Update iptables roles, including iptables-persistence

This commit is contained in:
Nemo 2020-07-11 12:13:33 +02:00
parent 16eae4c919
commit f4f60a1ff2
8 changed files with 114 additions and 34 deletions

View file

@ -3,7 +3,7 @@
roles: roles:
- auto_reboot - auto_reboot
- auto_upgrade - auto_upgrade
#- client_iptables # Role not well defined now - client_iptables # OK for Debian (iptables-persistent mode)
- client_ntp - client_ntp
- client_resolvers - client_resolvers
- client_tools - client_tools

View file

@ -1,2 +0,0 @@
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

View file

@ -0,0 +1,8 @@
---
- name: save iptables v4 rules
shell: iptables-save > /etc/iptables/rules.v4
listen: persist iptables
- name: save iptables v6 rules
shell: ip6tables-save > /etc/iptables/rules.v6
listen: persist iptables

View file

@ -1,9 +0,0 @@
---
- name: Add load rules at boot
copy:
src: iptables
dest: /etc/network/if-pre-up.d/iptables
owner: root
group: root
mode: 0755

View file

@ -1,37 +1,65 @@
--- ---
- name: Iptables installed - name: Allow related and established connections (IPV4)
package:
name: "iptables"
state: present
- name: Allow related and established connections
iptables: iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
ctstate: ESTABLISHED,RELATED ctstate: RELATED,ESTABLISHED
jump: ACCEPT jump: ACCEPT
notify:
- persist iptables
- name: Allow incoming on localhost interface - name: Allow related and established connections (IPV6)
iptables: iptables:
ip_version: ipv6
chain: INPUT
ctstate: RELATED,ESTABLISHED
jump: ACCEPT
notify:
- persist iptables
- name: Allow incoming on localhost interface (IPV4)
iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
in_interface: lo in_interface: lo
jump: ACCEPT jump: ACCEPT
comment: Accept localhost connection.
notify:
- persist iptables
- name: Allow incoming ICMP - name: Allow incoming on localhost interface (IPV6)
iptables: iptables:
ip_version: ipv6
chain: INPUT
in_interface: lo
jump: ACCEPT
comment: Accept localhost connection.
notify:
- persist iptables
- name: Allow incoming ICMP (IPV4)
iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
protocol: icmp protocol: icmp
jump: ACCEPT jump: ACCEPT
comment: Accept ICMP (ping) connection.
notify:
- persist iptables
- name: Allow new incoming connections on TCP port 22 (SSH). - name: Allow incoming ICMPv6 (IPV6)
iptables: iptables:
ip_version: ipv6
chain: INPUT chain: INPUT
protocol: tcp protocol: ipv6-icmp
destination_port: 22
jump: ACCEPT jump: ACCEPT
comment: Accept new connections on port "22". comment: Accept ICMPv6 (ping) connection.
notify:
- persist iptables
- name: Allow new incoming connections on TCP port (dynamic list). - name: Allow new incoming connections on TCP port (dynamic list) (IPV4)
iptables: iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
protocol: tcp protocol: tcp
destination_port: "{{ item }}" destination_port: "{{ item }}"
@ -39,22 +67,74 @@
comment: Accept new connections on port "{{ item }}". comment: Accept new connections on port "{{ item }}".
loop: "{{ tcp_authorized_ports }}" loop: "{{ tcp_authorized_ports }}"
when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0) when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
notify:
- persist iptables
- name: Allow new incoming connections from specific IP (dynamic list). - name: Allow new incoming connections on TCP port (dynamic list) (IPV6)
iptables: iptables:
ip_version: ipv6
chain: INPUT
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
comment: Accept new connections on port "{{ item }}".
loop: "{{ tcp_authorized_ports }}"
when: tcp_authorized_ports is defined and (tcp_authorized_ports|length>0)
notify:
- persist iptables
- name: Allow new incoming connections from specific IP (dynamic list) (IPV4)
iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
source: "{{ item }}" source: "{{ item }}"
jump: ACCEPT jump: ACCEPT
comment: Accept new connections from IP "{{ item }}". comment: Accept new connections from IP "{{ item }}".
loop: "{{ ip_authorized }}" loop: "{{ ip_authorized }}"
when: ip_authorized is defined and (ip_authorized|length>0) when: ip_authorized is defined and (ip_authorized|length>0)
notify:
- persist iptables
- name: Set the policy for the FORWARD chain to DROP - name: Allow new incoming connections from specific IP (dynamic list) (IPV6)
iptables: iptables:
ip_version: ipv6
chain: INPUT
source: "{{ item }}"
jump: ACCEPT
comment: Accept new connections from IP "{{ item }}".
loop: "{{ ip_authorized }}"
when: ip_authorized is defined and (ip_authorized|length>0)
notify:
- persist iptables
- name: Set the policy for the FORWARD chain to DROP (IPV4)
iptables:
ip_version: ipv4
chain: FORWARD chain: FORWARD
policy: DROP policy: DROP
notify:
- persist iptables
- name: Set the policy for the INPUT chain to DROP - name: Set the policy for the FORWARD chain to DROP (IPV6)
iptables: iptables:
ip_version: ipv6
chain: FORWARD
policy: DROP
notify:
- persist iptables
- name: Set the policy for the INPUT chain to DROP (IPV4)
iptables:
ip_version: ipv4
chain: INPUT chain: INPUT
policy: DROP policy: DROP
notify:
- persist iptables
- name: Set the policy for the INPUT chain to DROP (IPV6)
iptables:
ip_version: ipv6
chain: INPUT
policy: DROP
notify:
- persist iptables

View file

@ -3,5 +3,3 @@
- import_tasks: package.yml - import_tasks: package.yml
- import_tasks: iptables.yml - import_tasks: iptables.yml
- import_tasks: save.yml
- import_tasks: boot.yml

View file

@ -3,3 +3,11 @@
package: package:
name: "iptables" name: "iptables"
state: present state: present
- name: iptables-persistent installed
package:
name: "iptables-persistent"
state: present
when: ansible_os_family == "Debian"
notify:
- persist iptables

View file

@ -1,3 +0,0 @@
---
- name: Save iptables rules
shell: iptables-save > /etc/iptables.up.rules