handle docker rules & templatize custom rules
@@ -20,6 +20,7 @@ Role Ansible pour déployer un pare-feu iptables/ip6tables via un script shell e
|
|||||||
Variables par défaut dans [defaults/main.yml](defaults/main.yml).
|
Variables par défaut dans [defaults/main.yml](defaults/main.yml).
|
||||||
|
|
||||||
- firewall_public_interface: interface publique pour les logs optionnels. Si null, utilise ansible_default_ipv4.interface.
|
- firewall_public_interface: interface publique pour les logs optionnels. Si null, utilise ansible_default_ipv4.interface.
|
||||||
|
- firewall_docker_safe: préserve les chaînes Docker lors d'un restart du firewall.
|
||||||
- firewall_admin_sources: liste des CIDR autorisés sur les services admin.
|
- firewall_admin_sources: liste des CIDR autorisés sur les services admin.
|
||||||
- firewall_admin_rules_ipv4: liste des règles IPv4 limitées aux sources admin.
|
- firewall_admin_rules_ipv4: liste des règles IPv4 limitées aux sources admin.
|
||||||
- firewall_public_tcp_ports_ipv4: ports TCP IPv4 ouverts publiquement.
|
- firewall_public_tcp_ports_ipv4: ports TCP IPv4 ouverts publiquement.
|
||||||
@@ -32,6 +33,8 @@ firewall_admin_sources:
|
|||||||
- cidr: "203.0.113.10/32"
|
- cidr: "203.0.113.10/32"
|
||||||
comment: "bastion"
|
comment: "bastion"
|
||||||
|
|
||||||
|
firewall_docker_safe: true
|
||||||
|
|
||||||
firewall_admin_rules_ipv4:
|
firewall_admin_rules_ipv4:
|
||||||
- proto: "udp"
|
- proto: "udp"
|
||||||
dport: 51820
|
dport: 51820
|
||||||
@@ -64,4 +67,5 @@ firewall_public_tcp_ports_ipv6:
|
|||||||
|
|
||||||
- Le script applique une politique restrictive (DROP sur INPUT/OUTPUT/FORWARD) puis ouvre explicitement les flux requis.
|
- Le script applique une politique restrictive (DROP sur INPUT/OUTPUT/FORWARD) puis ouvre explicitement les flux requis.
|
||||||
- Toute erreur de syntaxe shell du template est validée avant déploiement via /bin/sh -n.
|
- Toute erreur de syntaxe shell du template est validée avant déploiement via /bin/sh -n.
|
||||||
|
- En mode docker-safe, les chaînes Docker existantes sont préservées pour éviter de casser la connectivité des conteneurs au restart.
|
||||||
|
|
||||||
|
|||||||
@@ -3,6 +3,10 @@
|
|||||||
# If null, ansible_default_ipv4.interface is used.
|
# If null, ansible_default_ipv4.interface is used.
|
||||||
firewall_public_interface: null
|
firewall_public_interface: null
|
||||||
|
|
||||||
|
# Preserve Docker-managed chains/rules when restarting the firewall.
|
||||||
|
# When true, FORWARD chain is not reset if Docker chains are detected.
|
||||||
|
firewall_docker_safe: true
|
||||||
|
|
||||||
# IPv4 source networks allowed to access admin-restricted services.
|
# IPv4 source networks allowed to access admin-restricted services.
|
||||||
firewall_admin_sources:
|
firewall_admin_sources:
|
||||||
- cidr: "51.158.69.165/32"
|
- cidr: "51.158.69.165/32"
|
||||||
|
|||||||
+64
-12
@@ -11,6 +11,7 @@ NAME=firewall
|
|||||||
DESC="packet filter"
|
DESC="packet filter"
|
||||||
|
|
||||||
PUBIF="{{ firewall_public_interface | default(ansible_default_ipv4.interface | default('eth0')) }}"
|
PUBIF="{{ firewall_public_interface | default(ansible_default_ipv4.interface | default('eth0')) }}"
|
||||||
|
FIREWALL_DOCKER_SAFE="{{ firewall_docker_safe | default(true) | ternary('1', '0') }}"
|
||||||
#PRIVATEIF=eth1
|
#PRIVATEIF=eth1
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
@@ -18,10 +19,28 @@ case "$1" in
|
|||||||
echo -n "Initializing $DESC. \n"
|
echo -n "Initializing $DESC. \n"
|
||||||
### IPv4 ###
|
### IPv4 ###
|
||||||
echo " \033[33mIPv4 : \033[0m"
|
echo " \033[33mIPv4 : \033[0m"
|
||||||
|
|
||||||
|
HAS_DOCKER4=0
|
||||||
|
if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT4 -S DOCKER >/dev/null 2>&1; then
|
||||||
|
HAS_DOCKER4=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Reset only chains managed by this role.
|
||||||
|
$IPT4 -F INPUT
|
||||||
|
$IPT4 -F OUTPUT
|
||||||
|
$IPT4 -F ADMIN >/dev/null 2>&1 || true
|
||||||
|
$IPT4 -X ADMIN >/dev/null 2>&1 || true
|
||||||
|
|
||||||
|
if [ "$HAS_DOCKER4" -eq 0 ]; then
|
||||||
|
$IPT4 -F FORWARD
|
||||||
|
$IPT4 -P FORWARD DROP
|
||||||
|
else
|
||||||
|
echo " * Docker detected, preserving IPv4 FORWARD chain : \033[32m[OK] \033[0m"
|
||||||
|
fi
|
||||||
|
|
||||||
# DROP all incomming traffic
|
# DROP all incomming traffic
|
||||||
$IPT4 -P INPUT DROP
|
$IPT4 -P INPUT DROP
|
||||||
$IPT4 -P OUTPUT DROP
|
$IPT4 -P OUTPUT DROP
|
||||||
$IPT4 -P FORWARD DROP
|
|
||||||
echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"
|
echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"
|
||||||
|
|
||||||
# Unlimited access to loopback
|
# Unlimited access to loopback
|
||||||
@@ -67,10 +86,26 @@ case "$1" in
|
|||||||
|
|
||||||
### IPv6 ###
|
### IPv6 ###
|
||||||
echo " \033[33mIPv6 : \033[0m"
|
echo " \033[33mIPv6 : \033[0m"
|
||||||
|
|
||||||
|
HAS_DOCKER6=0
|
||||||
|
if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT6 -S DOCKER >/dev/null 2>&1; then
|
||||||
|
HAS_DOCKER6=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Reset only chains managed by this role.
|
||||||
|
$IPT6 -F INPUT
|
||||||
|
$IPT6 -F OUTPUT
|
||||||
|
|
||||||
|
if [ "$HAS_DOCKER6" -eq 0 ]; then
|
||||||
|
$IPT6 -F FORWARD
|
||||||
|
$IPT6 -P FORWARD DROP
|
||||||
|
else
|
||||||
|
echo " * Docker detected, preserving IPv6 FORWARD chain : \033[32m[OK] \033[0m"
|
||||||
|
fi
|
||||||
|
|
||||||
# DROP all incomming traffic
|
# DROP all incomming traffic
|
||||||
$IPT6 -P INPUT DROP
|
$IPT6 -P INPUT DROP
|
||||||
$IPT6 -P OUTPUT DROP
|
$IPT6 -P OUTPUT DROP
|
||||||
$IPT6 -P FORWARD DROP
|
|
||||||
echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"
|
echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"
|
||||||
|
|
||||||
# Unlimited access to loopback
|
# Unlimited access to loopback
|
||||||
@@ -112,26 +147,43 @@ case "$1" in
|
|||||||
|
|
||||||
stop)
|
stop)
|
||||||
echo -n "Resetting $DESC. \n"
|
echo -n "Resetting $DESC. \n"
|
||||||
|
|
||||||
|
HAS_DOCKER4=0
|
||||||
|
if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT4 -S DOCKER >/dev/null 2>&1; then
|
||||||
|
HAS_DOCKER4=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
HAS_DOCKER6=0
|
||||||
|
if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT6 -S DOCKER >/dev/null 2>&1; then
|
||||||
|
HAS_DOCKER6=1
|
||||||
|
fi
|
||||||
|
|
||||||
### IPv4 ###
|
### IPv4 ###
|
||||||
$IPT4 -F
|
$IPT4 -F INPUT
|
||||||
$IPT4 -X
|
$IPT4 -F OUTPUT
|
||||||
|
$IPT4 -F ADMIN >/dev/null 2>&1 || true
|
||||||
|
$IPT4 -X ADMIN >/dev/null 2>&1 || true
|
||||||
|
if [ "$HAS_DOCKER4" -eq 0 ]; then
|
||||||
|
$IPT4 -F FORWARD
|
||||||
$IPT4 -P FORWARD ACCEPT
|
$IPT4 -P FORWARD ACCEPT
|
||||||
|
else
|
||||||
|
echo " * Docker detected, preserving IPv4 FORWARD chain : \033[32m[OK] \033[0m"
|
||||||
|
fi
|
||||||
$IPT4 -P INPUT ACCEPT
|
$IPT4 -P INPUT ACCEPT
|
||||||
$IPT4 -P OUTPUT ACCEPT
|
$IPT4 -P OUTPUT ACCEPT
|
||||||
$IPT4 -t nat -F
|
|
||||||
$IPT4 -t nat -X
|
|
||||||
$IPT4 -t mangle -F
|
|
||||||
$IPT4 -t mangle -X
|
|
||||||
echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"
|
echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"
|
||||||
|
|
||||||
### IPv6 ###
|
### IPv6 ###
|
||||||
$IPT6 -F
|
$IPT6 -F INPUT
|
||||||
$IPT6 -X
|
$IPT6 -F OUTPUT
|
||||||
|
if [ "$HAS_DOCKER6" -eq 0 ]; then
|
||||||
|
$IPT6 -F FORWARD
|
||||||
$IPT6 -P FORWARD ACCEPT
|
$IPT6 -P FORWARD ACCEPT
|
||||||
|
else
|
||||||
|
echo " * Docker detected, preserving IPv6 FORWARD chain : \033[32m[OK] \033[0m"
|
||||||
|
fi
|
||||||
$IPT6 -P INPUT ACCEPT
|
$IPT6 -P INPUT ACCEPT
|
||||||
$IPT6 -P OUTPUT ACCEPT
|
$IPT6 -P OUTPUT ACCEPT
|
||||||
$IPT6 -t mangle -F
|
|
||||||
$IPT6 -t mangle -X
|
|
||||||
echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
|
echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
|
||||||
echo
|
echo
|
||||||
;;
|
;;
|
||||||
|
|||||||
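Review bot: In the `stop)` hunk the `$IPT4 -t nat -F`, `$IPT4 -t nat -X`, `$IPT4 -t mangle -F`, `$IPT4 -t mangle -X` lines (and the IPv6 mangle pair) are removed unconditionally, so even with docker-safe disabled or no DOCKER chain present the nat and mangle tables are never cleaned anymore, while the echo still claims "Cleaning IPv4 chains and rules". Since the new `HAS_DOCKER4`/`HAS_DOCKER6` flags already decide whether FORWARD is touched, the table cleanup belongs inside that same `-eq 0` branch rather than being dropped; the same applies to the IPv6 block with `$IPT6 -t mangle`. A second, related gap in the `start)` hunks: when a DOCKER chain is detected the role no longer sets any FORWARD policy at all (the former unconditional `$IPT4 -P FORWARD DROP` was removed), so the resulting policy depends entirely on what Docker left behind; a one-line comment such as `# FORWARD policy left to Docker when its chains are present` would make that contract explicit. The four identical detection blocks (`HAS_DOCKER4=0 ... fi`) could also be one POSIX helper, e.g. `has_docker_chain() { [ "$FIREWALL_DOCKER_SAFE" = "1" ] && "$1" -S DOCKER >/dev/null 2>&1; }`. The enclosing `case "$1" in` starts before this hunk and ends after it.
```sh
if [ "$HAS_DOCKER4" -eq 0 ]; then
  $IPT4 -F FORWARD
  $IPT4 -P FORWARD ACCEPT
  # nat/mangle hold Docker's own entries when it is present; only clear them
  # when no DOCKER chain was detected, otherwise container networking breaks.
  $IPT4 -t nat -F
  $IPT4 -t nat -X
  $IPT4 -t mangle -F
  $IPT4 -t mangle -X
else
  echo " * Docker detected, preserving IPv4 FORWARD chain : \033[32m[OK] \033[0m"
fi
# … unchanged: INPUT/OUTPUT policy reset, IPv6 block mirrors this with $IPT6 -t mangle …
```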