infra-ansible

ansible script to ship alpine/ssh/wireguard


commit ce10fe601d88c4dda86544a5fffc96b6d51b2779
parent b3d1d7f182450c3b9c4937c1fc59be6690dc3ed3
Author: Jul <jul@9o.is>
Date:   Fri, 10 May 2024 13:40:14 +0800

set host iptables

Diffstat:
Mhost/group_vars/all | 1+
Ahost/roles/iptables/handlers/main.yml | 6++++++
Ahost/roles/iptables/tasks/main.yml | 18++++++++++++++++++
Ahost/roles/iptables/templates/iptables-custom-rules.j2 | 76++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 101 insertions(+), 0 deletions(-)

diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1 +1,2 @@
 openssh_port: 57123
+net_interface: ens3
diff --git a/host/roles/iptables/handlers/main.yml b/host/roles/iptables/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: update iptables
+ shell: |
+ iptables-custom-rules
+ iptables-save > /etc/iptables/rules.v4
+ ip6tables-save > /etc/iptables/rules.v6
diff --git a/host/roles/iptables/tasks/main.yml b/host/roles/iptables/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: install iptables
+ package:
+ name:
+ - iptables
+ - iptables-persistent
+ state: present
+ notify: update iptables
+
+- name: install iptables-custom-rules
+ template:
+ src: iptables-custom-rules.j2
+ dest: /usr/bin/iptables-custom-rules
+ owner: root
+ group: root
+ mode: '0755'
+ notify: update iptables
+
diff --git a/host/roles/iptables/templates/iptables-custom-rules.j2 b/host/roles/iptables/templates/iptables-custom-rules.j2
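Review bot: A single `net_interface: ens3` in `group_vars/all` applies to every host in the inventory, and the iptables template added in this same commit binds its SSH ACCEPT rule to `-i ${PUB_IF}`, so any host whose public interface is not `ens3` (Alpine images commonly come up as `eth0`) is locked out of SSH as soon as the rules load. Consider deriving the default from facts, `net_interface: "{{ ansible_default_ipv4.interface }}"`, and overriding it in host_vars only where the fact is wrong; the variable name the template consumes stays the same. Whether every target really uses `ens3` cannot be seen from the diff, so this is a hedge against inventory drift rather than a known failure.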
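Review bot: The `shell: |` block in `update iptables` runs `iptables-save` whether or not `iptables-custom-rules` succeeded, so a rule that fails to load (a typo, a missing kernel module, an undefined variable in the template) leaves the table in whatever partial state the script reached and then persists exactly that state to `/etc/iptables/rules.v4`, where it survives a reboot. Make the save conditional on the script exiting 0 by putting `set -e` as the first line of the block: `shell: |` / `  set -e` / `  iptables-custom-rules`. Note also that `/etc/iptables/rules.v4` and `rules.v6` are the Debian iptables-persistent locations; the repository description mentions Alpine, which persists rules via `rc-service iptables save` instead, so if Alpine hosts are in this group the handler needs an OS-conditional branch. The YAML indentation was lost in this rendering, so the nesting above is inferred.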
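Review bot: The `install iptables-custom-rules` task ships a script that the handler then executes against live tables, but nothing checks the rendered file first, so a Jinja rendering error or a shell syntax error is only discovered once the host's policies are already DROP. Add `validate: /bin/sh -n %s` to the `template` task so a malformed render fails the play before the handler fires. The `package` task lists `iptables-persistent`, which is a Debian package; if the `host` group includes Alpine targets (the repository description suggests it) `package` will fail there and the role would need `iptables-openrc` instead, presumably selected on `ansible_os_family`.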
@@ -0,0 +1,76 @@
+#!/bin/sh
+
+IPT="/sbin/iptables"
+IP6T="/sbin/ip6tables"
+PUB_IF="{{ net_interface }}"
+
+$IPT -F
+$IPT -X
+$IPT -t nat -F
+$IPT -t nat -X
+$IPT -t mangle -F
+$IPT -t mangle -X
+
+modprobe ip_conntrack
+
+# allow loopback
+$IPT -A INPUT -i lo -j ACCEPT
+$IPT -A OUTPUT -o lo -j ACCEPT
+
+# drop all incomming traffic
+$IPT -P INPUT DROP
+$IPT -P OUTPUT DROP
+$IPT -P FORWARD DROP
+$IP6T -P INPUT DROP
+$IP6T -P OUTPUT DROP
+$IP6T -P FORWARD DROP
+
+# block sync
+$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
+$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
+
+# block fragments
+$IPT -A INPUT -i ${PUB_IF} -f -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
+$IPT -A INPUT -i ${PUB_IF} -f -j DROP
+
+# block bad stuff
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
+
+# block null packets
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP
+
+# block
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+
+# block xmas
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+# block fin packet scans
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP
+
+# block
+$IPT -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+
+### state tracking rules
+$IPT -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "DROP INVALID" --log-ip-options --log-tcp-options
+$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
+$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+$IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Allow ssh
+$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
+
+# Do not log smb/windows sharing packets - too much logging
+$IPT -A INPUT -i ${PUB_IF} -p tcp --dport 137:139 -j REJECT
+$IPT -A INPUT -i ${PUB_IF} -p udp --dport 137:139 -j REJECT
+
+# log everything else and drop
+$IPT -A INPUT -j LOG
+$IPT -A FORWARD -j LOG
+$IPT -A INPUT -j DROP
+
+exit 0
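Review bot: The script sets all six policies to DROP before the ESTABLISHED,RELATED and SSH ACCEPT rules are appended and runs under `#!/bin/sh` without `set -e`, so if any later `$IPT` line fails (for example `openssh_port` undefined rendering an empty `--destination-port`, or a match module missing) the host is left with flushed tables and DROP policies, the SSH session running the play dies, and the handler then saves that state. The IPv6 side is also only half done: `$IP6T -P INPUT DROP` / `-P OUTPUT DROP` are set but ip6tables is never flushed and gets no loopback, ESTABLISHED or ICMPv6 accept, which breaks services bound to `::1` and neighbour discovery on any dual-stack host; if disabling IPv6 outright is the intent, say so in a comment such as `# IPv6 deliberately blocked: no v6 service on these hosts`. The catch-all `$IPT -A INPUT -j LOG` and `$IPT -A FORWARD -j LOG` also carry no `-m limit`, unlike every other LOG rule above, so a port scan can fill the log. The lines below reorder the script to start permissive, fail fast, add the missing v6 rules, rate-limit the final LOG, and set the DROP policies last; note that with `set -e` a kernel with IPv6 disabled will make the `$IP6T` calls fail, so guard them if such hosts exist.

```sh
#!/bin/sh
set -e  # any failing rule aborts here, before the handler persists the table

IPT="/sbin/iptables"
IP6T="/sbin/ip6tables"
PUB_IF="{{ net_interface }}"

# Start permissive so a failure below cannot leave a flushed table with DROP policies
for t in "$IPT" "$IP6T"; do
  "$t" -P INPUT ACCEPT
  "$t" -P OUTPUT ACCEPT
  "$t" -P FORWARD ACCEPT
  "$t" -F
  "$t" -X
done
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# conntrack is autoloaded by -m conntrack; the old ip_conntrack alias may not exist
modprobe nf_conntrack 2>/dev/null || true

# allow loopback, both families
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IP6T -A INPUT -i lo -j ACCEPT
$IP6T -A OUTPUT -o lo -j ACCEPT

# … unchanged: sync/fragment/flag-scan drops, state tracking, ssh accept, smb reject …

# IPv6 needs ICMPv6 (neighbour discovery, PMTUD) and return traffic even if nothing listens on v6
$IP6T -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IP6T -A INPUT -p ipv6-icmp -j ACCEPT
$IP6T -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# log everything else (rate-limited so a scan cannot fill the log) and drop
$IPT -A INPUT -m limit --limit 5/m --limit-burst 10 -j LOG --log-level 4 --log-prefix "Drop Input"
$IPT -A FORWARD -m limit --limit 5/m --limit-burst 10 -j LOG --log-level 4 --log-prefix "Drop Forward"
$IPT -A INPUT -j DROP

# default-deny policies last, once every ACCEPT rule is in place
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IP6T -P INPUT DROP
$IP6T -P OUTPUT DROP
$IP6T -P FORWARD DROP

exit 0
```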