From f4f60a1ff20082b377a9998cd334d21bd58af2c5 Mon Sep 17 00:00:00 2001 From: Nemo Date: Sat, 11 Jul 2020 12:13:33 +0200 Subject: [PATCH] Update iptables roles, including iptables-persistence --- playbook_general_deploy.yml | 2 +- roles/client_iptables/files/iptables | 2 - roles/client_iptables/handlers/main.yml | 8 ++ roles/client_iptables/tasks/boot.yml | 9 -- roles/client_iptables/tasks/iptables.yml | 114 +++++++++++++++++++---- roles/client_iptables/tasks/main.yml | 2 - roles/client_iptables/tasks/package.yml | 8 ++ roles/client_iptables/tasks/save.yml | 3 - 8 files changed, 114 insertions(+), 34 deletions(-) delete mode 100644 roles/client_iptables/files/iptables create mode 100644 roles/client_iptables/handlers/main.yml delete mode 100644 roles/client_iptables/tasks/boot.yml delete mode 100644 roles/client_iptables/tasks/save.yml diff --git a/playbook_general_deploy.yml b/playbook_general_deploy.yml index e77e83e..1f3c89a 100644 --- a/playbook_general_deploy.yml +++ b/playbook_general_deploy.yml @@ -3,7 +3,7 @@ roles: - auto_reboot - auto_upgrade - #- client_iptables # Role not well defined now + - client_iptables # OK for Debian (iptables-persistent mode) - client_ntp - client_resolvers - client_tools diff --git a/roles/client_iptables/files/iptables b/roles/client_iptables/files/iptables deleted file mode 100644 index 7cec65f..0000000 --- a/roles/client_iptables/files/iptables +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -/sbin/iptables-restore < /etc/iptables.up.rules diff --git a/roles/client_iptables/handlers/main.yml b/roles/client_iptables/handlers/main.yml new file mode 100644 index 0000000..adccb28 --- /dev/null +++ b/roles/client_iptables/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: save iptables v4 rules + shell: iptables-save > /etc/iptables/rules.v4 + listen: persist iptables + +- name: save iptables v6 rules + shell: ip6tables-save > /etc/iptables/rules.v6 + listen: persist iptables 
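Review bot: Enabling `client_iptables` for every host of this play is only safe for Debian-family hosts, because the persistence the role now relies on is Debian-only: the `iptables-persistent` task in roles/client_iptables/tasks/package.yml is guarded by `when: ansible_os_family == "Debian"`, but the rule tasks in roles/client_iptables/tasks/iptables.yml are not, and they notify the handlers in roles/client_iptables/handlers/main.yml that redirect into /etc/iptables/, a directory that as far as I know only that package ships. On any other host the handlers would fail on the missing directory at the end of the play, after the DROP policies are already live in the running kernel. Either guard both handlers the same way, `when: ansible_os_family == "Debian"`, or add an `assert` on `ansible_os_family` at the start of the role so unsupported hosts fail before any rule is touched. The same point applies to the handler and package hunks below; noting it once here.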
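Review bot: `shell: iptables-save > /etc/iptables/rules.v4` (and its v6 twin) truncates the rules file before `iptables-save` runs, so if the command fails, for example `ip6tables-save` on a host without IPv6 netfilter support, the task fails but the persisted file has already been emptied and the next boot comes up without these rules. Write to a temporary file and rename only on success, for example `shell: iptables-save > /etc/iptables/rules.v4.tmp && mv /etc/iptables/rules.v4.tmp /etc/iptables/rules.v4` (temporary name constructed here). These handlers also report `changed` on every run because `shell` has no idempotence check; a `changed_when:` based on comparing the new output with the current file would make the play's change summary meaningful.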
diff --git a/roles/client_iptables/tasks/boot.yml b/roles/client_iptables/tasks/boot.yml deleted file mode 100644 index bb15774..0000000 --- a/roles/client_iptables/tasks/boot.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- name: Add load rules at boot - copy: - src: iptables - dest: /etc/network/if-pre-up.d/iptables - owner: root - group: root - mode: 0755 - diff --git a/roles/client_iptables/tasks/iptables.yml b/roles/client_iptables/tasks/iptables.yml index ea8c73c..80991e1 100644 --- a/roles/client_iptables/tasks/iptables.yml +++ b/roles/client_iptables/tasks/iptables.yml 
@@ -1,37 +1,65 @@ --- -- name: Iptables installed - package: - name: "iptables" - state: present - -- name: Allow related and established connections +- name: Allow related and established connections (IPV4) iptables: + ip_version: ipv4 chain: INPUT - ctstate: ESTABLISHED,RELATED + ctstate: RELATED,ESTABLISHED jump: ACCEPT + notify: + - persist iptables -- name: Allow incoming on localhost interface +- name: Allow related and established connections (IPV6) iptables: + ip_version: ipv6 + chain: INPUT + ctstate: RELATED,ESTABLISHED + jump: ACCEPT + notify: + - persist iptables + +- name: Allow incoming on localhost interface (IPV4) + iptables: + ip_version: ipv4 chain: INPUT in_interface: lo jump: ACCEPT + comment: Accept localhost connection. + notify: + - persist iptables -- name: Allow incoming ICMP +- name: Allow incoming on localhost interface (IPV6) iptables: + ip_version: ipv6 + chain: INPUT + in_interface: lo + jump: ACCEPT + comment: Accept localhost connection. + notify: + - persist iptables + +- name: Allow incoming ICMP (IPV4) + iptables: + ip_version: ipv4 chain: INPUT protocol: icmp jump: ACCEPT + comment: Accept ICMP (ping) connection. + notify: + - persist iptables -- name: Allow new incoming connections on TCP port 22 (SSH). +- name: Allow incoming ICMPv6 (IPV6) iptables: + ip_version: ipv6 chain: INPUT - protocol: tcp - destination_port: 22 + protocol: ipv6-icmp jump: ACCEPT - comment: Accept new connections on port "22". + comment: Accept ICMPv6 (ping) connection. + notify: + - persist iptables -- name: Allow new incoming connections on TCP port (dynamic list). +- name: Allow new incoming connections on TCP port (dynamic list) (IPV4) iptables: + ip_version: ipv4 chain: INPUT protocol: tcp destination_port: "{{ item }}" 
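Review bot: The explicit "Allow new incoming connections on TCP port 22 (SSH)" rule is removed in this hunk while the INPUT policy is still set to DROP at the end of the file, so after this commit remote access depends entirely on `tcp_authorized_ports` containing the management port; on a host where that variable is undefined or empty the `when:` guard on the dynamic port task skips it and the host is left accepting only lo, ICMP and established traffic. The running Ansible session survives through the RELATED,ESTABLISHED rule, so the lockout only shows on the next connection attempt. Keep a safe default, e.g. `tcp_authorized_ports: [22]` in the role defaults, or restore an explicit SSH rule. The last task in the hunk, "Allow new incoming connections on TCP port (dynamic list) (IPV4)", continues in the next hunk.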
@@ -39,22 +67,74 @@ comment: Accept new connections on port "{{ item }}". loop: "{{ tcp_authorized_ports }}" when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0) + notify: + - persist iptables -- name: Allow new incoming connections from specific IP (dynamic list). +- name: Allow new incoming connections on TCP port (dynamic list) (IPV6) iptables: + ip_version: ipv6 + chain: INPUT + protocol: tcp + destination_port: "{{ item }}" + jump: ACCEPT + comment: Accept new connections on port "{{ item }}". + loop: "{{ tcp_authorized_ports }}" + when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0) + notify: + - persist iptables + +- name: Allow new incoming connections from specific IP (dynamic list) (IPV4) + iptables: + ip_version: ipv4 chain: INPUT source: "{{ item }}" jump: ACCEPT comment: Accept new connections from IP "{{ item }}". loop: "{{ ip_authorized }}" when: ip_authorized is defined and (ip_authorized|length>0) + notify: + - persist iptables -- name: Set the policy for the FORWARD chain to DROP +- name: Allow new incoming connections from specific IP (dynamic list) (IPV6) iptables: + ip_version: ipv6 + chain: INPUT + source: "{{ item }}" + jump: ACCEPT + comment: Accept new connections from IP "{{ item }}". 
+ loop: "{{ ip_authorized }}" + when: ip_authorized is defined and (ip_authorized|length>0) + notify: + - persist iptables + +- name: Set the policy for the FORWARD chain to DROP (IPV4) + iptables: + ip_version: ipv4 chain: FORWARD policy: DROP + notify: + - persist iptables -- name: Set the policy for the INPUT chain to DROP +- name: Set the policy for the FORWARD chain to DROP (IPV6) iptables: + ip_version: ipv6 + chain: FORWARD + policy: DROP + notify: + - persist iptables + +- name: Set the policy for the INPUT chain to DROP (IPV4) + iptables: + ip_version: ipv4 chain: INPUT policy: DROP + notify: + - persist iptables + +- name: Set the policy for the INPUT chain to DROP (IPV6) + iptables: + ip_version: ipv6 + chain: INPUT + policy: DROP + notify: + - persist iptables diff --git a/roles/client_iptables/tasks/main.yml b/roles/client_iptables/tasks/main.yml index eb9e708..d8f044e 100644 --- a/roles/client_iptables/tasks/main.yml +++ b/roles/client_iptables/tasks/main.yml @@ -3,5 +3,3 @@ - import_tasks: package.yml - import_tasks: iptables.yml -- import_tasks: save.yml -- import_tasks: boot.yml diff --git a/roles/client_iptables/tasks/package.yml b/roles/client_iptables/tasks/package.yml index cb0fda2..a1a7b2a 100644 --- a/roles/client_iptables/tasks/package.yml +++ b/roles/client_iptables/tasks/package.yml @@ -3,3 +3,11 @@ package: name: "iptables" state: present + +- name: iptables-persistent installed + package: + name: "iptables-persistent" + state: present + when: ansible_os_family == "Debian" + notify: + - persist iptables diff --git a/roles/client_iptables/tasks/save.yml b/roles/client_iptables/tasks/save.yml deleted file mode 100644 index 50687c3..0000000 --- a/roles/client_iptables/tasks/save.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -- name: Save iptables rules - shell: iptables-save > /etc/iptables.up.rules
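Review bot: The IPv6 "Allow new incoming connections from specific IP" task loops over the same `ip_authorized` list as its IPv4 counterpart earlier in this hunk, but `ip6tables` rejects an IPv4 source address and `iptables` rejects an IPv6 one, so for any literal address in the list exactly one of the two tasks fails, and a failed task stops the play before the handlers persist anything. Split the list per address family, e.g. `loop: "{{ ip_authorized | ipv6 }}"` on the IPv6 task and `| ipv4` on the IPv4 task (these filters need `netaddr` on the controller), or introduce a separate variable for IPv6 sources. Reusing `tcp_authorized_ports` for both families is fine since ports are family-independent. The IPv4 task at the top of this hunk starts in the previous hunk.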