infra-ansible

Ansible playbook to provision Alpine hosts with SSH and WireGuard

git clone https://9o.is/git/infra-ansible.git

commit a56c5ab5a720424eb46aaa6cfb148165582071e8
parent dcc097bab430845a58f61be57675e1729a52bb74
Author: Jul <jul@9o.is>
Date:   Tue, 14 May 2024 16:55:34 +0800

remove iptables firewall

Diffstat:
Dhost/roles/firewall/handlers/main.yml | 6------
Dhost/roles/firewall/tasks/main.yml | 18------------------
Dhost/roles/firewall/templates/iptables-custom-rules.j2 | 77-----------------------------------------------------------------------------
Mhost/site.yml | 3---
4 files changed, 0 insertions(+), 104 deletions(-)

diff --git a/host/roles/firewall/handlers/main.yml b/host/roles/firewall/handlers/main.yml
@@ -1,6 +0,0 @@
----
-- name: update iptables
- shell: |
- iptables-custom-rules
- iptables-save > /etc/iptables/rules.v4
- ip6tables-save > /etc/iptables/rules.v6
diff --git a/host/roles/firewall/tasks/main.yml b/host/roles/firewall/tasks/main.yml
@@ -1,18 +0,0 @@
----
-- name: install iptables
- package:
- name:
- - iptables
- - iptables-persistent
- state: present
- notify: update iptables
-
-- name: install iptables-custom-rules
- template:
- src: iptables-custom-rules.j2
- dest: /usr/bin/iptables-custom-rules
- owner: root
- group: root
- mode: '0755'
- notify: update iptables
-
diff --git a/host/roles/firewall/templates/iptables-custom-rules.j2 b/host/roles/firewall/templates/iptables-custom-rules.j2
@@ -1,77 +0,0 @@
-#!/bin/sh
-
-IPT="/sbin/iptables"
-IP6T="/sbin/ip6tables"
-PUB_IF="{{ static_interface }}"
-
-$IPT -F
-$IPT -X
-$IPT -t nat -F
-$IPT -t nat -X
-$IPT -t mangle -F
-$IPT -t mangle -X
-
-modprobe ip_conntrack
-
-# allow loopback
-$IPT -A INPUT -i lo -j ACCEPT
-$IPT -A OUTPUT -o lo -j ACCEPT
-
-# drop all incomming traffic
-$IPT -P INPUT DROP
-$IPT -P OUTPUT DROP
-$IPT -P FORWARD DROP
-$IP6T -P INPUT DROP
-$IP6T -P OUTPUT DROP
-$IP6T -P FORWARD DROP
-
-# block sync
-$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
-$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
-
-# block fragments
-$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
-$IPT -A INPUT -i ${PUB_IF} -f -j DROP
-
-# block bad stuff
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
-
-# block null packets
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
-
-# block
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-
-# block xmas
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-
-# block fin packet scans
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
-
-# block
-$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
-
-### state tracking rules
-$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
-$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
-$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-$IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-
-# Allowed service ports
-$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
-$IPT -A INPUT -i ${PUB_IF} -p udp --destination-port {{ wireguard_port }} -m conntrack --ctstate NEW -j ACCEPT
-
-# Do not log smb/windows sharing packets - too much logging
-$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 137:139 -j REJECT
-$IPT -A INPUT -i ${PUB_IF} -p udp --dport 137:139 -j REJECT
-
-# log everything else and drop
-$IPT -A INPUT -j LOG
-$IPT -A FORWARD -j LOG
-$IPT -A INPUT -j DROP
-
-exit 0
diff --git a/host/site.yml b/host/site.yml
@@ -18,9 +18,6 @@
- role: wireguard tags: wireguard - - role: firewall - tags: firewall - - name: Kubernetes hosts: servers tags: kubes
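Review bot: Dropping `- role: firewall` from the host play leaves nothing in this playbook that installs a host packet filter, so a freshly provisioned host gets the distribution default instead of the removed template's INPUT-DROP policy that admitted only `{{ openssh_port }}` and `{{ wireguard_port }}`; if the filter now lives elsewhere (an nftables/awall role, a cloud security group), the commit message should say so, and if not this is a regression that wants a replacement before merge. The removal also does not converge on hosts that were already provisioned: `iptables-persistent`, `/etc/iptables/rules.v4`/`rules.v6` and `/usr/bin/iptables-custom-rules` were put there by the deleted tasks and nothing here takes them away, so old hosts keep restoring the old rules at boot while new hosts get none, leaving two fleets with different exposure. Rather than deleting the role outright I would keep it for one release with absent-state tasks so the teardown is explicit and idempotent, then drop it. Note that `iptables-persistent` is a Debian package name, so on the Alpine hosts the README describes the old role may never have applied cleanly; worth confirming which hosts actually hold state before relying on the cleanup. The surrounding `Kubernetes` play starts after this hunk's context and is not affected.
```yaml
# host/roles/firewall/tasks/main.yml — retire the old filter instead of leaving it behind
- name: remove iptables-custom-rules script and persisted rules
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /usr/bin/iptables-custom-rules
    - /etc/iptables/rules.v4
    - /etc/iptables/rules.v6

- name: remove iptables-persistent
  package:
    name: iptables-persistent
    state: absent
```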