X-Git-Url: https://git.phdru.name/?a=blobdiff_plain;f=playbooks%2Fdebian%2Froles%2Ffirewall%2Ffiles%2Fetc%2Fnetwork%2Ffunctions.phd;fp=playbooks%2Fdebian%2Froles%2Ffirewall%2Ffiles%2Fetc%2Fnetwork%2Ffunctions.phd;h=0000000000000000000000000000000000000000;hb=424c41462e9f4f38fdf666f2180342a8268a95c7;hp=08f37183f99af308ae327fb47d2946692cc34395;hpb=412c5f3f80f4aadecce7e27f6d0f8616a665f48d;p=ansible.git
diff --git a/playbooks/debian/roles/firewall/files/etc/network/functions.phd b/playbooks/debian/roles/firewall/files/etc/network/functions.phd
deleted file mode 100644
index 08f3718..0000000
--- a/playbooks/debian/roles/firewall/files/etc/network/functions.phd
+++ /dev/null
@@ -1,61 +0,0 @@
-IPTABLES=/sbin/iptables
-PATH=/sbin:/bin:/usr/sbin:/usr/bin
-
-my_ip() {
- MYIP=$1
-
- # Allow everything from this host
- $IPTABLES -A INPUT -s $MYIP -j ACCEPT
-
- # Allow ICMP
- $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
-
- # Allow ports >1024
- $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
- $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
-}
-
-start_firewall() {
- # Allow everything from localhost
- $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
-
- # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
- $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
- $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
-
- # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
- $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
-
- # FTP
- $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
- # Allow ftp-data for active connections
- #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
-
- # Track FTP connections to allow active and passive mode FTP
- $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
-
- MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
- for ip in $MY_IP; do my_ip "$ip"; done
-}