initial commit
This commit is contained in:
parent
dd913c04bc
commit
3529250298
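--- a/files/firewall.service
+++ b/files/firewall.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Firewall
+After=network.target
+
+[Service]
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/firewall start
+ExecStartPost=/bin/systemctl restart fail2ban.service
+ExecReload=/usr/local/bin/firewall reload
+ExecStop=/usr/local/bin/firewall stop
+User=root
+
+[Install]
+WantedBy=multi-user.target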
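Review bot: `ExecReload=/usr/local/bin/firewall reload` points at a verb the templated script does not implement — its `case` only handles `start|stop|restart|force-reload|status` and the usage branch exits 1 — so `systemctl reload firewall` will always fail; either change it to `ExecReload=/usr/local/bin/firewall restart` or add a `reload` arm to templates/firewall.j2. The unit also omits `Type=`, so under the default `simple` type `ExecStartPost` (the fail2ban restart) is launched as soon as the script is forked rather than after it returns, which means fail2ban may re-insert its chains while the `start` arm is still setting policies and REJECT rules; `Type=oneshot` together with the existing `RemainAfterExit=yes` makes ExecStartPost wait for ExecStart to complete. `User=root` is the default and can be dropped.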
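--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart firewall
+  systemd_service:
+    name: postfix
+    state: restarted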
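Review bot: The `restart firewall` handler restarts `postfix` rather than `firewall` (`name: postfix` under `systemd_service:`), so the notifications from the copy/template tasks in tasks/install.yml never reload the firewall rules; change it to `name: firewall`. Because this role installs the unit file itself, the handler should also pass `daemon_reload: yes` so systemd re-reads /lib/systemd/system/firewall.service before restarting it.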
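--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,35 @@
+---
+- name: firewall | apt update cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400 #One day
+
+- name: firewall | install iptables packages
+  apt:
+    name:
+      - iptables
+    state: present
+
+- name: firewall | copy script
+  template:
+    src: "firewall.j2"
+    dest: "/usr/local/bin/firewall"
+    mode: "0755"
+    force: yes
+  notify:
+    - restart firewall
+
+- name: firewall | copy systemd unit file
+  copy:
+    src: "firewall.service"
+    dest: "/lib/systemd/system/firewall.service"
+    mode: "0644"
+    force: yes
+  notify:
+    - restart firewall
+
+- name: fireall | enable on boot
+  systemd:
+    name: firewall
+    enabled: yes
+    masked: no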
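Review bot: The `enable on boot` task installs a new unit under /lib/systemd/system but never asks systemd to re-read it; add `daemon_reload: yes` to the `systemd:` task (and `state: started` if the role is expected to leave the firewall running), otherwise on a fresh host the task enables a unit systemd has not loaded yet. The task name `fireall | enable on boot` is misspelled (`firewall`). The `apt update cache` task duplicates tasks/requirements.yml, which tasks/main.yml already includes first, so it can be dropped here.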
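--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,6 @@
+---
+- name: requirements
+  include_tasks: requirements.yml
+
+- name: install
+  include_tasks: install.yml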
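--- a/tasks/requirements.yml
+++ b/tasks/requirements.yml
@@ -0,0 +1,5 @@
+---
+- name: firewall | apt update cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400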
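--- a/templates/firewall.j2
+++ b/templates/firewall.j2
@@ -0,0 +1,166 @@
+#!/bin/sh
+#
+# firewall script
+# <ludovic.cartier@brainsys.io>
+#
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+IPT4=/sbin/iptables
+IPT6=/sbin/ip6tables
+NAME=firewall
+DESC="packet filter"
+
+PUBIF="{{ ansible_default_ipv4.interface }}"
+#PRIVATEIF=eth1
+
+case "$1" in
+  start)
+    echo -n "Initializing $DESC. \n"
+    ### IPv4 ###
+    echo " \033[33mIPv4 : \033[0m"
+    # DROP all incomming traffic
+    $IPT4 -P INPUT DROP
+    $IPT4 -P OUTPUT DROP
+    $IPT4 -P FORWARD DROP
+    echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"
+
+    # Unlimited access to loopback
+    $IPT4 -A INPUT -j ACCEPT -i lo
+    $IPT4 -A OUTPUT -j ACCEPT -o lo
+    echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+    # Allow full outgoing connection but no incomming stuff
+    $IPT4 -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+    $IPT4 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+    echo " * Don't break IPv4 established connections : \033[32m[OK] \033[0m"
+
+    # Allow incoming ICMP ping pong stuff
+    $IPT4 -A INPUT -j ACCEPT -p icmp --icmp-type echo-request
+    $IPT4 -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-reply
+    echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+    ## Protection rules
+    # SMURF attack protection
+    $IPT4 -A INPUT -p icmp -j DROP
+    $IPT4 -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT
+    # Drop excessive RST packets to avoid smurf attacks
+    $IPT4 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+    echo " * IPv4 protection rules : \033[32m[OK] \033[0m"
+
+    # Admin chain
+    $IPT4 -N ADMIN
+    $IPT4 -A ADMIN -s 51.158.69.165/32 -j ACCEPT -m comment --comment "monit.brainsys.io"
+    $IPT4 -A ADMIN -s 82.66.138.56/32 -j ACCEPT -m comment --comment "wireguard.brainsys.io"
+    echo " * Creating admin chain : \033[32m[OK] \033[0m"
+
+    # Custom rules
+    $IPT4 -A INPUT -j ADMIN -p udp --dport 51820 --syn -m comment --comment "admin - IPv4 wireguard"
+    #$IPT4 -A INPUT -j ADMIN -p tcp --dport 22 --syn -m comment --comment "admin - IPv4 ssh"
+    $IPT4 -A INPUT -j ADMIN -p tcp --dport 873 --syn -m comment --comment "admin - IPv4 rsync"
+    $IPT4 -A INPUT -j ADMIN -p tcp --dport 5666 --syn -m comment --comment "admin - IPv4 nrpe"
+    $IPT4 -A INPUT -j ADMIN -p tcp --dport 4949 --syn -m comment --comment "admin - IPv4 munin-node"
+    $IPT4 -A INPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "IPv4 ssh"
+    $IPT4 -A INPUT -j ACCEPT -p tcp --dport 80 -m comment --comment "IPv4 http"
+    $IPT4 -A INPUT -j ACCEPT -p tcp --dport 443 -m comment --comment "IPv4 https"
+    echo " * Custom IPv4 rules : \033[32m[OK] \033[0m"
+
+    # REJECT everything else
+    $IPT4 -A INPUT -j REJECT --reject-with tcp-reset -p tcp
+    $IPT4 -A INPUT -j REJECT -p udp
+    echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+    ### IPv6 ###
+    echo " \033[33mIPv6 : \033[0m"
+    # DROP all incomming traffic
+    $IPT6 -P INPUT DROP
+    $IPT6 -P OUTPUT DROP
+    $IPT6 -P FORWARD DROP
+    echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"
+
+    # Unlimited access to loopback
+    $IPT6 -A INPUT -j ACCEPT -i lo
+    $IPT6 -A OUTPUT -j ACCEPT -o lo
+    echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+    # Allow full outgoing connection but no incomming stuff
+    $IPT6 -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
+    $IPT6 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+    echo " * Don't break IPv6 established connections : \033[32m[OK] \033[0m"
+
+    # Allow incoming ICMP ping pong stuff
+    #$IPT6 -A INPUT -j ACCEPT -p icmpv6 --icmpv6-type echo-request
+    #$IPT6 -A OUTPUT -j ACCEPT -p icmpv6 --icmpv6-type echo-reply
+    $IPT6 -A INPUT -j ACCEPT -p icmpv6
+    $IPT6 -A OUTPUT -j ACCEPT -p icmpv6
+    echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+    ## Protection rules
+    # SMURF attack protection
+    $IPT6 -A INPUT -p icmpv6 -j DROP
+    $IPT6 -A INPUT -p icmpv6 -m limit --limit 2/second -j ACCEPT
+    # Drop excessive RST packets to avoid smurf attacks
+    $IPT6 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+    echo " * IPv6 protection rules : \033[32m[OK] \033[0m"
+
+    # Custom rules
+    $IPT6 -A INPUT -j ACCEPT -p tcp --dport 80 --syn -m comment --comment "IPv6 http"
+    $IPT6 -A INPUT -j ACCEPT -p tcp --dport 443 --syn -m comment --comment "IPv6 https"
+    #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 22 -m comment --comment "IPv6 ssh"
+    #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 25 -m comment --comment "IPv6 smtp"
+    echo " * Custom IPv6 rules : \033[32m[OK] \033[0m"
+
+    # REJECT everything else
+    $IPT6 -A INPUT -j REJECT --reject-with tcp-reset -p tcp
+    $IPT6 -A INPUT -j REJECT -p udp
+    echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+    # Log everything else
+    #$IPT6 -A INPUT -i $PUBIF -j LOG --log-prefix "Firewall IPv6 : "
+    ;;
+
+  stop)
+    echo -n "Resetting $DESC. \n"
+    ### IPv4 ###
+    $IPT4 -F
+    $IPT4 -X
+    $IPT4 -P FORWARD ACCEPT
+    $IPT4 -P INPUT ACCEPT
+    $IPT4 -P OUTPUT ACCEPT
+    $IPT4 -t nat -F
+    $IPT4 -t nat -X
+    $IPT4 -t mangle -F
+    $IPT4 -t mangle -X
+    echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"
+
+    ### IPv6 ###
+    $IPT6 -F
+    $IPT6 -X
+    $IPT6 -P FORWARD ACCEPT
+    $IPT6 -P INPUT ACCEPT
+    $IPT6 -P OUTPUT ACCEPT
+    $IPT6 -t mangle -F
+    $IPT6 -t mangle -X
+    echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
+    echo
+    ;;
+
+  restart|force-reload)
+    $0 stop
+    $0 start
+    ;;
+
+  status)
+    echo "\033[33mIPv4 chains and rules : \033[0m"
+    $IPT4 -L -n -v
+    echo
+    echo "\033[33mIPv6 chains and rules : \033[0m"
+    $IPT6 -L -n -v
+    ;;
+
+  *)
+    echo "Usage: firewall {start|stop|restart|force-reload|status}" >&2
+    exit 1
+    ;;
+esac
+
+exit 0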
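Review bot: The wireguard rule `$IPT4 -A INPUT -j ADMIN -p udp --dport 51820 --syn -m comment --comment "admin - IPv4 wireguard"` will be refused by iptables, because `--syn` belongs to the tcp match and is not valid with `-p udp`; the script runs under plain `/bin/sh` with no `set -e`, so the failure only shows as an error line and the admin wireguard port simply stays closed — drop the flag: `$IPT4 -A INPUT -j ADMIN -p udp --dport 51820 -m comment --comment "admin - IPv4 wireguard"`. In the "SMURF attack protection" block `-p icmp -j DROP` is appended before the `-m limit ... -j ACCEPT` rule, so the rate-limited accept is unreachable (the same order is repeated for icmpv6, where the earlier unconditional `-p icmpv6 -j ACCEPT` already makes both rules dead); put the limit rule first if rate limiting is the intent. `start` also never flushes before appending and `-N ADMIN` fails once the chain exists, so running `start` while rules are already loaded accumulates duplicate rules; flushing at the top of `start` (or bailing out when ADMIN exists) would make it idempotent. Note that `stop` sets every policy to ACCEPT and `restart` runs `stop` then `start`, so each restart has a short window with the host fully open.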