Feat(RedHat): Add RedHat and redhatoids playbooks and roles

[ansible.git] / playbooks / redhat / roles / firewall / files / etc / network / functions.phd

diff --git a/playbooks/redhat/roles/firewall/files/etc/network/functions.phd b/playbooks/redhat/roles/firewall/files/etc/network/functions.phd
new file mode 100644 (file)
index 0000000..08f3718
--- /dev/null
+++ b/playbooks/redhat/roles/firewall/files/etc/network/functions.phd
@@ -0,0 +1,61 @@
+IPTABLES=/sbin/iptables
+PATH=/sbin:/bin:/usr/sbin:/usr/bin
+
+my_ip() {
+   MYIP=$1
+
+   # Allow everything from this host
+   $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+
+   # Allow ICMP
+   $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+
+   # Allow ports >1024
+   $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
+   $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+}
+
+start_firewall() {
+   # Allow everything from localhost
+   $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+
+   # Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
+   $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
+   $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
+   $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
+   $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+
+   # Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
+   $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
+   $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
+   $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
+   $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
+   $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
+   $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+
+   # FTP
+   $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+   # Allow ftp-data for active connections
+   #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+
+   # Track FTP connections to allow active and passive mode FTP
+   $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --sport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT
+   $IPTABLES -A INPUT -p tcp --dport 1024:65535  -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+   MY_IP=$(ip -o -4 addr show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
+   for ip in $MY_IP; do my_ip "$ip"; done
+}