diff --git a/defaults/main.yml b/defaults/main.yml
index 8fe5344..498e58b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,17 +2,58 @@
 iptables__state: install
 iptables__drop_by_default: false
 iptables__allow_output_ifaces: []
+iptables__ssh_port: 22
+iptables__ssh_ifaces: []
-iptables__v4_filter_init: null
-iptables__v6_filter_init: null
-iptables__all_filter_init: null
+#############
+# NAT table #
+#############
-iptables__v4_filter_prepend: null
-iptables__v6_filter_prepend: null
-iptables__all_filter_prepend: null
+iptables__nat_v4: null
+iptables__nat_v6: null
+iptables__nat_all: null
-iptables__v4_filter_append: null
-iptables__v6_filter_append: null
+################
+# Filter table #
+################
-iptables__v4_nat: null
-iptables__v6_nat: null
+iptables__filter_prepend0_v4: null
+iptables__filter_prepend0_v6: null
+iptables__filter_prepend0_all: null
+iptables__filter_prepend1_v4: null
+iptables__filter_prepend1_v6: null
+iptables__filter_prepend1_all: null
+iptables__filter_prepend2_v4: null
+iptables__filter_prepend2_v6: null
+iptables__filter_prepend2_all: null
+
+iptables__filter_append0_v4: null
+iptables__filter_append0_v6: null
+iptables__filter_append0_all: null
+iptables__filter_append1_v4: null
+iptables__filter_append1_v6: null
+iptables__filter_append1_all: null
+iptables__filter_append2_v4: null
+iptables__filter_append2_v6: null
+iptables__filter_append2_all: null
+
+iptables__filter_ssh_before_v4: null
+iptables__filter_ssh_before_v6: null
+iptables__filter_ssh_before_all: null
+iptables__filter_ssh_after_v4: null
+iptables__filter_ssh_after_v6: null
+iptables__filter_ssh_after_all: null
+
+iptables__filter_loop_before_v4: null
+iptables__filter_loop_before_v6: null
+iptables__filter_loop_before_all: null
+iptables__filter_loop_after_v4: null
+iptables__filter_loop_after_v6: null
+iptables__filter_loop_after_all: null
+
+iptables__filter_out_before_v4: null
+iptables__filter_out_before_v6: null
+iptables__filter_out_before_all: null
+iptables__filter_out_after_v4: null
+iptables__filter_out_after_v6: null
+iptables__filter_out_after_all: null
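Review bot: `iptables__ssh_port: 22` is introduced here but nothing consumes it — the SSH allow rules added to templates/rules.v4 and templates/rules.v6 in this same commit still hard-code `--dport 22` and `--sport 22`, so overriding the variable in inventory has no effect. On a host with `iptables__drop_by_default: true` and sshd listening on a non-default port, that silently leaves the configured SSH port blocked. The four rule lines in the two templates should read `--dport {{ iptables__ssh_port }}` and `--sport {{ iptables__ssh_port }}`. A comment above the two new keys would also help, e.g. `# TCP port the SSH allow rule opens; when iptables__ssh_ifaces is non-empty the rule is limited to those interfaces.`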
diff --git a/templates/rules.v4 b/templates/rules.v4
index 82bc0f9..141f68a 100644
--- a/templates/rules.v4
+++ b/templates/rules.v4
@@ -1,39 +1,75 @@
-#####
+################################################################################
 *nat
-#####
+################################################################################
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-# Remove all rules from all chains,
-# delete all user-defined chains.
+# Remove all rules from all chains.
 -F
+# Delete all user-defined chains.
 -X
-{{ iptables__v4_nat }}
+{{ iptables__nat_v4 }}
+{{ iptables__nat_all }}
 COMMIT
-########
+
+
+################################################################################
 *filter
-########
+################################################################################
 :INPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
-# Remove all rules from all chains,
-# delete all user-defined chains.
+# Remove all rules from all chains.
 -F
+# Delete all user-defined chains.
 -X
-{{ iptables__v4_filter_init }}
-{{ iptables__all_filter_init }}
+##########
+# Custom #
+##########
-{{ iptables__v4_filter_prepend }}
-{{ iptables__all_filter_prepend }}
+{{ iptables__filter_prepend0_v6 }}
+{{ iptables__filter_prepend0_all }}
+{{ iptables__filter_prepend1_v6 }}
+{{ iptables__filter_prepend1_all }}
+{{ iptables__filter_prepend2_v6 }}
+{{ iptables__filter_prepend2_all }}
+
+#######
+# SSH #
+#######
+
+{{ iptables__filter_ssh_before_v6 }}
+{{ iptables__filter_ssh_before_all }}
+
+# Allow incoming SSH.
+{% if iptables__ssh_ifaces %}
+{% for iface in iptables__ssh_ifaces %}
+-A INPUT -i {{ iface }} -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o {{ iface }} -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+{% endfor %}
+{% else %}
+-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+{% endif %}
+
+{{ iptables__filter_ssh_after_v6 }}
+{{ iptables__filter_ssh_after_all }}
+
+############
+# Loopback #
+############
+
+{{ iptables__filter_loop_before_v6 }}
+{{ iptables__filter_loop_before_all }}
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
@@ -41,6 +77,16 @@ COMMIT
 -A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
 -A OUTPUT -o lo -j ACCEPT
+{{ iptables__filter_loop_after_v6 }}
+{{ iptables__filter_loop_after_all }}
+
+############
+# Outgoing #
+############
+
+{{ iptables__filter_out_before_v6 }}
+{{ iptables__filter_out_before_all }}
+
 # Allow all outgoing traffic.
 {% if iptables__allow_output_ifaces %}
 {% for iface in iptables__allow_output_ifaces %}
@@ -52,6 +98,13 @@ COMMIT
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 {% endif %}
+{{ iptables__filter_out_after_v6 }}
+{{ iptables__filter_out_after_all }}
+
+########
+# ICMP #
+########
+
 # Allow some important ICMP.
 -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
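Review bot: The `*filter` section of templates/rules.v4 renders the IPv6 hook variables — `{{ iptables__filter_prepend0_v6 }}`, `{{ iptables__filter_ssh_before_v6 }}`, `{{ iptables__filter_loop_before_v6 }}` in this hunk and the `_v6` loop_after/out_before/out_after/append placeholders in the @@ -41, @@ -52 and @@ -66 hunks — while templates/rules.v6 renders the `_v4` ones in each corresponding hunk; only the nat table uses the matching family (`iptables__nat_v4` in rules.v4, `iptables__nat_v6` in rules.v6). A family-specific rule a user sets, say one carrying an IPv4 address in `iptables__filter_prepend0_v4`, would therefore be emitted into the ip6tables ruleset, where it presumably makes ip6tables-restore reject the whole file, and the IPv4 ruleset never sees it. The fix is a suffix swap in the filter sections of both templates: every `_v6` placeholder in rules.v4 becomes `_v4` (e.g. `{{ iptables__filter_prepend0_v4 }}`) and every `_v4` placeholder in rules.v6 becomes `_v6`. The `*filter` section these placeholders belong to continues past this hunk.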
@@ -66,10 +119,15 @@ COMMIT
 -A INPUT -p icmp -j DROP
 -A OUTPUT -p icmp -j DROP
-# Allow incoming SSH.
--A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+##########
+# Custom #
+##########
-{{ iptables__v4_filter_append }}
+{{ iptables__filter_append0_v6 }}
+{{ iptables__filter_append0_all }}
+{{ iptables__filter_append1_v6 }}
+{{ iptables__filter_append1_all }}
+{{ iptables__filter_append2_v6 }}
+{{ iptables__filter_append2_all }}
 COMMIT
diff --git a/templates/rules.v6 b/templates/rules.v6
index 3c21dd9..e543db2 100644
--- a/templates/rules.v6
+++ b/templates/rules.v6
@@ -1,39 +1,75 @@
-#####
+################################################################################
 *nat
-#####
+################################################################################
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-# Remove all rules from all chains,
-# delete all user-defined chains.
+# Remove all rules from all chains.
 -F
+# Delete all user-defined chains.
 -X
-{{ iptables__v6_nat }}
+{{ iptables__nat_v6 }}
+{{ iptables__nat_all }}
 COMMIT
-########
+
+
+################################################################################
 *filter
-########
+################################################################################
 :INPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
-# Remove all rules from all chains,
-# delete all user-defined chains.
+# Remove all rules from all chains.
 -F
+# Delete all user-defined chains.
 -X
-{{ iptables__v6_filter_init }}
-{{ iptables__all_filter_init }}
+##########
+# Custom #
+##########
-{{ iptables__v6_filter_prepend }}
-{{ iptables__all_filter_prepend }}
+{{ iptables__filter_prepend0_v4 }}
+{{ iptables__filter_prepend0_all }}
+{{ iptables__filter_prepend1_v4 }}
+{{ iptables__filter_prepend1_all }}
+{{ iptables__filter_prepend2_v4 }}
+{{ iptables__filter_prepend2_all }}
+
+#######
+# SSH #
+#######
+
+{{ iptables__filter_ssh_before_v4 }}
+{{ iptables__filter_ssh_before_all }}
+
+# Allow incoming SSH.
+{% if iptables__ssh_ifaces %}
+{% for iface in iptables__ssh_ifaces %}
+-A INPUT -i {{ iface }} -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -o {{ iface }} -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+{% endfor %}
+{% else %}
+-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+{% endif %}
+
+{{ iptables__filter_ssh_after_v4 }}
+{{ iptables__filter_ssh_after_all }}
+
+############
+# Loopback #
+############
+
+{{ iptables__filter_loop_before_v4 }}
+{{ iptables__filter_loop_before_all }}
 # Allow all loopback (lo) traffic and reject anything
 # to localhost that does not originate from lo.
@@ -41,6 +77,16 @@ COMMIT
 -A INPUT ! -i lo -s ::/128 -j REJECT
 -A OUTPUT -o lo -j ACCEPT
+{{ iptables__filter_loop_after_v4 }}
+{{ iptables__filter_loop_after_all }}
+
+############
+# Outgoing #
+############
+
+{{ iptables__filter_out_before_v4 }}
+{{ iptables__filter_out_before_all }}
+
 # Allow all outgoing traffic.
 {% if iptables__allow_output_ifaces %}
 {% for iface in iptables__allow_output_ifaces %}
@@ -52,6 +98,13 @@ COMMIT
 -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 {% endif %}
+{{ iptables__filter_out_after_v4 }}
+{{ iptables__filter_out_after_all }}
+
+########
+# ICMP #
+########
+
 # Allow some important ICMP.
 -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
 -A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
@@ -77,10 +130,15 @@ COMMIT
 -A INPUT -p icmpv6 -j DROP
 -A OUTPUT -p icmpv6 -j DROP
-# Allow incoming SSH.
--A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+##########
+# Custom #
+##########
-{{ iptables__v6_filter_append }}
+{{ iptables__filter_append0_v4 }}
+{{ iptables__filter_append0_all }}
+{{ iptables__filter_append1_v4 }}
+{{ iptables__filter_append1_all }}
+{{ iptables__filter_append2_v4 }}
+{{ iptables__filter_append2_all }}
 COMMIT