From 7adf079b230f19d09b197c758d931927cadad55c Mon Sep 17 00:00:00 2001
From: Florian RICHER
Date: Sun, 21 May 2023 15:19:59 +0200
Subject: [PATCH] Fix Cloud + iptables

---
 group_vars/all.yml                   |  2 +-
 roles/cloud/tasks/base.yml           |  7 +++
 roles/cloud/tasks/cron.yml           |  3 +-
 roles/iptables/tasks/base.yml        | 15 +++---
 roles/iptables/templates/firewall.j2 | 74 ++++++++++++++--------------
 5 files changed, 55 insertions(+), 46 deletions(-)

diff --git a/group_vars/all.yml b/group_vars/all.yml
index 3b11702..de26fe2 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -2,7 +2,7 @@
 # Global configuration
 server:
   domain: mrdev023.test
-  ssh_port: 7943
+  ssh_port: 22
 backup:
   folder: /backup
   cron_expression: "* * * * *"
diff --git a/roles/cloud/tasks/base.yml b/roles/cloud/tasks/base.yml
index c3e2943..1158f10 100644
--- a/roles/cloud/tasks/base.yml
+++ b/roles/cloud/tasks/base.yml
@@ -12,6 +12,13 @@
     dest: cloud/
   register: cloud_copy_files_results
 
+- name: Ensure cron.sh as +x permission
+  ansible.builtin.file:
+    path: cloud/cron.sh
+    mode: u=rwx,g=rx,o=rx
+    modification_time: preserve
+    access_time: preserve
+
 - name: Copy template conf
   ansible.builtin.template:
     backup: true
diff --git a/roles/cloud/tasks/cron.yml b/roles/cloud/tasks/cron.yml
index be91468..f1b8b58 100644
--- a/roles/cloud/tasks/cron.yml
+++ b/roles/cloud/tasks/cron.yml
@@ -4,4 +4,5 @@
   ansible.builtin.cron:
     name: "check dirs"
     minute: "*/5"
-    job: "cd {{ ansible_env.HOME }}/cloud && ./cron.sh"
\ No newline at end of file
+    job: "cd {{ ansible_env.HOME }}/cloud && ./cron.sh"
+  become: yes
\ No newline at end of file
diff --git a/roles/iptables/tasks/base.yml b/roles/iptables/tasks/base.yml
index b26e6ae..5734c65 100644
--- a/roles/iptables/tasks/base.yml
+++ b/roles/iptables/tasks/base.yml
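Review bot: The new `Ensure cron.sh as +x permission` task in roles/cloud/tasks/base.yml uses the relative path `cloud/cron.sh`, which resolves against whatever working directory the remote session happens to start in; prefer an absolute path such as `path: "{{ ansible_env.HOME }}/cloud/cron.sh"` (the cron task in this same commit already builds the path that way) so the mode is applied to the file the cron job actually executes. The task name reads `as +x permission`; `has +x permission` is presumably intended. If the script is going to be run from root's crontab (see the `become` added in cron.yml), this task should also pin `owner`/`group` so the file root executes is not owned by an unprivileged deploy account — the mode alone does not establish that. The copy task that writes the file begins outside the hunk.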
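Review bot: `become: yes` on the `check dirs` task in roles/cloud/tasks/cron.yml installs the entry in root's crontab, so root will run `{{ ansible_env.HOME }}/cloud/cron.sh` every five minutes, but whether `ansible_env.HOME` expands to root's home or to the connection user's home depends on when facts were gathered relative to become, so the path root executes is not pinned by this hunk. Make the target explicit with `user: root` and an absolute `job:` path, and confirm the script at that path is not writable by the unprivileged account (the `u=rwx,g=rx,o=rx` mode set elsewhere in this commit is not world-writable, but ownership is never asserted). Write the boolean as `become: true` (yamllint `truthy`), and note that `become` must sit at task level beside `ansible.builtin.cron:`, not under it — the indentation in this rendering does not let me confirm which was committed. The file still ends without a trailing newline.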
@@ -5,14 +5,15 @@
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
     group: root
-    mode: u=rwx,g=x,o=x
+    mode: u=rwx,g=rx,o=rx
   loop:
-    - { src: 'firewall.j2', dest: '/etc/init.d/firewall' }
+    - { src: 'firewall.j2', dest: '/usr/bin/firewall' }
   register: iptables_templates_results
   become: yes
 
-- name: Ensure Service firewall is Enabled
-  become: yes
-  ansible.builtin.service:
-    name: firewall
-    enabled: yes
\ No newline at end of file
+- name: Ensure firewall is load in startup
+  ansible.builtin.cron:
+    name: "Firewall"
+    special_time: "reboot"
+    job: "/usr/bin/firewall"
+  become: yes
\ No newline at end of file
diff --git a/roles/iptables/templates/firewall.j2 b/roles/iptables/templates/firewall.j2
index c06ee5b..bb32de5 100755
--- a/roles/iptables/templates/firewall.j2
+++ b/roles/iptables/templates/firewall.j2
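Review bot: Replacing the enabled `firewall` service with a `special_time: "reboot"` cron entry leaves a window at every boot where the policies are whatever the kernel defaults to (ACCEPT) until cron gets around to running `/usr/bin/firewall`, and the ruleset is never applied at all if the cron daemon is disabled or the script exits early — a failure that only surfaces as cron mail, not as a failed unit. Keeping the firewall as part of boot (a systemd unit ordered before the network comes up, or persisting the rules with `iptables-save` / `netfilter-persistent`) avoids that gap; if cron stays, add `user: root` explicitly instead of relying on `become` to select the crontab. `/usr/bin` is the package-managed directory; `/usr/local/sbin` (or `/usr/local/bin`) is the conventional location for a site-local script like this one. Both `become: yes` values in the hunk should be `become: true` (yamllint `truthy`). The template task whose `mode` and `loop` change here starts outside the hunk.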
@@ -10,76 +10,76 @@
 ### END INIT INFO
 
 #Suppression des règles précédentes
-iptables -F
-iptables -X
+/sbin/iptables -F
+/sbin/iptables -X
 
 ########
 # DROP #
 ########
 
 # Définition du blocage général
-iptables -P INPUT DROP
-iptables -P OUTPUT DROP
-iptables -P FORWARD DROP
+/sbin/iptables -P INPUT DROP
+/sbin/iptables -P OUTPUT DROP
+/sbin/iptables -P FORWARD DROP
 
 # Drop des scans XMAS et NULL
-iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
-iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+/sbin/iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
+/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
+/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
 ##########
 # ACCEPT #
 ##########
 
 # Conservations des connexions déjà établies
-iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
 # Autorisation du loopback (127.0.0.1)
-iptables -A INPUT -i lo -j ACCEPT
-iptables -A OUTPUT -o lo -j ACCEPT
+/sbin/iptables -A INPUT -i lo -j ACCEPT
+/sbin/iptables -A OUTPUT -o lo -j ACCEPT
 
 # Autorisation des échanges avec le serveur DNS (53)
-iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
 
 # NTP (123)
-iptables -A INPUT -p udp --sport 123 -j ACCEPT
-iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+/sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT
+/sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
 
 # HTTP (80)
-iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+/sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
 
 # HTTP MATRIX FEDERATION (8448)
-iptables -A INPUT -p tcp --dport 8448 -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 8448 -j ACCEPT
+/sbin/iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT
 
 # HTTPS (443)
-iptables -A INPUT -p tcp --dport 443 -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+/sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
 
 # SSH
-iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
-iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
+/sbin/iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
+/sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
 
 # ICMP (Ping)
-iptables -A INPUT -p icmp -j ACCEPT
-iptables -A OUTPUT -p icmp -j ACCEPT
+/sbin/iptables -A INPUT -p icmp -j ACCEPT
+/sbin/iptables -A OUTPUT -p icmp -j ACCEPT
 
 # Parer les attaques de type Déni de Service
-iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
-iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
-iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
+/sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
+/sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
+/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
 
 # Parer les scans de ports
-iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
+/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
 
 # Allow all from private network and docker network
-iptables -A INPUT -j ACCEPT -d 172.17.0.0/16
-iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
-iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
-iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
+/sbin/iptables -A INPUT -j ACCEPT -d 172.17.0.0/16
+/sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
+/sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
+/sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
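Review bot: The four `Allow all from private network and docker network` rules at the end of the hunk match on `-d` (destination) even on the `INPUT` chain, so they do not express "from": an `INPUT` rule with `-d 192.168.1.0/24` or `-d 172.17.0.0/16` accepts any packet addressed to a local address in that range whatever its source, and if one of the host's own interfaces sits in that range it amounts to an accept-all for that interface. For the stated intent the two `INPUT` rules should match the source instead, `/sbin/iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT` and `/sbin/iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT`, keeping `-d` on the `OUTPUT` pair. Separately, the `-F`/`-X` at the top of the hunk flushes and deletes every chain in the filter table, so now that the script is launched from an `@reboot` cron entry it will also tear down Docker's chains if Docker happens to start first — worth pinning the start order or scoping the flush to this script's own chains. The interpreter line and the LSB header this `### END INIT INFO` closes are outside the hunk; with the init.d installation gone that header is now misleading.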