diff --git a/files/firewall.service b/files/firewall.service
new file mode 100644
index 0000000..3e345cc
--- /dev/null
+++ b/files/firewall.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Firewall
+After=network.target
+
+[Service]
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/firewall start
+ExecStartPost=/bin/systemctl restart fail2ban.service
+ExecReload=/usr/local/bin/firewall reload
+ExecStop=/usr/local/bin/firewall stop
+User=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..aa56a8d
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart firewall
+ systemd_service:
+ name: postfix
+ state: restarted
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..4610749
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,35 @@
+---
+- name: firewall | apt update cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400 #One day
+
+- name: firewall | install iptables packages
+ apt:
+ name:
+ - iptables
+ state: present
+
+- name: firewall | copy script
+ template:
+ src: "firewall.j2"
+ dest: "/usr/local/bin/firewall"
+ mode: "0755"
+ force: yes
+ notify:
+ - restart firewall
+
+- name: firewall | copy systemd unit file
+ copy:
+ src: "firewall.service"
+ dest: "/lib/systemd/system/firewall.service"
+ mode: "0644"
+ force: yes
+ notify:
+ - restart firewall
+
+- name: fireall | enable on boot
+ systemd:
+ name: firewall
+ enabled: yes
+ masked: no
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..e068007
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: requirements
+ include_tasks: requirements.yml
+
+- name: install
+ include_tasks: install.yml
diff --git a/tasks/requirements.yml b/tasks/requirements.yml
new file mode 100644
index 0000000..7a3a085
--- /dev/null
+++ b/tasks/requirements.yml
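Review bot: `ExecReload=/usr/local/bin/firewall reload` calls a subcommand the shipped script does not handle — its case statement accepts only start|stop|restart|force-reload|status — so `systemctl reload firewall` lands in the usage branch and fails with exit 1; either point ExecReload at `force-reload` or add a `reload` arm to the script. With no `Type=` the unit defaults to `simple`, so systemd considers the service started as soon as the script is forked, and the `ExecStartPost` restart of fail2ban (plus anything ordered `After=firewall.service`) can run before the rules are actually loaded; `Type=oneshot` together with the existing `RemainAfterExit=yes` makes ExecStart complete first and turns a failing script into a failed unit. The fail2ban restart also assumes fail2ban is present on every host this role targets, which nothing in the role installs or checks — `ExecStartPost=-/bin/systemctl restart fail2ban.service` (leading `-`) keeps the firewall from being marked failed on hosts without it, if that is the intent.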
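Review bot: The `restart firewall` handler restarts `name: postfix`, not the unit that `tasks/install.yml` notifies it for, so script or unit-file changes never take effect and an unrelated service is bounced on every change; it should be `name: firewall`, matching the installed `firewall.service`. Because the same play copies the unit file into place, the handler should also refresh systemd's unit cache before restarting — `daemon_reload: yes` — otherwise a freshly installed unit may not be found on the first run.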
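Review bot: The `enable on boot` task runs `systemd` against a unit file that the previous task has only just copied, without `daemon_reload: yes`, so on a first run systemd may not know `firewall.service` yet and the task fails; add `daemon_reload: yes` to that task (and fix the `fireall` typo in its name). The unit is installed under `/lib/systemd/system`, which is the packaging directory; a role-managed unit belongs in `/etc/systemd/system` so a package cannot overwrite it and it does not silently shadow a vendor unit of the same name. The `apt update cache` task here duplicates the one in `tasks/requirements.yml`, which `tasks/main.yml` already includes first, so it can be dropped from this file.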
@@ -0,0 +1,5 @@
+---
+- name: firewall | apt update cache
+ apt:
+ update_cache: yes
+ cache_valid_time: 86400
diff --git a/templates/firewall.j2 b/templates/firewall.j2
new file mode 100644
index 0000000..7b922d9
--- /dev/null
+++ b/templates/firewall.j2
@@ -0,0 +1,166 @@
+#!/bin/sh
+#
+# firewall script
+#
+#
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+IPT4=/sbin/iptables
+IPT6=/sbin/ip6tables
+NAME=firewall
+DESC="packet filter"
+
+PUBIF="{{ ansible_default_ipv4.interface }}"
+#PRIVATEIF=eth1
+
+case "$1" in
+ start)
+ echo -n "Initializing $DESC. \n"
+ ### IPv4 ###
+ echo " \033[33mIPv4 : \033[0m"
+ # DROP all incomming traffic
+ $IPT4 -P INPUT DROP
+ $IPT4 -P OUTPUT DROP
+ $IPT4 -P FORWARD DROP
+ echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"
+
+ # Unlimited access to loopback
+ $IPT4 -A INPUT -j ACCEPT -i lo
+ $IPT4 -A OUTPUT -j ACCEPT -o lo
+ echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+ # Allow full outgoing connection but no incomming stuff
+ $IPT4 -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+ $IPT4 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+ echo " * Don't break IPv4 established connections : \033[32m[OK] \033[0m"
+
+ # Allow incoming ICMP ping pong stuff
+ $IPT4 -A INPUT -j ACCEPT -p icmp --icmp-type echo-request
+ $IPT4 -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-reply
+ echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+ ## Protection rules
+ # SMURF attack protection
+ $IPT4 -A INPUT -p icmp -j DROP
+ $IPT4 -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT
+ # Drop excessive RST packets to avoid smurf attacks
+ $IPT4 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+ echo " * IPv4 protection rules : \033[32m[OK] \033[0m"
+
+ # Admin chain
+ $IPT4 -N ADMIN
+ $IPT4 -A ADMIN -s 51.158.69.165/32 -j ACCEPT -m comment --comment "monit.brainsys.io"
+ $IPT4 -A ADMIN -s 82.66.138.56/32 -j ACCEPT -m comment --comment "wireguard.brainsys.io"
+ echo " * Creating admin chain : \033[32m[OK] \033[0m"
+
+ # Custom rules
+ $IPT4 -A INPUT -j ADMIN -p udp --dport 51820 --syn -m comment --comment "admin - IPv4 wireguard"
+ #$IPT4 -A INPUT -j ADMIN -p tcp --dport 22 --syn -m comment --comment "admin - IPv4 ssh"
+ $IPT4 -A INPUT -j ADMIN -p tcp --dport 873 --syn -m comment --comment "admin - IPv4 rsync"
+ $IPT4 -A INPUT -j ADMIN -p tcp --dport 5666 --syn -m comment --comment "admin - IPv4 nrpe"
+ $IPT4 -A INPUT -j ADMIN -p tcp --dport 4949 --syn -m comment --comment "admin - IPv4 munin-node"
+ $IPT4 -A INPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "IPv4 ssh"
+ $IPT4 -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "IPv4 http"
+ $IPT4 -A INPUT -j ACCEPT -p tcp --dport 443 -m comment --comment "IPv4 https"
+ echo " * Custom IPv4 rules : \033[32m[OK] \033[0m"
+
+ # REJECT everything else
+ $IPT4 -A INPUT -j REJECT --reject-with tcp-reset -p tcp
+ $IPT4 -A INPUT -j REJECT -p udp
+ echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+ ### IPv6 ###
+ echo " \033[33mIPv6 : \033[0m"
+ # DROP all incomming traffic
+ $IPT6 -P INPUT DROP
+ $IPT6 -P OUTPUT DROP
+ $IPT6 -P FORWARD DROP
+ echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"
+
+ # Unlimited access to loopback
+ $IPT6 -A INPUT -j ACCEPT -i lo
+ $IPT6 -A OUTPUT -j ACCEPT -o lo
+ echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+ # Allow full outgoing connection but no incomming stuff
+ $IPT6 -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+ $IPT6 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+ echo " * Don't break IPv6 established connections : \033[32m[OK] \033[0m"
+
+ # Allow incoming ICMP ping pong stuff
+ #$IPT6 -A INPUT -j ACCEPT -p icmpv6 --icmpv6-type echo-request
+ #$IPT6 -A OUTPUT -j ACCEPT -p icmpv6 --icmpv6-type echo-reply
+ $IPT6 -A INPUT -j ACCEPT -p icmpv6
+ $IPT6 -A OUTPUT -j ACCEPT -p icmpv6
+ echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+ ## Protection rules
+ # SMURF attack protection
+ $IPT6 -A INPUT -p icmpv6 -j DROP
+ $IPT6 -A INPUT -p icmpv6 -m limit --limit 2/second -j ACCEPT
+ # Drop excessive RST packets to avoid smurf attacks
+ $IPT6 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+ echo " * IPv6 protection rules : \033[32m[OK] \033[0m"
+
+ # Custom rules
+ $IPT6 -A INPUT -j ACCEPT -p tcp --dport 80 --syn -m comment --comment "IPv6 http"
+ $IPT6 -A INPUT -j ACCEPT -p tcp --dport 443 --syn -m comment --comment "IPv6 https"
+ #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "IPv6 ssh"
+ #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 25 -m comment --comment "IPv6 smtp"
+ echo " * Custom IPv6 rules : \033[32m[OK] \033[0m"
+
+ # REJECT everything else
+ $IPT6 -A INPUT -j REJECT --reject-with tcp-reset -p tcp
+ $IPT6 -A INPUT -j REJECT -p udp
+ echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+ # Log everything else
+ #$IPT6 -A INPUT -i $PUBIF -j LOG --log-prefix "Firewall IPv6 : "
+ ;;
+
+ stop)
+ echo -n "Resetting $DESC. \n"
+ ### IPv4 ###
+ $IPT4 -F
+ $IPT4 -X
+ $IPT4 -P FORWARD ACCEPT
+ $IPT4 -P INPUT ACCEPT
+ $IPT4 -P OUTPUT ACCEPT
+ $IPT4 -t nat -F
+ $IPT4 -t nat -X
+ $IPT4 -t mangle -F
+ $IPT4 -t mangle -X
+ echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"
+
+ ### IPv6 ###
+ $IPT6 -F
+ $IPT6 -X
+ $IPT6 -P FORWARD ACCEPT
+ $IPT6 -P INPUT ACCEPT
+ $IPT6 -P OUTPUT ACCEPT
+ $IPT6 -t mangle -F
+ $IPT6 -t mangle -X
+ echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
+ echo
+ ;;
+
+ restart|force-reload)
+ $0 stop
+ $0 start
+ ;;
+
+ status)
+ echo "\033[33mIPv4 chains and rules : \033[0m"
+ $IPT4 -L -n -v
+ echo
+ echo "\033[33mIPv6 chains and rules : \033[0m"
+ $IPT6 -L -n -v
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|restart|force-reload|status}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
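Review bot: The wireguard rule `$IPT4 -A INPUT -j ADMIN -p udp --dport 51820 --syn ...` combines `--syn`, which belongs to the tcp match, with `-p udp`, so iptables rejects the rule; because the script never checks an exit status and prints "[OK]" unconditionally, that rule is silently missing while `firewall start` still exits 0 and the unit reports success — drop `--syn` from that line and add `set -e` under the shebang so any rule that fails to load fails the unit (note `-N ADMIN` would then also fail on a second `start` without an intervening `stop`, which is the right signal). The `restart|force-reload` arm runs `stop` before `start`, and `stop` sets all policies to ACCEPT and flushes everything before the new rules are built, so every restart — including the one the Ansible handler triggers — leaves the host briefly unfiltered; rendering the ruleset to a file and loading it atomically with `iptables-restore`/`ip6tables-restore` closes that window. In both the IPv4 and IPv6 "SMURF" blocks the `-m limit ... -j ACCEPT` rule follows an unconditional `-p icmp -j DROP` (`-p icmpv6` in the IPv6 block), so the rate-limited accept is unreachable; the intended order is the limited ACCEPT first, then the DROP. Finally, the file is `#!/bin/sh` but relies on `echo -n` plus `\n` and `\033` escapes, whose handling differs between shells; `printf '%s\n' ...` gives the same output everywhere.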