ppm/ansible-ppm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

initial commit

Browse source
This commit is contained in:
Peter 2024-10-16 21:13:17 +02:00
commit 6f50de798b
24 changed files with 1082 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

78
roles/baseline/templates/firewall.j2 Normal file
View file

@ -0,0 +1,78 @@
#!/bin/bash
# {{ ansible_managed }}
# IPv4:
iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv4" %}
iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
# IPv6:
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv6" %}
ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state INVALID -j DROP
# Disable all forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
# Customisation:
{# we use run-parts as it guarantees order and ignores backups etc. We use --list as it would otherwise run them concurently, causing iptables to exit with EAGAIN as changing the firewall is not possible by 2 prococesses #}
for i in $(run-parts --list /etc/firewall.d/)
do
$i
done
# Finish off with a block
iptables -A INPUT -j REJECT
ip6tables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT
# {{ansible_managed}}

6
roles/baseline/templates/mosh.j2 Normal file
View file

@ -0,0 +1,6 @@
#!/bin/sh
# {{ansible_managed}}
# Firewall to allow mosh sessions
ip6tables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT
iptables -A INPUT -p udp --match multiport --dports 60001:60020 -j ACCEPT