Remove iptables
Extracted to the separate role: https://github.com/kotovalexarian/ansible-role-iptables
This commit is contained in:
parent
efe6a044ed
commit
89eec02d71
|
@ -1,14 +1,6 @@
|
|||
---
|
||||
common__basics__additional_packages: []
|
||||
|
||||
common__iptables__state: install
|
||||
common__iptables__drop_by_default: false
|
||||
common__iptables__allow_output_ifaces: []
|
||||
common__iptables__v4_filter_prepend: null
|
||||
common__iptables__v4_filter_append: null
|
||||
common__iptables__v6_filter_prepend: null
|
||||
common__iptables__v6_filter_append: null
|
||||
|
||||
common__certbot__state: install
|
||||
common__certbot__run: true
|
||||
common__certbot__email: 'user@example.com'
|
||||
|
|
|
@ -5,12 +5,6 @@
|
|||
name: sshd
|
||||
state: restarted
|
||||
|
||||
- name: common | Load iptables rules for IPv4
|
||||
shell: 'cat {{ common__iptables__conf_ipv4 }} | iptables-restore'
|
||||
|
||||
- name: common | Load iptables rules for IPv6
|
||||
shell: 'cat {{ common__iptables__conf_ipv6 }} | ip6tables-restore'
|
||||
|
||||
- name: common | Restart Nginx
|
||||
systemd:
|
||||
daemon_reload: true
|
||||
|
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
- name: Install iptables-persistent
|
||||
apt:
|
||||
name: iptables-persistent
|
||||
|
||||
- name: Create directory for iptables configuration
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ common__iptables__conf_dir }}'
|
||||
mode: 'u=rwx,go=rx'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install iptables rules for IPv4
|
||||
template:
|
||||
src: templates/iptables/rules.v4
|
||||
dest: '{{ common__iptables__conf_ipv4 }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: common | Load iptables rules for IPv4
|
||||
|
||||
- name: Install iptables rules for IPv6
|
||||
template:
|
||||
src: templates/iptables/rules.v6
|
||||
dest: '{{ common__iptables__conf_ipv6 }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: common | Load iptables rules for IPv6
|
|
@ -1,13 +0,0 @@
|
|||
---
|
||||
- name: Purge iptables-persistent
|
||||
apt:
|
||||
state: absent
|
||||
purge: true
|
||||
name:
|
||||
- iptables-persistent
|
||||
- netfilter-persistent
|
||||
|
||||
- name: Delete iptables-persistent configuration
|
||||
file:
|
||||
state: absent
|
||||
path: '{{ common__iptables__conf_dir }}'
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
- name: Uninstall iptables-persistent
|
||||
apt:
|
||||
state: absent
|
||||
purge: false
|
||||
name:
|
||||
- iptables-persistent
|
||||
- netfilter-persistent
|
|
@ -4,20 +4,6 @@
|
|||
- include_tasks: ssh.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- fail:
|
||||
msg: 'Invalid `common__iptables__state`: {{ common__iptables__state }}'
|
||||
when: (common__iptables__state != None) and
|
||||
(common__iptables__state != 'purge') and
|
||||
(common__iptables__state != 'remove') and
|
||||
(common__iptables__state != 'install')
|
||||
- include_tasks: iptables/purge.yml
|
||||
when: common__iptables__state == 'purge'
|
||||
- include_tasks: iptables/remove.yml
|
||||
when: common__iptables__state == 'remove'
|
||||
- include_tasks: iptables/install.yml
|
||||
when: common__iptables__state == 'install'
|
||||
- meta: flush_handlers
|
||||
|
||||
- fail:
|
||||
msg: 'Invalid `common__certbot__state`: {{ common__certbot__state }}'
|
||||
when: (common__certbot__state != None) and
|
||||
|
|
|
@ -1,53 +0,0 @@
|
|||
########
|
||||
*filter
|
||||
########
|
||||
|
||||
:INPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
|
||||
# Remove all rules from all chains,
|
||||
# delete all user-defined chains.
|
||||
-F
|
||||
-X
|
||||
|
||||
{{ common__iptables__v4_filter_prepend }}
|
||||
|
||||
# Allow all loopback (lo) traffic and reject anything
|
||||
# to localhost that does not originate from lo.
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Allow all outgoing traffic.
|
||||
{% if common__iptables__allow_output_ifaces %}
|
||||
{% for iface in common__iptables__allow_output_ifaces %}
|
||||
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
# Allow some important ICMP.
|
||||
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
|
||||
# Deny other ICMP.
|
||||
-A INPUT -p icmp -j DROP
|
||||
-A OUTPUT -p icmp -j DROP
|
||||
|
||||
# Allow incoming SSH.
|
||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
{{ common__iptables__v4_filter_append }}
|
||||
|
||||
COMMIT
|
|
@ -1,64 +0,0 @@
|
|||
########
|
||||
*filter
|
||||
########
|
||||
|
||||
:INPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT {{ 'DROP' if common__iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
|
||||
# Remove all rules from all chains,
|
||||
# delete all user-defined chains.
|
||||
-F
|
||||
-X
|
||||
|
||||
{{ common__iptables__v6_filter_prepend }}
|
||||
|
||||
# Allow all loopback (lo) traffic and reject anything
|
||||
# to localhost that does not originate from lo.
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT ! -i lo -s ::/128 -j REJECT
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Allow all outgoing traffic.
|
||||
{% if common__iptables__allow_output_ifaces %}
|
||||
{% for iface in common__iptables__allow_output_ifaces %}
|
||||
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
# Allow some important ICMP.
|
||||
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
||||
# TODO: maybe it's better to only allow these inside private network?
|
||||
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
|
||||
|
||||
# Deny other ICMPv6.
|
||||
-A INPUT -p icmpv6 -j DROP
|
||||
-A OUTPUT -p icmpv6 -j DROP
|
||||
|
||||
# Allow incoming SSH.
|
||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
{{ common__iptables__v6_filter_append }}
|
||||
|
||||
COMMIT
|
|
@ -6,10 +6,6 @@ common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.
|
|||
common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive'
|
||||
common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live'
|
||||
|
||||
common__iptables__conf_dir: '/etc/iptables'
|
||||
common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'
|
||||
common__iptables__conf_ipv6: '{{ common__iptables__conf_dir }}/rules.v6'
|
||||
|
||||
common__nginx__conf_dir: '/etc/nginx'
|
||||
common__nginx__confd_dir: '{{ common__nginx__conf_dir }}/conf.d'
|
||||
common__nginx__available_dir: '{{ common__nginx__conf_dir }}/sites-available'
|
||||
|
|
Loading…
Reference in New Issue