ansible-ppm/roles/baseline/templates/firewall.j2

#!/bin/bash
# {{ ansible_managed }}
# IPv4:
iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv4" %}
iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
# IPv6:
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv6" %}
ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state INVALID -j DROP
# Disable all forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
# Customisation:
{# we use run-parts as it guarantees order and ignores backups etc. We use --list as it would otherwise run them concurently, causing iptables to exit with EAGAIN as changing the firewall is not possible by 2 prococesses #}
for i in $(run-parts --list /etc/firewall.d/)
do
$i
done
# Finish off with a block
iptables -A INPUT -j REJECT
ip6tables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT
# {{ansible_managed}}