From fcd5694fa8f421755ecf7f88f7aa20bb01809845 Mon Sep 17 00:00:00 2001 From: Florian RICHER Date: Sat, 20 May 2023 23:54:16 +0200 Subject: [PATCH] [IPTABLES] Add rules (Not tested) --- roles/iptables/tasks/accept_dns.yml | 57 ++++++++++++++++++ roles/iptables/tasks/accept_established.yml | 19 ++++++ roles/iptables/tasks/accept_http.yml | 41 +++++++++++++ roles/iptables/tasks/accept_loopback.yml | 19 ++++++ roles/iptables/tasks/accept_matrix.yml | 21 +++++++ roles/iptables/tasks/accept_ntp.yml | 21 +++++++ roles/iptables/tasks/accept_ping.yml | 19 ++++++ .../tasks/accept_private_networks.yml | 19 ++++++ roles/iptables/tasks/accept_ssh.yml | 21 +++++++ roles/iptables/tasks/block_basic_ddos.yml | 33 +++++++++++ roles/iptables/tasks/block_port_scan.yml | 19 ++++++ roles/iptables/tasks/drop_all_by_default.yml | 25 ++++++++ roles/iptables/tasks/drop_scans_xmas_null.yml | 59 +++++++++++++++++++ roles/iptables/tasks/main.yml | 42 +++++++++++++ 14 files changed, 415 insertions(+) create mode 100644 roles/iptables/tasks/accept_dns.yml create mode 100644 roles/iptables/tasks/accept_established.yml create mode 100644 roles/iptables/tasks/accept_http.yml create mode 100644 roles/iptables/tasks/accept_loopback.yml create mode 100644 roles/iptables/tasks/accept_matrix.yml create mode 100644 roles/iptables/tasks/accept_ntp.yml create mode 100644 roles/iptables/tasks/accept_ping.yml create mode 100644 roles/iptables/tasks/accept_private_networks.yml create mode 100644 roles/iptables/tasks/accept_ssh.yml create mode 100644 roles/iptables/tasks/block_basic_ddos.yml create mode 100644 roles/iptables/tasks/block_port_scan.yml create mode 100644 roles/iptables/tasks/drop_all_by_default.yml create mode 100644 roles/iptables/tasks/drop_scans_xmas_null.yml create mode 100644 roles/iptables/tasks/main.yml diff --git a/roles/iptables/tasks/accept_dns.yml b/roles/iptables/tasks/accept_dns.yml new file mode 100644 index 0000000..97685f3 --- /dev/null +++ b/roles/iptables/tasks/accept_dns.yml 
@@ -0,0 +1,57 @@ +--- + +- name: Accept OUTPUT udp dport 53 + ansible.builtin.iptables: + chain: OUTPUT + protocol: udp + ctstate: + - NEW + - RELATED + - ESTABLISHED + destination_port: 53 + jump: ACCEPT + comment: Accept OUTPUT udp dport 53 + state: present + become: yes + +- name: Accept INPUT udp sport 53 + ansible.builtin.iptables: + chain: OUTPUT + protocol: udp + ctstate: + - NEW + - RELATED + - ESTABLISHED + source_port: 53 + jump: ACCEPT + comment: Accept OUTPUT udp sport 53 + state: present + become: yes + +- name: Accept OUTPUT tcp dport 53 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + ctstate: + - NEW + - RELATED + - ESTABLISHED + destination_port: 53 + jump: ACCEPT + comment: Accept OUTPUT tcp dport 53 + state: present + become: yes + +- name: Accept INPUT tcp sport 53 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + ctstate: + - NEW + - RELATED + - ESTABLISHED + source_port: 53 + jump: ACCEPT + comment: Accept OUTPUT tcp sport 53 + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_established.yml b/roles/iptables/tasks/accept_established.yml new file mode 100644 index 0000000..7b600b6 --- /dev/null +++ b/roles/iptables/tasks/accept_established.yml @@ -0,0 +1,19 @@ +--- + +- name: Accept INPUT established + ansible.builtin.iptables: + chain: INPUT + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + comment: Accept INPUT established + state: present + become: yes + +- name: Accept OUTPUT established + ansible.builtin.iptables: + chain: OUTPUT + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + comment: Accept OUTPUT established + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_http.yml b/roles/iptables/tasks/accept_http.yml new file mode 100644 index 0000000..d856052 --- /dev/null +++ b/roles/iptables/tasks/accept_http.yml 
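Review bot: The two tasks named "Accept INPUT udp sport 53" and "Accept INPUT tcp sport 53" set `chain: OUTPUT` and carry a comment that also says OUTPUT, so the task names do not describe the rule that is installed. More importantly, inbound DNS replies are already covered by the `ctstate: ESTABLISHED,RELATED` INPUT rule in accept_established.yml, and an INPUT rule matching `source_port: 53` together with `NEW` would accept any fresh inbound packet whose sender simply chose source port 53, to any local port; the safest fix is to delete both sport-53 tasks and keep only the two `destination_port: 53` OUTPUT tasks. Every task in this commit also uses `become: yes`; yamllint's truthy rule and the Ansible style guide want `become: true`, so the same one-line change applies to all fourteen files.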
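Review bot: `ctstate` is written as the comma string `ESTABLISHED,RELATED` here but as a YAML list in accept_dns.yml; both forms are accepted by the module, but one form should be used role-wide so the rules read the same way when diffed. A list, `ctstate:` followed by `- ESTABLISHED` and `- RELATED`, matches the rest of the role.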
@@ -0,0 +1,41 @@ +--- + +- name: Accept INPUT 80 + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 80 + jump: ACCEPT + comment: Accept INPUT 80 + state: present + become: yes + +- name: Accept INPUT 443 + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 443 + jump: ACCEPT + comment: Accept INPUT 443 + state: present + become: yes + +- name: Accept OUTPUT 80 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination_port: 80 + jump: ACCEPT + comment: Accept OUTPUT 80 + state: present + become: yes + +- name: Accept OUTPUT 443 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination_port: 443 + jump: ACCEPT + comment: Accept OUTPUT 443 + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_loopback.yml b/roles/iptables/tasks/accept_loopback.yml new file mode 100644 index 0000000..9674567 --- /dev/null +++ b/roles/iptables/tasks/accept_loopback.yml @@ -0,0 +1,19 @@ +--- + +- name: Accept INPUT loopback + ansible.builtin.iptables: + chain: INPUT + in_interface: lo + jump: ACCEPT + comment: Accept INPUT loopback + state: present + become: yes + +- name: Accept OUTPUT loopback + ansible.builtin.iptables: + chain: OUTPUT + out_interface: lo + jump: ACCEPT + comment: Accept OUTPUT loopback + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_matrix.yml b/roles/iptables/tasks/accept_matrix.yml new file mode 100644 index 0000000..49d237d --- /dev/null +++ b/roles/iptables/tasks/accept_matrix.yml @@ -0,0 +1,21 @@ +--- + +- name: Accept INPUT 8448 + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 8448 + jump: ACCEPT + comment: Accept INPUT 8448 + state: present + become: yes + +- name: Accept OUTPUT 8448 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination_port: 8448 + jump: ACCEPT + comment: Accept OUTPUT 8448 + state: present + become: yes 
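Review bot: Port 8448 is undocumented in this file; a reader who does not know Matrix will not recognise it as the server-to-server federation port. Add a comment above the first task, `# 8448: Matrix server-to-server federation port`, and consider moving the port into a role variable so the same role can serve hosts without a homeserver.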
diff --git a/roles/iptables/tasks/accept_ntp.yml b/roles/iptables/tasks/accept_ntp.yml new file mode 100644 index 0000000..be678e0 --- /dev/null +++ b/roles/iptables/tasks/accept_ntp.yml @@ -0,0 +1,21 @@ +--- + +- name: Accept INPUT 123 + ansible.builtin.iptables: + chain: INPUT + protocol: udp + source_port: 123 + jump: ACCEPT + comment: Accept INPUT 123 + state: present + become: yes + +- name: Accept OUTPUT 123 + ansible.builtin.iptables: + chain: OUTPUT + protocol: udp + destination_port: 123 + jump: ACCEPT + comment: Accept OUTPUT 123 + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_ping.yml b/roles/iptables/tasks/accept_ping.yml new file mode 100644 index 0000000..9124983 --- /dev/null +++ b/roles/iptables/tasks/accept_ping.yml @@ -0,0 +1,19 @@ +--- + +- name: Accept INPUT icmp + ansible.builtin.iptables: + chain: INPUT + protocol: icmp + jump: ACCEPT + comment: Accept INPUT icmp + state: present + become: yes + +- name: Accept OUTPUT icmp + ansible.builtin.iptables: + chain: OUTPUT + protocol: icmp + jump: ACCEPT + comment: Accept OUTPUT icmp + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_private_networks.yml b/roles/iptables/tasks/accept_private_networks.yml new file mode 100644 index 0000000..d7081e3 --- /dev/null +++ b/roles/iptables/tasks/accept_private_networks.yml @@ -0,0 +1,19 @@ +--- + +- name: Accept INPUT 192.168.1.0/24 + ansible.builtin.iptables: + chain: INPUT + destination: 192.168.1.0/24 + jump: ACCEPT + comment: Accept INPUT established + state: present + become: yes + +- name: Accept OUTPUT 192.168.1.0/24 + ansible.builtin.iptables: + chain: OUTPUT + destination: 192.168.1.0/24 + jump: ACCEPT + comment: Accept OUTPUT established + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/accept_ssh.yml b/roles/iptables/tasks/accept_ssh.yml new file mode 100644 index 0000000..3904bea --- /dev/null 
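Review bot: The "Accept INPUT 123" task matches any UDP packet with `source_port: 123`, in any connection state and to any destination port, so any remote host can reach any local UDP service just by sending from port 123. The NTP replies this task is meant to allow are already accepted by the `ESTABLISHED,RELATED` INPUT rule in accept_established.yml, so the task can be removed outright; if this host is meant to serve NTP, match `destination_port: 123` instead of the source port.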
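Review bot: Both tasks accept every ICMP type because `protocol: icmp` is given without `icmp_type`, whereas the file name and task names say "ping". The module's `icmp_type` parameter is already used in block_basic_ddos.yml; restricting the INPUT task to `icmp_type: echo-request` (optionally with a `limit:`) and leaving replies and ICMP errors to the `ESTABLISHED,RELATED` rule keeps the intent of the file while narrowing what is accepted unsolicited.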
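Review bot: The INPUT task matches `destination: 192.168.1.0/24` rather than the source, so if this host's own address lies in that subnet the rule accepts every inbound packet regardless of where it came from, which bypasses the rest of the ruleset. The intended rule is `source: 192.168.1.0/24` on INPUT; the OUTPUT task's `destination:` is correct as written. Both comments are copy-pasted from accept_established.yml (`comment: Accept INPUT established`) and should say what the rule does, e.g. `comment: Accept INPUT from 192.168.1.0/24`; the subnet itself would be better as a role variable than a literal.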
+++ b/roles/iptables/tasks/accept_ssh.yml @@ -0,0 +1,21 @@ +--- + +- name: Accept INPUT 7943 + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: 7943 + jump: ACCEPT + comment: Accept INPUT 7943 + state: present + become: yes + +- name: Accept OUTPUT 22 + ansible.builtin.iptables: + chain: OUTPUT + protocol: tcp + destination_port: 22 + jump: ACCEPT + comment: Accept OUTPUT 22 + state: present + become: yes diff --git a/roles/iptables/tasks/block_basic_ddos.yml b/roles/iptables/tasks/block_basic_ddos.yml new file mode 100644 index 0000000..fc97815 --- /dev/null +++ b/roles/iptables/tasks/block_basic_ddos.yml @@ -0,0 +1,33 @@ +--- + +- name: Accept FORWARD with tcp limit 1/second and syn + ansible.builtin.iptables: + chain: FORWARD + protocol: tcp + syn: match + limit: 1/second + jump: ACCEPT + comment: Accept FORWARD with tcp limit 1/second and syn + state: present + become: yes + +- name: Accept FORWARD with udp limit 1/second + ansible.builtin.iptables: + chain: FORWARD + protocol: udp + limit: 1/second + jump: ACCEPT + comment: Accept FORWARD with udp limit 1/second + state: present + become: yes + +- name: Accept FORWARD with icmp limit 1/second + ansible.builtin.iptables: + chain: FORWARD + protocol: icmp + icmp_type: echo-request + limit: 1/second + jump: ACCEPT + comment: Accept FORWARD with icmp limit 1/second + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/block_port_scan.yml b/roles/iptables/tasks/block_port_scan.yml new file mode 100644 index 0000000..7d3f785 --- /dev/null +++ b/roles/iptables/tasks/block_port_scan.yml 
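Review bot: Port 7943 is not explained anywhere and differs from the 22 used on OUTPUT, so a maintainer cannot tell whether it is a non-default sshd listen port or a typo. Add a comment above the task, `# 7943: sshd listen port on this host (non-default)`, or better, move it to a role variable such as `{{ ssh_port }}` that the sshd role shares. Since Ansible's own session arrives on this port, the ordering comment in main.yml depends on this task running before the DROP policy is applied; that is worth stating here too.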
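Review bot: None of the three tasks in this file blocks anything: each one ACCEPTs rate-limited traffic on the FORWARD chain, and the excess is only dropped by the DROP policy that drop_all_by_default.yml sets later. On a host that does not route packets the FORWARD chain never sees traffic, so the rules are inert; if the host ever does forward, they open a 1-packet/second path through a chain that was meant to be fully closed. The classic form of these rules targets `chain: INPUT` and is followed by a DROP task for the same match, and `limit_burst` should be set explicitly rather than left at the module default. The same applies to the single task in block_port_scan.yml, which also uses `chain: FORWARD`.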
@@ -0,0 +1,19 @@ +--- + +- name: Accept FORWARD with tcp limit 1/second and tcp_flags + ansible.builtin.iptables: + chain: FORWARD + protocol: tcp + tcp_flags: + flags: + - SYN + - ACK + - FIN + - RST + flags_set: + - RST + limit: 1/second + jump: ACCEPT + comment: Accept FORWARD with tcp limit 1/second and tcp_flags + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/drop_all_by_default.yml b/roles/iptables/tasks/drop_all_by_default.yml new file mode 100644 index 0000000..d8cb439 --- /dev/null +++ b/roles/iptables/tasks/drop_all_by_default.yml @@ -0,0 +1,25 @@ +--- + +- name: Block all INPUT by default + ansible.builtin.iptables: + chain: INPUT + policy: DROP + comment: Block all INPUT by default + state: present + become: yes + +- name: Block all OUTPUT by default + ansible.builtin.iptables: + chain: OUTPUT + policy: DROP + comment: Block all OUTPUT by default + state: present + become: yes + +- name: Block all FORWARD by default + ansible.builtin.iptables: + chain: FORWARD + policy: DROP + comment: Block all FORWARD by default + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/drop_scans_xmas_null.yml b/roles/iptables/tasks/drop_scans_xmas_null.yml new file mode 100644 index 0000000..02af0c4 --- /dev/null +++ b/roles/iptables/tasks/drop_scans_xmas_null.yml 
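Review bot: The `comment:` and `state:` keys on these three tasks have no effect, because the module ignores all other parameters when `policy` is given; they should be removed so nobody expects the comment to appear in the ruleset. Two bigger gaps remain: `ansible.builtin.iptables` defaults to `ip_version: ipv4`, so nothing in this commit touches ip6tables and IPv6 traffic stays unfiltered; add at least the three policy tasks again with `ip_version: ipv6`, and the accept tasks the host needs. The module also does not persist rules, so everything installed here disappears on reboot unless a save step (for example iptables-persistent / netfilter-persistent) is added to the role.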
@@ -0,0 +1,59 @@ +--- + +- name: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + tcp_flags: + flags: + - FIN + - URG + - PSH + flags_set: + - FIN + - URG + - PSH + jump: DROP + comment: Drop des scans XMAS et NULL (FIN,URG,PSH FIN,URG,PSH) + state: present + become: yes + +- name: Drop des scans XMAS et NULL (ALL ALL) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + tcp_flags: + flags: ALL + flags_set: ALL + jump: DROP + comment: Drop des scans XMAS et NULL (ALL ALL) + state: present + become: yes + +- name: Drop des scans XMAS et NULL (ALL NONE) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + tcp_flags: + flags: ALL + flags_set: NONE + jump: DROP + comment: Drop des scans XMAS et NULL (ALL NONE) + state: present + become: yes + +- name: Drop des scans XMAS et NULL (SYN,RST SYN,RST) + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + tcp_flags: + flags: + - SYN + - RST + flags_set: + - SYN + - RST + jump: DROP + comment: Drop des scans XMAS et NULL (SYN,RST SYN,RST) + state: present + become: yes \ No newline at end of file diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml new file mode 100644 index 0000000..216468c --- /dev/null +++ b/roles/iptables/tasks/main.yml 
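Review bot: Because main.yml imports this file after every accept file and the module appends by default, these DROP rules sit below unconditional ACCEPTs such as the port 80/443 and 8448 INPUT rules, so a flag-scan packet aimed at an open port is accepted before it reaches them; on closed ports the DROP policy already discards it, leaving the rules with almost no effect. They match only bogus flag combinations and cannot lock out the Ansible session, so import this file first in main.yml (or give the tasks `action: insert`). The names and comments are in French and identical across four different matches; name each by what it matches in English, e.g. `name: Drop XMAS scan (FIN,URG,PSH all set)`, `name: Drop NULL scan (no flags set)`, and `name: Drop SYN+RST packets`.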
@@ -0,0 +1,42 @@ +--- + +- ansible.builtin.import_tasks: accept_established.yml + name: accept_established + +- ansible.builtin.import_tasks: accept_loopback.yml + name: accept_loopback + +- ansible.builtin.import_tasks: accept_dns.yml + name: accept_dns + +- ansible.builtin.import_tasks: accept_http.yml + name: accept_http + +- ansible.builtin.import_tasks: accept_ssh.yml + name: accept_ssh + +- ansible.builtin.import_tasks: accept_ntp.yml + name: accept_ntp + +- ansible.builtin.import_tasks: accept_matrix.yml + name: accept_matrix + +- ansible.builtin.import_tasks: accept_icmp.yml + name: accept_icmp + +- ansible.builtin.import_tasks: block_basic_ddos.yml + name: block_basic_ddos + +- ansible.builtin.import_tasks: block_port_scan.yml + name: block_port_scan + +- ansible.builtin.import_tasks: accept_private_networks.yml + name: accept_private_networks + +# Add drop after to avoid lock system during configuration + +- ansible.builtin.import_tasks: drop_scans_xmas_null.yml + name: drop_scans_xmas_null + +- ansible.builtin.import_tasks: drop_all_by_default.yml + name: drop_all_by_default \ No newline at end of file
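Review bot: The import of `accept_icmp.yml` references a file that does not exist in this commit; the ICMP tasks were added as accept_ping.yml, so `import_tasks` fails when the play is parsed and no rule from this role is ever applied. Change the two lines to `- ansible.builtin.import_tasks: accept_ping.yml` and `name: accept_ping`. The comment "Add drop after to avoid lock system during configuration" would be clearer as `# Apply the DROP policies last so the Ansible SSH session is not cut off before the accept rules exist`, and note that it only needs to cover drop_all_by_default.yml; drop_scans_xmas_null.yml matches only malformed flag combinations and is safer imported first, before the accept files.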