From: Oleg Broytman Date: Wed, 24 Jul 2019 03:14:40 +0000 (+0300) Subject: Feat(firewall): Configure Debian iptables firewall X-Git-Url: https://git.phdru.name/?a=commitdiff_plain;h=2f99edf4242d4378f68da2b4d77efb8aa33bd445;p=ansible.git Feat(firewall): Configure Debian iptables firewall
---
diff --git a/playbooks/debian/roles/firewall/README.txt b/playbooks/debian/roles/firewall/README.txt
new file mode 100644
index 0000000..6f8f7e2
--- /dev/null
+++ b/playbooks/debian/roles/firewall/README.txt
@@ -0,0 +1,3 @@
+Configure Debian iptables firewall.
+
+Allow everything out, limit in, disable forward.
diff --git a/playbooks/debian/roles/firewall/files/etc/init.d/iptables.sh b/playbooks/debian/roles/firewall/files/etc/init.d/iptables.sh
new file mode 100755
index 0000000..64fd5c1
--- /dev/null
+++ b/playbooks/debian/roles/firewall/files/etc/init.d/iptables.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: iptables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ /etc/init.d/fail2ban stop
+
+ # Start afresh
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+
+ # Default policies
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD DROP
+
+ start_firewall
+ /etc/init.d/rc.masq
+ /etc/init.d/fail2ban start
+ ;;
+
+ stop)
+ /etc/init.d/fail2ban stop
+
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT DROP
+ $IPTABLES -P OUTPUT DROP
+ $IPTABLES -P FORWARD DROP
+ ;;
+
+ clear)
+ /etc/init.d/fail2ban stop
+
+ # Flush (delete) all rules
+ $IPTABLES -F
+ $IPTABLES -F -t nat
+ $IPTABLES -F -t mangle
+ $IPTABLES -P INPUT ACCEPT
+ $IPTABLES -P OUTPUT ACCEPT
+ $IPTABLES -P FORWARD ACCEPT
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
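Review bot: The start branch only programs `/sbin/iptables`, so on a host that has a global IPv6 address every listening service stays reachable unfiltered over IPv6 even though the README promises to limit inbound traffic; at minimum mirror the policies with `ip6tables -P INPUT DROP` and `ip6tables -P FORWARD DROP` (plus an `-i lo` accept and ICMPv6), or state in the README that IPv6 is not filtered. `-F` flushes rules but leaves any user-defined chains in place, so add `$IPTABLES -X` (and the same for the nat and mangle tables) after the flushes so a restart really does "start afresh". Note also that `stop` leaves all three policies at DROP with no loopback rule, which cuts local 127.0.0.1 traffic as well; that may be intended for shutdown but deserves a comment above the branch, e.g. `# stop: fail closed -- this also blocks loopback traffic`.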
diff --git a/playbooks/debian/roles/firewall/files/etc/init.d/rc.masq b/playbooks/debian/roles/firewall/files/etc/init.d/rc.masq
new file mode 100755
index 0000000..69be427
--- /dev/null
+++ b/playbooks/debian/roles/firewall/files/etc/init.d/rc.masq
@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+# rc.masq - IP Masquerade
+#
+# Load all required IP MASQ modules
+#
+# NOTE: Only load the IP MASQ modules you need. All current IP MASQ modules
+# are shown below but are commented out from loading.
+
+# Needed to initially load modules
+#
+#/sbin/depmod -a
+
+# Supports the proper masquerading of FTP file transfers using the PORT method
+#
+#/sbin/modprobe ip_masq_ftp
+
+# Supports the masquerading of RealAudio over UDP. Without this module,
+# RealAudio WILL function but in TCP mode. This can cause a reduction
+# in sound quality
+#
+#/sbin/modprobe ip_masq_raudio
+
+# Supports the masquerading of IRC DCC file transfers
+#
+#/sbin/modprobe ip_masq_irc
+
+
+# Supports the masquerading of Quake and QuakeWorld by default. This modules is
+# for for multiple users behind the Linux MASQ server. If you are going to play
+# Quake I, II, and III, use the second example.
+#
+# NOTE: If you get ERRORs loading the QUAKE module, you are running an old
+# ----- kernel that has bugs in it. Please upgrade to the newest kernel.
+#
+#Quake I / QuakeWorld (ports 26000 and 27000)
+#/sbin/modprobe ip_masq_quake
+#
+#Quake I/II/III / QuakeWorld (ports 26000, 27000, 27910, 27960)
+#/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
+
+
+# Supports the masquerading of the CuSeeme video conferencing software
+#
+#/sbin/modprobe ip_masq_cuseeme
+
+#Supports the masquerading of the VDO-live video conferencing software
+#
+#/sbin/modprobe ip_masq_vdolive
+
+
+#CRITICAL: Enable IP forwarding since it is disabled by default since
+#
+# Redhat Users: you may try changing the options in /etc/sysconfig/network from:
+#
+# FORWARD_IPV4=false
+# to
+# FORWARD_IPV4=true
+#
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+
+# Dynamic IP users:
+#
+# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this following
+# option. This enables dynamic-ip address hacking in IP MASQ, making the life
+# with Diald and similar programs much easier.
+#
+#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
+
+
+IPTABLES=/sbin/iptables
+
+
+# DHCP: For people who receive their external IP address from either DHCP or BOOTP
+# such as ADSL or Cablemodem users, it is necessary to use the following
+# before the deny command. The "bootp_client_net_if_name" should be replaced
+# the name of the link that the DHCP/BOOTP server will put an address on to?
+# This will be something like "eth0", "eth1", etc.
+#
+# This example is currently commented out.
+#
+#
+#$IPCHAINS -A input -j ACCEPT -i bootp_clients_net_if_name -s 0/0 67 -d 0/0 68 -p udp
+
+# Enable simple IP forwarding and Masquerading
+#
+# NOTE: The following is an example for an internal LAN address in the 192.168.0.x
+# network with a 255.255.255.0 or a "24" bit subnet mask.
+#
+# Please change this network number and subnet mask to match your internal LAN setup
+#
diff --git a/playbooks/debian/roles/firewall/files/etc/network/functions.phd b/playbooks/debian/roles/firewall/files/etc/network/functions.phd
new file mode 100644
index 0000000..08f3718
--- /dev/null
+++ b/playbooks/debian/roles/firewall/files/etc/network/functions.phd
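Review bot: `echo 1 > /proc/sys/net/ipv4/ip_forward` turns on IPv4 forwarding unconditionally, which contradicts the README's "disable forward" and the `FORWARD DROP` policy set in iptables.sh; nothing else in this file is live (every modprobe and the `$IPCHAINS` rule are commented out, and no rule follows the final "Enable simple IP forwarding and Masquerading" comment), so the only effect of running rc.masq from the start path is to enable forwarding. Unless this host is meant to route, change it to `echo 0 > /proc/sys/net/ipv4/ip_forward` or drop the `/etc/init.d/rc.masq` call from iptables.sh; if routing is intended, add the `-t nat -A POSTROUTING ... -j MASQUERADE` rule and explicit FORWARD accepts so the intent is visible next to the sysctl. The `ip_masq_*` modules and ipchains syntax are 2.2-era and do not exist on a current Debian kernel, so a header comment such as `# Legacy ipchains-era template; only the ip_forward sysctl below is active` would save the next reader the archaeology.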
@@ -0,0 +1,61 @@
+IPTABLES=/sbin/iptables
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+my_ip() {
+ MYIP=$1
+
+ # Allow everything from this host
+ $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+
+ # Allow ICMP
+ $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+
+ # Allow ports >1024
+ $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
+ $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+}
+
+start_firewall() {
+ # Allow everything from localhost
+ $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+
+ # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
+ $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
+ $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
+ $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+
+ # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
+ $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
+ $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+
+ # FTP
+ $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+ # Allow ftp-data for active connections
+ #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+
+ # Track FTP connections to allow active and passive mode FTP
+ $IPTABLES -A INPUT -p tcp --sport 20 -m state --state 
ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+ MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
+ for ip in $MY_IP; do my_ip "$ip"; done
+}
diff --git a/playbooks/debian/roles/firewall/files/etc/network/if-down.d/eth b/playbooks/debian/roles/firewall/files/etc/network/if-down.d/eth
new file mode 100755
index 0000000..3e002ca
--- /dev/null
+++ b/playbooks/debian/roles/firewall/files/etc/network/if-down.d/eth
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /etc/init.d/iptables.sh start
diff --git a/playbooks/debian/roles/firewall/files/etc/network/if-up.d/eth b/playbooks/debian/roles/firewall/files/etc/network/if-up.d/eth
new file mode 100755
index 0000000..3e002ca
--- /dev/null
+++ b/playbooks/debian/roles/firewall/files/etc/network/if-up.d/eth
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /etc/init.d/iptables.sh start
diff --git a/playbooks/debian/roles/firewall/tasks/main.yml b/playbooks/debian/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..02d5b20
--- /dev/null
+++ b/playbooks/debian/roles/firewall/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: Install fail2ban
+ become: true
+ apt:
+ install_recommends: no
+ name: fail2ban
+ state: latest
+ update_cache: yes
+
+- name: Configure Debian firewall
+ become: true
+ copy:
+ src: etc
+ dest: /
+ owner: root
+ group: root
+ mode: '0750'
+ force: no
+
+- name: Fix permissions for /etc/network/functions
+ become: true
+ file:
+ path: /etc/network/functions.phd
+ mode: '0640'
+
+- name: Start Debian firewall
+ become: true
+ command: /etc/init.d/iptables.sh start
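Review bot: `$IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT` accepts NEW connections to any local port as long as the remote side uses source port 21, so anyone who binds port 21 can reach every TCP service not explicitly dropped earlier in the chain, bypassing the INPUT DROP policy; the host never needs NEW from port 21 (replies to its own outbound FTP control connections are ESTABLISHED), so change it to `--state ESTABLISHED,RELATED`. The same address-only trust appears in `-s 127.0.0.1 -j ACCEPT` and in `my_ip()`'s `-s $MYIP -j ACCEPT`: neither checks the interface, so a packet arriving on the wire with a spoofed source of 127.0.0.1 or the host's own address is accepted outright; replace both with `$IPTABLES -A INPUT -i lo -j ACCEPT` (and, if rp_filter cannot be relied on, `$IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP`). `-d $MYIP -p udp --dport 1024: -j ACCEPT` also opens every UDP port above 1024 to any sender, not just to replies, which is presumably broader than intended given that the file already uses `-m state` elsewhere; restricting it to `--state ESTABLISHED,RELATED` keeps DNS and NTP replies working while closing unsolicited UDP.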
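Review bot: `force: no` on the copy task means that once a host has been provisioned, later edits to functions.phd or iptables.sh in the repository are never written out -- the task reports ok and the final `command` restarts the firewall with the stale on-disk rules, so rule changes silently fail to deploy. Remove `force: no` (the module default replaces files whose content differs) and make the start a handler that the copy task notifies, which also stops the unconditional `command` task from reporting changed on every run. `state: latest` together with `update_cache: yes` upgrades fail2ban on every play run, so the role is not reproducible across hosts or runs; prefer `state: present` and handle upgrades in a deliberate maintenance play.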