From bfa5e5807c1399e150c27e5db68ff3836b981e4f Mon Sep 17 00:00:00 2001 From: Timo Makinen Date: Fri, 10 May 2019 16:51:18 +0300 Subject: [PATCH] add iptables role and define firewall rules for mirror group --- group_vars/mirror.yml | 5 ++++ roles/base/tasks/RedHat.yml | 4 +++ roles/iptables/defaults/main.yml | 6 +++++ roles/iptables/handlers/main.yml | 11 +++++++++ roles/iptables/tasks/main.yml | 35 +++++++++++++++++++++++++++ roles/iptables/templates/ip6tables.j2 | 22 +++++++++++++++++ roles/iptables/templates/iptables.j2 | 22 +++++++++++++++++ 7 files changed, 105 insertions(+) create mode 100644 roles/iptables/defaults/main.yml create mode 100644 roles/iptables/handlers/main.yml create mode 100644 roles/iptables/tasks/main.yml create mode 100644 roles/iptables/templates/ip6tables.j2 create mode 100644 roles/iptables/templates/iptables.j2 diff --git a/group_vars/mirror.yml b/group_vars/mirror.yml index b8ccc65..5fa1ea9 100644 --- a/group_vars/mirror.yml +++ b/group_vars/mirror.yml @@ -1,4 +1,9 @@ --- + os_type: centos7 dcentos7atadisk_size: - 1000 + +firewall_in: + - {proto: tcp, port: 22, from: [172.20.20.0/22]} + - {proto: tcp, port: 443, from: [172.20.20.0/22]} diff --git a/roles/base/tasks/RedHat.yml b/roles/base/tasks/RedHat.yml index fb00a77..d43f78f 100644 --- a/roles/base/tasks/RedHat.yml +++ b/roles/base/tasks/RedHat.yml @@ -32,3 +32,7 @@ hour: 3 minute: "{{ 59 | random(seed=inventory_hostname) }}" job: "yum -d 0 -e 0 -y --downloadonly update > /dev/null" + +- name: install os specific roles + include_role: + name: iptables diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml new file mode 100644 index 0000000..51dcfc3 --- /dev/null +++ b/roles/iptables/defaults/main.yml @@ -0,0 +1,6 @@ +--- + +firewall_in: + - {proto: tcp, port: 22} + +firewall_raw: [] diff --git a/roles/iptables/handlers/main.yml b/roles/iptables/handlers/main.yml new file mode 100644 index 0000000..ed8da09 --- /dev/null 
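Review bot: The `firewall_in` override in group_vars/mirror.yml narrows SSH on port 22 to `172.20.20.0/22` for the whole mirror group; if the Ansible control host that applies this play sits outside that prefix, the `reload iptables` handler cuts its own session and every later run is locked out, so the controller's address range should be confirmed (and stated in a comment) before this is merged. Note also that `from` lists only an IPv4 prefix: in the ip6tables template `rule.from | ipv6` yields nothing for these two rules, so 22 and 443 are rejected entirely over IPv6 — fail-closed, but worth recording, e.g. `# IPv4 only: with no IPv6 prefix listed these ports are rejected over IPv6`. The two flow-style mappings would read better in block style, like `datadisk_size` above them.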
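Review bot: `include_role: name: iptables` is added to the base RedHat task list, so the role runs on every RedHat host, not only the `mirror` group that defines `firewall_in`; any other host falls back to the role default of SSH-only and, once the handler reloads, starts rejecting whatever else it serves. Confirm that every RedHat group either sets its own `firewall_in` or is meant to expose nothing but SSH before this lands. The task name `install os specific roles` also does not say what happens; `- name: apply iptables firewall role (removes firewalld)` would.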
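Review bot: The shape of `firewall_in` and `firewall_raw` in roles/iptables/defaults/main.yml is only discoverable by reading the two templates, and the defaults file is where a consumer of the role looks first. Document it here: `# firewall_in: list of {proto: tcp|udp, port: N, from: [CIDR, ...]}; omit 'from' to accept from any source` above the list, and `# firewall_raw: verbatim iptables-restore lines, rendered before the firewall_in ACCEPT rules in both the IPv4 and IPv6 rulesets` above the empty list. It is also worth stating that the default accepts SSH from any source and that a group_vars `firewall_in` replaces this list rather than extending it, since that is how the mirror group narrows it.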
+++ b/roles/iptables/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: reload iptables
+ service:
+ name: iptables
+ state: reloaded
+
+- name: reload ip6tables
+ service:
+ name: ip6tables
+ state: reloaded
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml
new file mode 100644
index 0000000..fe3f862
--- /dev/null
+++ b/roles/iptables/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: remove firewalld
+ package:
+ name: firewalld
+ state: removed
+
+- name: install iptables packages
+ package:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - iptables
+ - iptables-services
+
+- name: create iptables config from template
+ template:
+ src: "{{ item }}.j2"
+ dest: "/etc/sysconfig/{{ item }}"
+ mode: 0600
+ owner: root
+ group: root
+ notify: "reload {{ item }}"
+ with_items:
+ - iptables
+ - ip6tables
+
+- name: enable iptables service
+ service:
+ name: "{{ item }}"
+ state: started
+ enabled: true
+ with_items:
+ - iptables
+ - ip6tables
diff --git a/roles/iptables/templates/ip6tables.j2 b/roles/iptables/templates/ip6tables.j2
new file mode 100644
index 0000000..65614fb
--- /dev/null
+++ b/roles/iptables/templates/ip6tables.j2
@@ -0,0 +1,22 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% for rule in firewall_raw %}
+{{ rule }}
+{% endfor %}
+{% for rule in firewall_in %}
+ {% if rule.from is defined %}
+ {% for from in rule.from | ipv6 %}
+-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} -s {{ from }} --dport {{ rule.port }} -j ACCEPT
+ {% endfor %}
+ {% else %}
+-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} --dport {{ rule.port }} -j ACCEPT
+ {% endif %}
+{% endfor %}
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
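Review bot: The template task in roles/iptables/tasks/main.yml writes `/etc/sysconfig/{{ item }}` without validation, so a ruleset that `iptables-restore` rejects (a typo in a `firewall_raw` line, a bad `port`) only surfaces when the `reload` handler fails — by then the broken file is already in place, and on the next boot the iptables service fails to load while the kernel's default INPUT policy is ACCEPT, leaving the host unfiltered. Add `validate: "{{ item }}-restore --test %s"` to the template task so a bad ruleset is refused before the file is written (iptables 1.4.21 on CentOS 7 appears to support `--test`; confirm on the target). Separately, `firewalld` is removed before `iptables-services` is installed, templated and started, so there is a window inside the run with no filtering at all; that is worth a comment on the first task even if the order is kept. Minor style: `state: installed`/`removed` are legacy aliases for `present`/`absent`, and `mode: 0600` is safer written as `"0600"`.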
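Review bot: `firewall_raw` is rendered verbatim into both ip6tables.j2 and iptables.j2 with no address-family filter, so a single IPv4-only raw line (say one carrying `-s 10.0.0.0/8`) makes `ip6tables-restore` reject the whole IPv6 ruleset while the IPv4 one loads, and the two families diverge until the handler fails. Either split the variable (`firewall_raw` / `firewall_raw6`) or document that raw lines must be valid for both families. Note too that `rule.from | ipv6` is an `ipaddr` filter and needs the `netaddr` Python package on the control node, and that it silently drops entries that are not valid IPv6 addresses, so a mistyped prefix yields no ACCEPT rule and a closed port rather than an error; a comment above the loop, e.g. `{# entries in rule.from that are not IPv6 are dropped here; IPv4 prefixes are handled in iptables.j2 #}`, would make that explicit.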
diff --git a/roles/iptables/templates/iptables.j2 b/roles/iptables/templates/iptables.j2
new file mode 100644
index 0000000..c20789f
--- /dev/null
+++ b/roles/iptables/templates/iptables.j2
@@ -0,0 +1,22 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% for rule in firewall_raw %}
+{{ rule }}
+{% endfor %}
+{% for rule in firewall_in %}
+ {% if rule.from is defined %}
+ {% for from in rule.from | ipv4 %}
+-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} -s {{ from }} --dport {{ rule.port }} -j ACCEPT
+ {% endfor %}
+ {% else %}
+-A INPUT -m state --state NEW -m {{ rule.proto }} -p {{ rule.proto }} --dport {{ rule.port }} -j ACCEPT
+ {% endif %}
+{% endfor %}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
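Review bot: The rendered `/etc/sysconfig/iptables` carries no marker that it is generated, yet the template task overwrites it on every run, so an operator following the usual iptables-services workflow (`iptables-save > /etc/sysconfig/iptables`) loses those edits silently at the next play. Add `# {{ ansible_managed }}` as the first line of both templates — `iptables-restore` skips lines beginning with `#`. The file is otherwise a line-for-line copy of ip6tables.j2 differing only in the ICMP protocol name, the `ipv4`/`ipv6` filter and the reject type; one template taking those three as variables would keep the two families from drifting apart.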