables:
chain: OUTPUT
out_interface: lo
jump: ACCEPT
comment: Accept OUTPUT loopback
state: present
become: yes

21
roles/iptables/tasks/accept_matrix.yml
View file

@ -1,21 +0,0 @@
---
- name: Accept INPUT 8448
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 8448
jump: ACCEPT
comment: Accept INPUT 8448
state: present
become: yes
- name: Accept OUTPUT 8448
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 8448
jump: ACCEPT
comment: Accept OUTPUT 8448
state: present
become: yes

21
roles/iptables/tasks/accept_ntp.yml
View file

@ -1,21 +0,0 @@
---
- name: Accept INPUT 123
ansible.builtin.iptables:
chain: INPUT
protocol: udp
source_port: 123
jump: ACCEPT
comment: Accept INPUT 123
state: present
become: yes
- name: Accept OUTPUT 123
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
destination_port: 123
jump: ACCEPT
comment: Accept OUTPUT 123
state: present
become: yes

19
roles/iptables/tasks/accept_ping.yml
View file

@ -1,19 +0,0 @@
---
- name: Accept INPUT icmp
ansible.builtin.iptables:
chain: INPUT
protocol: icmp
jump: ACCEPT
comment: Accept INPUT icmp
state: present
become: yes
- name: Accept OUTPUT icmp
ansible.builtin.iptables:
chain: OUTPUT
protocol: icmp
jump: ACCEPT
comment: Accept OUTPUT icmp
state: present
become: yes

19
roles/iptables/tasks/accept_private_networks.yml
View file

@ -1,19 +0,0 @@
---
- name: Accept INPUT 192.168.1.0/24
ansible.builtin.iptables:
chain: INPUT
destination: 192.168.1.0/24
jump: ACCEPT
comment: Accept INPUT established
state: present
become: yes
- name: Accept OUTPUT 192.168.1.0/24
ansible.builtin.iptables:
chain: OUTPUT
destination: 192.168.1.0/24
jump: ACCEPT
comment: Accept OUTPUT established
state: present
become: yes

21
roles/iptables/tasks/accept_ssh.yml
View file

@ -1,21 +0,0 @@
---
- name: Accept INPUT 7943
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
destination_port: 7943
jump: ACCEPT
comment: Accept INPUT 7943
state: present
become: yes
- name: Accept OUTPUT 22
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: 22
jump: ACCEPT
comment: Accept OUTPUT 22
state: present
become: yes

18
roles/iptables/tasks/base.yml Normal file
View file

@ -0,0 +1,18 @@
---
- name: Copy conf
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
group: root
mode: u=rwx,g=x,o=x
loop:
- { src: 'firewall.j2', dest: '/etc/init.d/firewall' }
register: iptables_templates_results
become: yes
- name: Ensure Service firewall is Enabled
become: yes
ansible.builtin.service:
name: firewall
enabled: yes

33
roles/iptables/tasks/block_basic_ddos.yml
View file

@ -1,33 +0,0 @@
---
- name: Accept FORWARD with tcp limit 1/second and syn
ansible.builtin.iptables:
chain: FORWARD
protocol: tcp
syn: match
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with tcp limit 1/second and syn
state: present
become: yes
- name: Accept FORWARD with udp limit 1/second
ansible.builtin.iptables:
chain: FORWARD
protocol: udp
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with udp limit 1/second
state: present
become: yes
- name: Accept FORWARD with icmp limit 1/second
ansible.builtin.iptables:
chain: FORWARD
protocol: icmp
icmp_type: echo-request
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with icmp limit 1/second
state: present
become: yes

19
roles/iptables/tasks/block_port_scan.yml
View file

@ -1,19 +0,0 @@
---
- name: Accept FORWARD with tcp limit 1/second and tcp_flags
ansible.builtin.iptables:
chain: FORWARD
protocol: tcp
tcp_flags:
flags:
- SYN
- ACK
- FIN
- RST
flags_set:
- RST
limit: 1/second
jump: ACCEPT
comment: Accept FORWARD with tcp limit 1/second and tcp_flags
state: present
become: yes

25
roles/iptables/tasks/drop_all_by_default.yml
View file

@ -1,25 +0,0 @@
---
- name: Block all INPUT by default
ansible.builtin.iptables:
chain: INPUT
policy: DROP
comment: Block all INPUT by default
state: present
become: yes
- name: Block all OUTPUT by default
ansible.builtin.iptables:
chain: OUTPUT
policy: DROP
comment: Block all OUTPUT by default
state: present
become: yes
- name: Block all FORWARD by default
ansible.builtin.iptables:
chain: FORWARD
policy: DROP
comment: Block all FORWARD by default
state: present
become: yes

59
roles/iptables/tasks/drop_scans_xmas_null.yml
View file

@ -1,59 +0,0 @@
---
- name: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags:
- FIN
- URG
- PSH
flags_set:
- FIN
- URG
- PSH
jump: DROP
comment: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH)
state: present
become: yes
- name: Drop des scans XMAS et NULL (ALL ALL)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags: ALL
flags_set: ALL
jump: DROP
comment: Drop des scans XMAS et NULL (ALL ALL)
state: present
become: yes
- name: Drop des scans XMAS et NULL (ALL NONE)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags: ALL
flags_set: NONE
jump: DROP
comment: Drop des scans XMAS et NULL (ALL NONE)
state: present
become: yes
- name: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
tcp_flags:
flags:
- SYN
- RST
flags_set:
- SYN
- RST
jump: DROP
comment: Drop des scans XMAS et NULL (SYN,RST SYN,RST)
state: present
become: yes

42
roles/iptables/tasks/main.yml
View file

@ -1,42 +1,4 @@
--- ---
- ansible.builtin.import_tasks: accept_established.yml - ansible.builtin.import_tasks: base.yml
name: accept_established name: base
- ansible.builtin.import_tasks: accept_loopback.yml
name: accept_loopback
- ansible.builtin.import_tasks: accept_dns.yml
name: accept_dns
- ansible.builtin.import_tasks: accept_http.yml
name: accept_http
- ansible.builtin.import_tasks: accept_ssh.yml
name: accept_ssh
- ansible.builtin.import_tasks: accept_ntp.yml
name: accept_ntp
- ansible.builtin.import_tasks: accept_matrix.yml
name: accept_matrix
- ansible.builtin.import_tasks: accept_icmp.yml
name: accept_icmp
- ansible.builtin.import_tasks: block_basic_ddos.yml
name: block_basic_ddos
- ansible.builtin.import_tasks: block_port_scan.yml
name: block_port_scan
- ansible.builtin.import_tasks: accept_private_networks.yml
name: accept_private_networks
# Add drop after to avoid lock system during configuration
- ansible.builtin.import_tasks: drop_scans_xmas_null.yml
name: drop_scans_xmas_null
- ansible.builtin.import_tasks: drop_all_by_default.yml
name: drop_all_by_default

6
firewall → roles/iptables/templates/firewall.j2
View file

@ -62,11 +62,9 @@ iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# SSH (7943) # SSH
iptables -A INPUT -p tcp --dport 7943 -j ACCEPT iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
iptables -A OUTPUT -p tcp --dport 7943 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
iptables -A OUTPUT -p tcp --dport 2277 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GITLAB UNOVA
# ICMP (Ping) # ICMP (Ping)
iptables -A INPUT -p icmp -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT