Add existing code
This commit is contained in:
commit
91a44682cf
GPG Key ID:
553C0EBBEB5D5F08
|
|
@ -0,0 +1 @@
|
|||
__pycache__/
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2020-2021 Alex Kotov
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
iptables__state: install
|
||||
iptables__drop_by_default: false
|
||||
iptables__allow_output_ifaces: []
|
||||
iptables__v4_filter_prepend: null
|
||||
iptables__v4_filter_append: null
|
||||
iptables__v6_filter_prepend: null
|
||||
iptables__v6_filter_append: null
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: Load iptables rules for IPv4
|
||||
shell: 'cat {{ iptables__conf_ipv4 }} | iptables-restore'
|
||||
|
||||
- name: Load iptables rules for IPv6
|
||||
shell: 'cat {{ iptables__conf_ipv6 }} | ip6tables-restore'
|
||||
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
allow_duplicates: false
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
role_name: iptables
|
||||
author: Alex Kotov
|
||||
description: Common configuration
|
||||
license: MIT
|
||||
min_ansible_version: 2.8
|
||||
|
||||
galaxy_tags:
|
||||
- iptables
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- stretch # Debian 9 Stretch
|
||||
- buster # Debian 10 Buster
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- xenial # Ubuntu 16.04 LTS Xenial Xerus
|
||||
- bionic # Ubuntu 18.04 LTS Bionic Beaver
|
||||
- focal # Ubuntu 20.04 LTS Focal Fossa
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
---
|
||||
- name: Install iptables-persistent
|
||||
apt:
|
||||
name: iptables-persistent
|
||||
|
||||
- name: Create directory for iptables configuration
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ iptables__conf_dir }}'
|
||||
mode: 'u=rwx,go=rx'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install iptables rules for IPv4
|
||||
template:
|
||||
src: templates/rules.v4
|
||||
dest: '{{ iptables__conf_ipv4 }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Load iptables rules for IPv4
|
||||
|
||||
- name: Install iptables rules for IPv6
|
||||
template:
|
||||
src: templates/rules.v6
|
||||
dest: '{{ iptables__conf_ipv6 }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
notify: Load iptables rules for IPv6
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- fail:
|
||||
msg: 'Invalid `iptables__state`: {{ iptables__state }}'
|
||||
when: (iptables__state != None) and
|
||||
(iptables__state != 'purge') and
|
||||
(iptables__state != 'remove') and
|
||||
(iptables__state != 'install')
|
||||
- include_tasks: purge.yml
|
||||
when: iptables__state == 'purge'
|
||||
- include_tasks: remove.yml
|
||||
when: iptables__state == 'remove'
|
||||
- include_tasks: install.yml
|
||||
when: iptables__state == 'install'
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
- name: Purge iptables-persistent
|
||||
apt:
|
||||
state: absent
|
||||
purge: true
|
||||
name:
|
||||
- iptables-persistent
|
||||
- netfilter-persistent
|
||||
|
||||
- name: Delete iptables-persistent configuration
|
||||
file:
|
||||
state: absent
|
||||
path: '{{ iptables__conf_dir }}'
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: Uninstall iptables-persistent
|
||||
apt:
|
||||
state: absent
|
||||
purge: false
|
||||
name:
|
||||
- iptables-persistent
|
||||
- netfilter-persistent
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
########
|
||||
*filter
|
||||
########
|
||||
|
||||
:INPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
|
||||
# Remove all rules from all chains,
|
||||
# delete all user-defined chains.
|
||||
-F
|
||||
-X
|
||||
|
||||
{{ iptables__v4_filter_prepend }}
|
||||
|
||||
# Allow all loopback (lo) traffic and reject anything
|
||||
# to localhost that does not originate from lo.
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Allow all outgoing traffic.
|
||||
{% if iptables__allow_output_ifaces %}
|
||||
{% for iface in iptables__allow_output_ifaces %}
|
||||
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
# Allow some important ICMP.
|
||||
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
|
||||
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
-A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
|
||||
|
||||
# Deny other ICMP.
|
||||
-A INPUT -p icmp -j DROP
|
||||
-A OUTPUT -p icmp -j DROP
|
||||
|
||||
# Allow incoming SSH.
|
||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
{{ iptables__v4_filter_append }}
|
||||
|
||||
COMMIT
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
########
|
||||
*filter
|
||||
########
|
||||
|
||||
:INPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT {{ 'DROP' if iptables__drop_by_default else 'ACCEPT' }} [0:0]
|
||||
|
||||
# Remove all rules from all chains,
|
||||
# delete all user-defined chains.
|
||||
-F
|
||||
-X
|
||||
|
||||
{{ iptables__v6_filter_prepend }}
|
||||
|
||||
# Allow all loopback (lo) traffic and reject anything
|
||||
# to localhost that does not originate from lo.
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT ! -i lo -s ::/128 -j REJECT
|
||||
-A OUTPUT -o lo -j ACCEPT
|
||||
|
||||
# Allow all outgoing traffic.
|
||||
{% if iptables__allow_output_ifaces %}
|
||||
{% for iface in iptables__allow_output_ifaces %}
|
||||
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
# Allow some important ICMP.
|
||||
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
|
||||
# TODO: maybe it's better to only allow these inside private network?
|
||||
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type neighbour-advertisement -j ACCEPT
|
||||
-A INPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
|
||||
-A OUTPUT -p icmpv6 --icmpv6-type redirect -j ACCEPT
|
||||
|
||||
# Deny other ICMPv6.
|
||||
-A INPUT -p icmpv6 -j DROP
|
||||
-A OUTPUT -p icmpv6 -j DROP
|
||||
|
||||
# Allow incoming SSH.
|
||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||
|
||||
{{ iptables__v6_filter_append }}
|
||||
|
||||
COMMIT
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
iptables__conf_dir: '/etc/iptables'
|
||||
iptables__conf_ipv4: '{{ iptables__conf_dir }}/rules.v4'
|
||||
iptables__conf_ipv6: '{{ iptables__conf_dir }}/rules.v6'
|
||||
Loading…
Reference in New Issue