--- /dev/null
+Configure Debian iptables firewall.
+
+Allow everything out, limit in, disable forward.
--- /dev/null
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: iptables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ /etc/init.d/fail2ban stop
+
+ # Start afresh
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+
+ # Default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD DROP
+
+ start_firewall
+ /etc/init.d/rc.masq
+ /etc/init.d/fail2ban start
+ ;;
+
+ stop)
+ /etc/init.d/fail2ban stop
+
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT DROP
+ $IPTABLES -P FORWARD DROP
+ ;;
+
+ clear)
+ /etc/init.d/fail2ban stop
+
+ # Flush (delete) all rules
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
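Review bot: Only the IPv4 tables are touched: the `start` branch sets DROP policies through `$IPTABLES` (L30-32) but never runs `ip6tables`, so on a host that has an IPv6 address every listening service stays reachable over v6 no matter what this script does. At minimum mirror the policies with `/sbin/ip6tables -P INPUT DROP` and `/sbin/ip6tables -P FORWARD DROP`, preceded by `-A INPUT -i lo -j ACCEPT` and `-A INPUT -p icmpv6 -j ACCEPT`, since dropping ICMPv6 breaks neighbour discovery. Separately, the flush at L25-27 runs while the previous policy is still in effect, so a `start` issued after `clear` leaves INPUT wide open for a moment; set the three policies first, then flush, and add `$IPTABLES -X` so chains left behind by anything other than fail2ban do not survive a restart. `$IPTABLES` only exists if `/etc/network/functions.phd` sourced cleanly (L18); an `: "${IPTABLES:?}"` guard after the source line keeps a missing or broken file from turning `$IPTABLES -F` into a bare `-F` that fails with no policy applied.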
--- /dev/null
+#!/bin/sh
+#
+# rc.masq - IP Masquerade
+#
+# Load all required IP MASQ modules
+#
+# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
+# are shown below but are commented out from loading.
+
+# Needed to initially load modules
+#
+#/sbin/depmod -a
+
+# Supports the proper masquerading of FTP file transfers using the PORT method
+#
+#/sbin/modprobe ip_masq_ftp
+
+# Supports the masquerading of RealAudio over UDP. Without this module,
+# RealAudio WILL function but in TCP mode. This can cause a reduction
+# in sound quality
+#
+#/sbin/modprobe ip_masq_raudio
+
+# Supports the masquerading of IRC DCC file transfers
+#
+#/sbin/modprobe ip_masq_irc
+
+
+# Supports the masquerading of Quake and QuakeWorld by default. This modules is
+# for for multiple users behind the Linux MASQ server. If you are going to play
+# Quake I, II, and III, use the second example.
+#
+# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
+# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
+#
+#Quake I / QuakeWorld (ports 26000 and 27000)
+#/sbin/modprobe ip_masq_quake
+#
+#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
+#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
+
+
+# Supports the masquerading of the CuSeeme video conferencing software
+#
+#/sbin/modprobe ip_masq_cuseeme
+
+#Supports the masquerading of the VDO-live video conferencing software
+#
+#/sbin/modprobe ip_masq_vdolive
+
+
+#CRITICAL: Enable IP forwarding since it is disabled by default since
+#
+# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
+#
+# FORWARD_IPV4=false
+# to
+# FORWARD_IPV4=true
+#
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+
+# Dynamic IP users:
+#
+# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
+# option. This enables dynamic-ip address hacking in IP MASQ, making the life
+# with Diald and similar programs much easier.
+#
+#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+
+
+IPTABLES=/sbin/iptables
+
+
+# DHCP: For people who receive their external IP address from either DHCP or BOOTP
+# such as ADSL or Cablemodem users, it is necessary to use the following
+# before the deny command. The "bootp_client_net_if_name" should be replaced
+# the name of the link that the DHCP/BOOTP server will put an address on to?
+# This will be something like "eth0", "eth1", etc.
+#
+# This example is currently commented out.
+#
+#
+#$IPCHAINS -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
+
+# Enable simple IP forwarding and Masquerading
+#
+# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
+# network with a 255.255.255.0 or a "24" bit subnet mask.
+#
+# Please change this network number and subnet mask to match your internal LAN setup
+#
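Review bot: The one line in this file that actually runs, `echo 1 > /proc/sys/net/ipv4/ip_forward` (L128), turns on IPv4 forwarding on a host whose README says forwarding is disabled; iptables.sh calls this script on every `start` (L35), so the FORWARD chain's DROP policy is the only thing keeping the box from routing, and `clear` flips that policy to ACCEPT while leaving ip_forward at 1. Either remove the line (or write `0` to the sysctl) or keep forwarding and add explicit FORWARD rules in start_firewall. Everything else here is ipchains-era commentary, `ip_masq_*` modules and `$IPCHAINS` (L84-117, L152), which as far as I know have no counterpart on an iptables kernel; a header such as `# Historical ipchains notes kept for reference; only the ip_forward sysctl below is active` would stop the next reader from trying them. The file ends on a comment introducing a masquerade rule that never appears (L154-160), so either the hunk is truncated or the rule was dropped and the comment should go with it.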
--- /dev/null
+IPTABLES=/sbin/iptables
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+my_ip() {
+ MYIP=$1
+
+ # Allow everything from this host
+ $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+
+ # Allow ICMP
+ $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+
+ # Allow ports >1024
+ $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
+ $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+}
+
+start_firewall() {
+ # Allow everything from localhost
+ $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+
+ # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
+ $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+
+ # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
+ $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+
+ # FTP
+ $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+ # Allow ftp-data for active connections
+ #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+
+ # Track FTP connections to allow active and passive mode FTP
+ $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
+ for ip in $MY_IP; do my_ip "$ip"; done
+}
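Review bot: `$IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT` (L215) accepts a NEW connection to any port as long as the remote side used source port 21, which any client can choose (`nmap -g 21`), so it undoes the DROP policy for every listening service; `$IPTABLES -A INPUT -s $MYIP -j ACCEPT` (L169) has the same shape of problem, matching a packet from the wire that carries a spoofed source of one of our own addresses rather than the loopback traffic it is meant for. The stateful lines at L213-218 are all subsets of one `-m state --state ESTABLISHED,RELATED -j ACCEPT`, which placed near the top also covers the stateless DNS-reply rule (L194) and FTP data once `nf_conntrack_ftp` is loaded. L175/L176 accept any non-SYN TCP segment and every UDP datagram to ports above 1024 from anyone, which is the only reason NFS and X11 need their own DROPs (L184-187); with the stateful rule in place those two accepts can go, but that narrows what is exposed and is a call for whoever runs the box. The rewritten lines are below; the per-service `--dport` accepts are unchanged.
```sh
my_ip() {
    MYIP=$1

    # No "-s $MYIP -j ACCEPT": a source address is not proof of origin, and
    # local traffic to our own addresses arrives on lo, which is accepted there.

    # Allow ICMP to this address
    $IPTABLES -A INPUT -d "$MYIP" -p icmp -j ACCEPT

    # … unchanged: ports >1024 accepts …
}

start_firewall() {
    # Loopback by interface, not by address; a 127/8 source on a real NIC is spoofed
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # Replies to connections this host opened; FTP data shows up as RELATED once
    # nf_conntrack_ftp is loaded. Replaces the six --sport/--dport state rules.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # … unchanged: NFS/X11 drops and per-service --dport ACCEPT rules …

    # FTP control channel only (no --sport 21 rule: any client can pick port 21;
    # no --dport 20 rule: active-mode data is opened by us and matched as RELATED)
    $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT

    # … unchanged: MY_IP enumeration and my_ip loop …
}
```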
--- /dev/null
+#!/bin/sh
+exec /etc/init.d/iptables.sh start
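Review bot: This hook runs the full `start` branch, which stops fail2ban, flushes every table and rebuilds the rule set, each time it fires; the file's path is not visible in the diff, but if it lives under `/etc/network/if-up.d/` then ifupdown invokes it for every interface including `lo`, so at boot the whole cycle repeats once per interface and the rules are briefly absent between the flush and `start_firewall`. If the intent is only to pick up a new address for the `my_ip` rules, a guard such as `[ "$IFACE" != lo ] || exit 0` before the `exec` avoids the loopback run, and adding just the address rules would avoid the flush altogether. The same two-line file appears twice in this commit, presumably as an if-up and an if-post-up (or ppp) hook; whichever it is, a one-line comment naming the trigger would make that clear.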
--- /dev/null
+#!/bin/sh
+exec /etc/init.d/iptables.sh start
--- /dev/null
+- name: Install fail2ban
+ become: true
+ apt:
+ install_recommends: no
+ name: fail2ban
+ state: latest
+ update_cache: yes
+
+- name: Configure Debian firewall
+ become: true
+ copy:
+ src: etc
+ dest: /
+ owner: root
+ group: root
+ mode: '0750'
+ force: no
+
+- name: Fix permissions for /etc/network/functions
+ become: true
+ file:
+ path: /etc/network/functions.phd
+ mode: '0640'
+
+- name: Start Debian firewall
+ become: true
+ command: /etc/init.d/iptables.sh start
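Review bot: `force: no` on the copy task (L246) means the firewall scripts are written exactly once: any later change to `functions.phd` or `iptables.sh` in the repo is silently skipped on hosts that already have a copy, so the rule set on disk drifts from the repo with no error reported. Drop `force: no` (the default overwrites when content differs) and move the `command: /etc/init.d/iptables.sh start` task (L256) into a handler that the copy task notifies, which also stops every play run from flushing the rules and restarting fail2ban when nothing changed. `mode: '0750'` is applied to everything under `src: etc`, directories included; `/etc/init.d` and `/etc/network` presumably already exist and are left alone, but confirm they keep their usual 0755 after a run, since a 0750 directory there is a surprise for unprivileged users. `state: latest` on the fail2ban task (L235) upgrades the package on every run, which is an unexpected change-on-apply for a firewall host; `state: present` is the usual choice unless upgrades are intended.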