ppm/ansible-ppm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ansible-ppm/roles/baseline/templates/firewall.j2
Peter 03d9493e7a support closed ssh range
2026-05-30 19:30:12 +02:00

95 lines
2.8 KiB
Django/Jinja
Raw Blame History

#!/bin/bash
# This file is managed by ansible, do not modify!
# IPv4:
iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp -j ACCEPT
{% if firewall_ssh_ranges is defined %}
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv4" %}
iptables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
{% else %}
# This server has an open ssh policy
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
{% endif %}
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state INVALID -j DROP
# IPv6:
ip6tables -F
ip6tables -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -P INPUT ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m state --state INVALID -j DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m limit --limit 1/s --limit-burst 2 -p icmpv6 --icmpv6-type echo-request -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP
ip6tables -A INPUT -p icmpv6 -j ACCEPT
{% if firewall_ssh_ranges is defined %}
{% for range in firewall_ssh_ranges %}
{%if range.type=="ipv6" %}
ip6tables -A INPUT -p tcp --dport 22 -s {{range.range}} -j ACCEPT # {{range.name}}
{%endif%}
{%endfor%}
{% else %}
# This server has an open ssh policy
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
{% endif %}
ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state --state INVALID -j DROP
# Disable all forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
# Customisation:
{# we use run-parts as it guarantees order and ignores backups etc. We use --list as it would otherwise run them concurently, causing iptables to exit with EAGAIN as changing the firewall is not possible by 2 prococesses #}
for i in $(run-parts --list /etc/firewall.d/)
do
$i
done
# Finish off with a block
iptables -A INPUT -j REJECT
ip6tables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
ip6tables -A FORWARD -j REJECT
# Now *if* fail2ban has been installed, we would have destroyed it's setup.
# Restart it
if [ -e /etc/fail2ban/fail2ban.conf ]
then
systemctl restart fail2ban || true
fi
# This file is managed by ansible, do not modify!
Reference in a new issue View git blame Copy permalink