Remove iptables

Extracted to a separate role:
https://github.com/kotovalexarian/ansible-role-iptables
Alex Kotov 2021-09-15 05:05:56 +05:00
parent efe6a044ed
commit 89eec02d71
Signed by: kotovalexarian
GPG Key ID: 553C0EBBEB5D5F08
9 changed files with 0 additions and 200 deletions


@ -1,14 +1,6 @@
---
common__basics__additional_packages: []
common__iptables__state: install
common__iptables__drop_by_default: false
common__iptables__allow_output_ifaces: []
common__iptables__v4_filter_prepend: null
common__iptables__v4_filter_append: null
common__iptables__v6_filter_prepend: null
common__iptables__v6_filter_append: null
common__certbot__state: install
common__certbot__run: true
common__certbot__email: 'user@example.com'


@ -5,12 +5,6 @@
name: sshd
state: restarted
- name: common | Load iptables rules for IPv4
shell: 'cat {{ common__iptables__conf_ipv4 }} | iptables-restore'
- name: common | Load iptables rules for IPv6
shell: 'cat {{ common__iptables__conf_ipv6 }} | ip6tables-restore'
- name: common | Restart Nginx
systemd:
daemon_reload: true


@ -1,30 +0,0 @@
---
- name: Install iptables-persistent
apt:
name: iptables-persistent
- name: Create directory for iptables configuration
file:
state: directory
path: '{{ common__iptables__conf_dir }}'
mode: 'u=rwx,go=rx'
owner: root
group: root
- name: Install iptables rules for IPv4
template:
src: templates/iptables/rules.v4
dest: '{{ common__iptables__conf_ipv4 }}'
mode: 'u=rw,go=r'
owner: root
group: root
notify: common | Load iptables rules for IPv4
- name: Install iptables rules for IPv6
template:
src: templates/iptables/rules.v6
dest: '{{ common__iptables__conf_ipv6 }}'
mode: 'u=rw,go=r'
owner: root
group: root
notify: common | Load iptables rules for IPv6


@ -1,13 +0,0 @@
---
- name: Purge iptables-persistent
apt:
state: absent
purge: true
name:
- iptables-persistent
- netfilter-persistent
- name: Delete iptables-persistent configuration
file:
state: absent
path: '{{ common__iptables__conf_dir }}'


@ -1,8 +0,0 @@
---
- name: Uninstall iptables-persistent
apt:
state: absent
purge: false
name:
- iptables-persistent
- netfilter-persistent


@ -4,20 +4,6 @@
- include_tasks: ssh.yml
- meta: flush_handlers
- fail:
msg: 'Invalid `common__iptables__state`: {{ common__iptables__state }}'
when: (common__iptables__state != None) and
(common__iptables__state != 'purge') and
(common__iptables__state != 'remove') and
(common__iptables__state != 'install')
- include_tasks: iptables/purge.yml
when: common__iptables__state == 'purge'
- include_tasks: iptables/remove.yml
when: common__iptables__state == 'remove'
- include_tasks: iptables/install.yml
when: common__iptables__state == 'install'
- meta: flush_handlers
- fail:
msg: 'Invalid `common__certbot__state`: {{ common__certbot__state }}'
when: (common__certbot__state != None) and


@ -1,53 +0,0 @@
########
*filter
########
:INPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
:FORWARD DROP [0:0]
:OUTPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
# Remove all rules from all chains,
# delete all user-defined chains.
-F
-X
{{ common__iptables__v4_filter_prepend }}
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow all outgoing traffic.
{% if common__iptables__allow_output_ifaces %}
{% for iface in common__iptables__allow_output_ifaces %}
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
{% endfor %}
{% else %}
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
{% endif %}
# Allow some important ICMP.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Deny other ICMP.
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j DROP
# Allow incoming SSH.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
{{ common__iptables__v4_filter_append }}
COMMIT


@ -1,64 +0,0 @@
########
*filter
########
:INPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
:FORWARD DROP [0:0]
:OUTPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
# Remove all rules from all chains,
# delete all user-defined chains.
-F
-X
{{ common__iptables__v6_filter_prepend }}
# Allow all loopback (lo) traffic and reject anything
# to localhost that does not originate from lo.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s ::/128 -j REJECT
-A OUTPUT -o lo -j ACCEPT
# Allow all outgoing traffic.
{% if common__iptables__allow_output_ifaces %}
{% for iface in common__iptables__allow_output_ifaces %}
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
{% endfor %}
{% else %}
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
{% endif %}
# Allow some important ICMP.
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
# TODO: maybe it's better to only allow these inside private network?
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
-A OUTPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
# Deny other ICMPv6.
-A INPUT -p icmpv6 -j DROP
-A OUTPUT -p icmpv6 -j DROP
# Allow incoming SSH.
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
{{ common__iptables__v6_filter_append }}
COMMIT


@ -6,10 +6,6 @@ common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.
common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive'
common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live'
common__iptables__conf_dir: '/etc/iptables'
common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'
common__iptables__conf_ipv6: '{{ common__iptables__conf_dir }}/rules.v6'
common__nginx__conf_dir: '/etc/nginx'
common__nginx__confd_dir: '{{ common__nginx__conf_dir }}/conf.d'
common__nginx__available_dir: '{{ common__nginx__conf_dir }}/sites-available'