initial commit

files/firewall.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Firewall
+After=network.target
+
+[Service]
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/firewall start
+ExecStartPost=/bin/systemctl restart fail2ban.service
+ExecReload=/usr/local/bin/firewall reload
+ExecStop=/usr/local/bin/firewall stop
+User=root
+
+[Install]
+WantedBy=multi-user.target

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart firewall
+  systemd_service: 
+    name: postfix 
+    state: restarted

tasks/install.yml

@@ -0,0 +1,35 @@
+---
+- name: firewall | apt update cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400 #One day
+
+- name: firewall | install iptables packages
+  apt:
+    name:
+      - iptables
+    state: present
+
+- name: firewall | copy script
+  template:
+    src: "firewall.j2"
+    dest: "/usr/local/bin/firewall"
+    mode: "0755"
+    force: yes
+  notify:
+    - restart firewall
+
+- name: firewall | copy systemd unit file
+  copy:
+    src: "firewall.service"
+    dest: "/lib/systemd/system/firewall.service"
+    mode: "0644"
+    force: yes
+  notify:
+    - restart firewall
+
+- name: fireall | enable on boot
+  systemd: 
+    name: firewall
+    enabled: yes
+    masked: no

tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: requirements
+  include_tasks: requirements.yml
+
+- name: install
+  include_tasks: install.yml

tasks/requirements.yml

@@ -0,0 +1,5 @@
+---
+- name: firewall | apt update cache
+  apt:
+    update_cache: yes
+    cache_valid_time: 86400

