
Fix Cloud + iptables

This commit is contained in:
Florian RICHER 2023-05-21 15:19:59 +02:00
parent 4ec713038a
commit 7adf079b23
5 changed files with 55 additions and 46 deletions


@ -2,7 +2,7 @@
# Global configuration # Global configuration
server: server:
domain: mrdev023.test domain: mrdev023.test
ssh_port: 7943 ssh_port: 22
backup: backup:
folder: /backup folder: /backup
cron_expression: "* * * * *" cron_expression: "* * * * *"


@ -12,6 +12,13 @@
dest: cloud/ dest: cloud/
register: cloud_copy_files_results register: cloud_copy_files_results
- name: Ensure cron.sh as +x permission
ansible.builtin.file:
path: cloud/cron.sh
mode: u=rwx,g=rx,o=rx
modification_time: preserve
access_time: preserve
- name: Copy template conf - name: Copy template conf
ansible.builtin.template: ansible.builtin.template:
backup: true backup: true
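Review bot: The new `ansible.builtin.file` task addresses the script by a relative path, `path: cloud/cron.sh`, which resolves against the remote connection user's working directory, while the cron entry that executes it (added in another file of this commit) resolves it as `{{ ansible_env.HOME }}/cloud/cron.sh`. Making the path explicit, `path: "{{ ansible_env.HOME }}/cloud/cron.sh"`, keeps the two in step if the connection user or its login directory ever differs from HOME. The copy task this follows starts above the hunk; if it copies a single file rather than a directory, setting `mode` on that task would make this extra task unnecessary, but that cannot be confirmed from the visible lines.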


@ -4,4 +4,5 @@
ansible.builtin.cron: ansible.builtin.cron:
name: "check dirs" name: "check dirs"
minute: "*/5" minute: "*/5"
job: "cd {{ ansible_env.HOME }}/cloud && ./cron.sh" job: "cd {{ ansible_env.HOME }}/cloud && ./cron.sh"
become: yes
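Review bot: Adding `become: yes` installs this entry in root's crontab, so `{{ ansible_env.HOME }}/cloud/cron.sh` — a script deployed into, and writable from, the connection user's home — now runs as root every five minutes; any account that can modify that file can thereby run code as root. If root is not required, drop `become`; if it is, either keep the script and its directory root-owned or set `user: "{{ ansible_user_id }}"` on the cron entry so the job runs as the file owner (assuming facts were gathered as the unprivileged user — confirm). `become: yes` should also be written `become: true`, the form YAML 1.2 parsers and yamllint's truthy rule accept without ambiguity. The task's `- name:` line is above the hunk.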


@ -5,14 +5,15 @@
src: "{{ item.src }}" src: "{{ item.src }}"
dest: "{{ item.dest }}" dest: "{{ item.dest }}"
group: root group: root
mode: u=rwx,g=x,o=x mode: u=rwx,g=rx,o=rx
loop: loop:
- { src: 'firewall.j2', dest: '/etc/init.d/firewall' } - { src: 'firewall.j2', dest: '/usr/bin/firewall' }
register: iptables_templates_results register: iptables_templates_results
become: yes become: yes
- name: Ensure Service firewall is Enabled - name: Ensure firewall is load in startup
become: yes ansible.builtin.cron:
ansible.builtin.service: name: "Firewall"
name: firewall special_time: "reboot"
enabled: yes job: "/usr/bin/firewall"
become: yes
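Review bot: Replacing the `ansible.builtin.service` task with an `@reboot` cron entry leaves `/etc/init.d/firewall` present and enabled on any host provisioned from the previous revision, so the stale init script and the new cron job will both run at boot; a cleanup task that disables the old service and removes the file is needed for idempotent upgrades. An `@reboot` job also fires when the cron daemon starts, with no ordering relative to docker (whose filter-table chains the script's `-F`/`-X` would remove if docker is already up) or to network bring-up, so the boot order on a target host should be confirmed. `become: yes` on the new task, and on the pre-existing one above it, should be `become: true`. A sketch of the cleanup, to be placed after the new cron task:
```yaml
- name: Disable legacy firewall init service
  ansible.builtin.service:
    name: firewall
    enabled: false
  ignore_errors: true  # absent on hosts provisioned with this revision
  become: true
- name: Remove legacy firewall init script
  ansible.builtin.file:
    path: /etc/init.d/firewall
    state: absent
  become: true
```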


@ -10,76 +10,76 @@
### END INIT INFO ### END INIT INFO
#Suppression des règles précédentes #Suppression des règles précédentes
iptables -F /sbin/iptables -F
iptables -X /sbin/iptables -X
######## ########
# DROP # # DROP #
######## ########
# Définition du blocage général # Définition du blocage général
iptables -P INPUT DROP /sbin/iptables -P INPUT DROP
iptables -P OUTPUT DROP /sbin/iptables -P OUTPUT DROP
iptables -P FORWARD DROP /sbin/iptables -P FORWARD DROP
# Drop des scans XMAS et NULL # Drop des scans XMAS et NULL
iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP /sbin/iptables -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP /sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
########## ##########
# ACCEPT # # ACCEPT #
########## ##########
# Conservations des connexions déjà établies # Conservations des connexions déjà établies
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Autorisation du loopback (127.0.0.1) # Autorisation du loopback (127.0.0.1)
iptables -A INPUT -i lo -j ACCEPT /sbin/iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT /sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Autorisation des échanges avec le serveur DNS (53) # Autorisation des échanges avec le serveur DNS (53)
iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT /sbin/iptables -A INPUT -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
# NTP (123) # NTP (123)
iptables -A INPUT -p udp --sport 123 -j ACCEPT /sbin/iptables -A INPUT -p udp --sport 123 -j ACCEPT
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT /sbin/iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP (80) # HTTP (80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# HTTP MATRIX FEDERATION (8448) # HTTP MATRIX FEDERATION (8448)
iptables -A INPUT -p tcp --dport 8448 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 8448 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp --dport 8448 -j ACCEPT
# HTTPS (443) # HTTPS (443)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT /sbin/iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# SSH # SSH
iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT /sbin/iptables -A INPUT -p tcp --dport {{ server.ssh_port }} -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT /sbin/iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # ACCEPT SSH OUTPUT LIKE GIT
# ICMP (Ping) # ICMP (Ping)
iptables -A INPUT -p icmp -j ACCEPT /sbin/iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT /sbin/iptables -A OUTPUT -p icmp -j ACCEPT
# Parer les attaques de type Déni de Service # Parer les attaques de type Déni de Service
iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT /sbin/iptables -A FORWARD -p tcp --syn -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT /sbin/iptables -A FORWARD -p udp -m limit --limit 1/second -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT /sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Parer les scans de ports # Parer les scans de ports
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT /sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Allow all from private network and docker network # Allow all from private network and docker network
iptables -A INPUT -j ACCEPT -d 172.17.0.0/16 /sbin/iptables -A INPUT -j ACCEPT -d 172.17.0.0/16
iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16 /sbin/iptables -A OUTPUT -j ACCEPT -d 172.17.0.0/16
iptables -A INPUT -j ACCEPT -d 192.168.1.0/24 /sbin/iptables -A INPUT -j ACCEPT -d 192.168.1.0/24
iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24 /sbin/iptables -A OUTPUT -j ACCEPT -d 192.168.1.0/24
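Review bot: The four rules under `# Allow all from private network and docker network` match on destination (`-d`) in both INPUT and OUTPUT, while the comment describes a source-based allow; with the INPUT policy set to DROP, the INPUT rules accept traffic only when the packet's destination is in 172.17.0.0/16 or 192.168.1.0/24 (i.e. only if the host itself holds an address there), not traffic arriving from those networks, so either the comment or the selector (`-s` on the INPUT lines) is wrong and should be settled before this template starts running at every reboot. The `/sbin/iptables` prefix is consistent across the hunk, but the established-connection rules still use the older `-m state --state` while the DNS rules use `-m conntrack --ctstate`; picking one form would make the policy easier to audit. The LSB `### END INIT INFO` header at the top of the hunk is now dead text since the script is no longer installed under `/etc/init.d`. The shebang and the rest of the LSB header are above the hunk.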