templates/firewall.j2

@@ -0,0 +1,166 @@
+#!/bin/sh
+# 
+# firewall script
+# <ludovic.cartier@brainsys.io>
+#
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+IPT4=/sbin/iptables
+IPT6=/sbin/ip6tables
+NAME=firewall
+DESC="packet filter"
+
+PUBIF="{{ ansible_default_ipv4.interface }}"
+#PRIVATEIF=eth1
+
+case "$1" in
+  start)
+        echo -n "Initializing $DESC. \n"
+	### IPv4 ###
+	echo " \033[33mIPv4 : \033[0m"
+	# DROP all incomming traffic
+        $IPT4 -P INPUT DROP
+	$IPT4 -P OUTPUT DROP
+	$IPT4 -P FORWARD DROP
+	echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"
+
+	# Unlimited access to loopback
+        $IPT4 -A INPUT  -j ACCEPT -i lo
+        $IPT4 -A OUTPUT -j ACCEPT -o lo
+	echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+	# Allow full outgoing connection but no incomming stuff
+        $IPT4 -A INPUT  -j ACCEPT -m state --state ESTABLISHED,RELATED
+	$IPT4 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+	echo " * Don't break IPv4 established connections : \033[32m[OK] \033[0m"
+
+	# Allow incoming ICMP ping pong stuff
+        $IPT4 -A INPUT  -j ACCEPT -p icmp --icmp-type echo-request
+        $IPT4 -A OUTPUT -j ACCEPT -p icmp --icmp-type echo-reply
+        echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+	## Protection rules
+	# SMURF attack protection
+	$IPT4 -A INPUT -p icmp -j DROP
+	$IPT4 -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT
+	# Drop excessive RST packets to avoid smurf attacks
+	$IPT4 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+	echo " * IPv4 protection rules : \033[32m[OK] \033[0m"
+
+        # Admin chain
+        $IPT4 -N ADMIN
+        $IPT4 -A ADMIN -s 51.158.69.165/32 -j ACCEPT -m comment --comment "monit.brainsys.io"
+        $IPT4 -A ADMIN -s 82.66.138.56/32  -j ACCEPT -m comment --comment "wireguard.brainsys.io"
+        echo " * Creating admin chain : \033[32m[OK] \033[0m"
+
+	# Custom rules
+        $IPT4 -A INPUT  -j ADMIN  -p udp --dport 51820 --syn -m comment --comment "admin - IPv4 wireguard"
+        #$IPT4 -A INPUT  -j ADMIN  -p tcp --dport 22    --syn -m comment --comment "admin - IPv4 ssh"
+        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 873   --syn -m comment --comment "admin - IPv4 rsync"
+        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 5666  --syn -m comment --comment "admin - IPv4 nrpe"
+        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 4949  --syn -m comment --comment "admin - IPv4 munin-node"
+        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 22 	     -m comment --comment "IPv4 ssh"
+        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 80 	     -m comment --comment "IPv4 http"
+        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 443 	     -m comment --comment "IPv4 https"
+	echo " * Custom IPv4 rules : \033[32m[OK] \033[0m"
+
+	# REJECT everything else
+        $IPT4 -A INPUT  -j REJECT --reject-with tcp-reset -p tcp
+        $IPT4 -A INPUT  -j REJECT -p udp
+	echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+	### IPv6 ###
+	echo " \033[33mIPv6 : \033[0m"
+	# DROP all incomming traffic
+	$IPT6 -P INPUT DROP
+	$IPT6 -P OUTPUT DROP
+	$IPT6 -P FORWARD DROP
+        echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"
+
+        # Unlimited access to loopback
+        $IPT6 -A INPUT  -j ACCEPT -i lo
+        $IPT6 -A OUTPUT -j ACCEPT -o lo
+        echo " * Accept all loopback connections : \033[32m[OK] \033[0m"
+
+        # Allow full outgoing connection but no incomming stuff
+        $IPT6 -A INPUT  -j ACCEPT -m state --state ESTABLISHED,RELATED
+        $IPT6 -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -m comment --comment "Authorize all established output access"
+        echo " * Don't break IPv6 established connections : \033[32m[OK] \033[0m"
+
+        # Allow incoming ICMP ping pong stuff
+        #$IPT6 -A INPUT  -j ACCEPT -p icmpv6 --icmpv6-type echo-request
+        #$IPT6 -A OUTPUT -j ACCEPT -p icmpv6 --icmpv6-type echo-reply
+        $IPT6 -A INPUT  -j ACCEPT -p icmpv6
+        $IPT6 -A OUTPUT -j ACCEPT -p icmpv6
+        echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
+
+        ## Protection rules
+        # SMURF attack protection
+        $IPT6 -A INPUT -p icmpv6 -j DROP
+        $IPT6 -A INPUT -p icmpv6 -m limit --limit 2/second -j ACCEPT
+        # Drop excessive RST packets to avoid smurf attacks
+        $IPT6 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
+        echo " * IPv6 protection rules : \033[32m[OK] \033[0m"
+
+        # Custom rules
+        $IPT6 -A INPUT -j ACCEPT -p tcp --dport 80  --syn -m comment --comment "IPv6 http"
+        $IPT6 -A INPUT -j ACCEPT -p tcp --dport 443 --syn -m comment --comment "IPv6 https"
+        #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 22        -m comment --comment "IPv6 ssh"
+        #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 25        -m comment --comment "IPv6 smtp"
+        echo " * Custom IPv6 rules : \033[32m[OK] \033[0m"
+
+        # REJECT everything else
+        $IPT6 -A INPUT  -j REJECT --reject-with tcp-reset -p tcp
+        $IPT6 -A INPUT  -j REJECT -p udp
+        echo " * Reject everything else : \033[32m[OK] \033[0m"
+
+        # Log everything else
+        #$IPT6 -A INPUT -i $PUBIF -j LOG --log-prefix "Firewall IPv6 : "
+        ;;
+
+  stop)
+        echo -n "Resetting $DESC. \n"
+        ### IPv4 ###
+        $IPT4 -F
+        $IPT4 -X
+        $IPT4 -P FORWARD ACCEPT
+        $IPT4 -P INPUT ACCEPT
+        $IPT4 -P OUTPUT ACCEPT
+        $IPT4 -t nat -F
+        $IPT4 -t nat -X
+        $IPT4 -t mangle -F
+        $IPT4 -t mangle -X
+        echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"
+
+        ### IPv6 ###
+        $IPT6 -F
+        $IPT6 -X
+        $IPT6 -P FORWARD ACCEPT
+        $IPT6 -P INPUT ACCEPT
+        $IPT6 -P OUTPUT ACCEPT
+        $IPT6 -t mangle -F
+        $IPT6 -t mangle -X
+        echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
+        echo
+        ;;
+
+  restart|force-reload)
+        $0 stop
+        $0 start
+        ;;
+
+  status)
+        echo "\033[33mIPv4 chains and rules : \033[0m"
+        $IPT4 -L -n -v
+        echo
+        echo "\033[33mIPv6 chains and rules : \033[0m"
+        $IPT6 -L -n -v
+        ;;
+
+  *)
+        echo "Usage: firewall {start|stop|restart|force-reload|status}" >&2
+        exit 1
+        ;;
+esac
+
+exit 0