diff --git a/README.md b/README.md index 234d9c9..aa0cb60 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,13 @@ This role for those who has a good knowledges of iptables and prefer to write co Also, role operates with firewall lists and allows to define group and custom variables for fine tuning of your servers. For example, you can create default lists of rulesets and place them to group_vars or some global variables, then you can specify which rulesets are enabled per hosts or group. +As long IPv6 comes to our live, it's important to have ability to configure IPv6 firewall rules. +You have two separate variables to define IPv4 and IPv6 rules. Please look into `default/main.yml` +Keep in mind, that by variable `iptables_rules_v6_enabled` triggers settings an IPv6 firewall rules. + +In case if you have docker you can enable setting of docker chains by this variables `iptables_roles_v4_docker` and `iptables_roles_v6_docker`. +It can be important in case if you need to hide services running inside docker. Example of Docker rules see in Role variables. + Requirements ------------ @@ -20,8 +27,8 @@ Role Variables Available variables are listed below, along with default values (see defaults/main.yml): ``` -### list of default rulesets - filter table -iptables_rules_default: +### list of IPv4 default rulesets - filter table +iptables_rules_v4_default: initial: - INPUT -i lo -j ACCEPT - INPUT -p icmp --icmp-type echo-request -j ACCEPT @@ -38,6 +45,8 @@ iptables_rules_default: - INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT https: - INPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT + docker: + DOCKER-USER -i {{ iptables_docker_interface }} -p tcp -m tcp --dport 3306 -j DROP reject: - INPUT -j REJECT --reject-with icmp-host-prohibited 
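Review bot: The Docker variable names advertised in the new paragraph, `iptables_roles_v4_docker` and `iptables_roles_v6_docker`, do not match the rest of the commit: defaults/main.yml defines `iptables_roles_v4_docker` and `iptables_rules_v6_docker`, templates/iptables_v6.j2 tests `iptables_rules_v6_docker`, and templates/iptables_v4.j2 tests `iptables_rules_v4_docker` in its nat section but `iptables_roles_v4_docker` in its filter section. A reader following this text for IPv6 sets a variable nothing reads, so the DOCKER-USER chain is silently not declared and a rule appended to it would be rejected by ip6tables-restore; `iptables_rules_v4_docker` is defined nowhere, so rendering the nat section with nat rules enabled presumably fails on an undefined variable under Ansible's default strict templating. Every other variable in the role is spelled `iptables_rules_*`, so I would settle on `iptables_rules_v4_docker` and `iptables_rules_v6_docker` here, in defaults/main.yml and in the filter section of iptables_v4.j2. This note covers the defaults/main.yml hunk and both template hunks as well.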
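Review bot: The new `docker:` entry in the `iptables_rules_v4_default` example is a plain string, not a one-item list like the `http:` and `https:` groups around it. templates/iptables_v4.j2 iterates `for rule in ...[group]`, and iterating a string in Jinja yields one character per step, so enabling this group would render `-A D`, `-A O`, … and iptables-restore would reject the file. Make it a list item: `- DOCKER-USER -i {{ iptables_docker_interface }} -p tcp -m tcp --dport 3306 -j DROP`.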
@@ -46,31 +55,35 @@ iptables_rules_nat_default: snat: - POSTROUTING -s 192.168.0.0/24 -o extInt -j SNAT --to-source my_real_ip +iptables_rules_v6_default: + initial: + - INPUT -i lo -j ACCEPT + - INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT + - INPUT -m conntrack --ctstate INVALID -j DROP + - INPUT -s ::1/128 ! -i lo -j DROP + ssh: + - INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT + reject: + - INPUT -j REJECT --reject-with icmp6-adm-prohibited ### list of actual rulesets # Required for combine filter. # Redefine it according to your actual settings -iptables_rules: - whitelist: [] -iptables_rules_nat: - snat: [] - +iptables_rules_v6: + whitelist: [] ### enabled rules -iptables_rules_enabled: +iptables_rules_v6_enabled: - initial - whitelist - ssh - reject - -### enabled rules for nat table -iptables_rules_nat_enabled: [] - ``` You can define as many lists as you want for different groups and servers, and activate them via -`iptables_rules_enabled` variable. +`iptables_rules_v4_enabled` and `iptables_rules_v6_enabled` variables. +Where `iptables_docker_interface` that is an interface, which looks into internet. Dependencies ------------ @@ -91,15 +104,15 @@ Example Playbook Inside *vars/main.yml:* ``` # define lists: -iptables_rules: - whitelist: - - INPUT -s 192.168.33.0/24 -j ACCEPT +iptables_rules_v4: + whitelist: + - INPUT -s 192.168.33.0/24 -j ACCEPT custom: - INPUT -p tcp -m tcp --dport 8443 -m state --state NEW -j ACCEPT # enabled rules order take matter! -iptables_rules_enabled: +iptables_rules_v4_enabled: - initial - whitelist - http 
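Review bot: The new `iptables_rules_v6_default` example has no rule accepting ICMPv6 before the closing `INPUT -j REJECT --reject-with icmp6-adm-prohibited`. Unlike IPv4, IPv6 depends on ICMPv6 for neighbour discovery and path-MTU discovery, and an inbound neighbour solicitation is not RELATED/ESTABLISHED, so a host loaded with this ruleset can stop answering its neighbours and lose IPv6 reachability, including for the `ssh` group it allows. Add at least `- INPUT -p ipv6-icmp -j ACCEPT` to the `initial` group (the v4 example at least admits echo-request). The hunk also removes `iptables_rules:`, `iptables_rules_nat:`, `iptables_rules_enabled:` and `iptables_rules_nat_enabled:` from the variable listing but adds only the v6 replacements, so `iptables_rules_v4`, `iptables_rules_v4_nat`, `iptables_rules_v4_enabled` and `iptables_rules_v4_nat_enabled`, which defaults/main.yml does define, are no longer documented here.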
@@ -108,6 +121,43 @@ iptables_rules_enabled: - reject ``` +If you use Docker(or other service) +----------------------------------- + +**Important:** in case if you have Docker and you set some rules or no do not set rules, it's important to +restart this service after iptables rules was applied. + +For example you have fail2ban and docker services, which also interact with an iptables: + +``` +--- +- hosts: all + + become: yes + + roles: + - iptables + + tasks: + - name: Populate service facts + service_facts: + + - name: Restart fail2ban # noqa 503 + become: yes + service: + name: fail2ban + state: restarted + when: "'fail2ban' in services" + + - name: Restart docker # noqa 503 + become: yes + service: + name: docker + state: restarted + when: "'docker.service' in services" +``` + +Here we run iptables role and then restart services, in order to restore they iptables rules. License ------- diff --git a/defaults/main.yml b/defaults/main.yml index 21908e7..e16ad47 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -1,23 +1,35 @@ --- ### list of default rulesets - filter table -iptables_rules_default: {} +iptables_rules_v4_default: {} +iptables_rules_v6_default: {} ### list of default rulesets - nat table -iptables_rules_nat_default: {} +iptables_rules_v4_nat_default: {} ### list of actual rulesets # Required for combine filter. # Redefine it according to your actuall settings -iptables_rules: {} -iptables_rules_nat: {} - +iptables_rules_v4: {} +iptables_rules_v4_nat: {} + +iptables_rules_v6: {} + ### enabled rules -iptables_rules_enabled: [] +iptables_rules_v4_enabled: [] +iptables_rules_v6_enabled: [] ### enabled rules for nat table -iptables_rules_nat_enabled: [] +iptables_rules_v4_nat_enabled: [] + +### +iptables_show_rules_v4: false +iptables_show_rules_v6: false + +### +iptables_roles_v4_docker: false +iptables_rules_v6_docker: false ### -iptables_show_rules: false +# iptables_docker_interface: eth0 
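Review bot: The example play restarts fail2ban and docker from `tasks:`, but the role's template tasks only `notify: restart iptables`, and handlers run after all tasks of the play, so the services are restarted first and the rule reload that flushes the tables comes afterwards, recreating the loss of Docker and fail2ban chains this section is trying to avoid. Put `- meta: flush_handlers` as the first task, before `Populate service facts`, so the new ruleset is loaded before the restarts. The two conditions also test different key forms, `'fail2ban' in services` versus `'docker.service' in services`; `service_facts` reports systemd units with the `.service` suffix, so the first one presumably needs `'fail2ban.service' in services` on systemd hosts — worth confirming on a target.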
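Review bot: `# iptables_docker_interface: eth0` is left commented out with no explanation, while the README's `docker` ruleset interpolates `{{ iptables_docker_interface }}`, so enabling that group without defining the variable would presumably fail the template task on an undefined variable rather than produce a rule. A comment such as `# Internet-facing interface used by the docker ruleset; must be set when that ruleset is enabled` would make the requirement visible, and the two bare `###` headings above `iptables_show_rules_v4` and `iptables_roles_v4_docker` should say what they label, e.g. `### print the loaded rule sets after applying` and `### declare Docker's chains in the generated rule files`.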
diff --git a/tasks/main.yml b/tasks/main.yml
index 1798921..ba1295d 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Include OS-specific variables.
 include_vars: "{{ item }}"
 with_first_found:
@@ -13,15 +12,25 @@
 when: ansible_os_family == 'Debian'
 # OS independent tasks
-- name: Configure template
+- name: Configure template iptables_v6
 template:
- src: iptables.j2
- dest: "{{ iptables_config }}"
+ src: iptables_v4.j2
+ dest: "{{ iptables_v4_config }}"
 owner: root
 group: root
 mode: 0640
 notify: restart iptables
+- name: Configure template iptables_v6
+ template:
+ src: iptables_v6.j2
+ dest: "{{ iptables_v6_config }}"
+ owner: root
+ group: root
+ mode: 0640
+ notify: restart iptables
+ when: iptables_rules_v6_enabled | length > 0
+
 - name: Ensure iptables service is enabled
 service:
 name: "{{ iptables_service }}"
@@ -30,14 +39,19 @@
 changed_when: false
 - block:
- - name: Check firewall rules
+ - name: Check firewall rules_v4
+ shell: >
+ iptables -L -n -v
+ register: rules_v4
+ - debug: var=rules_v4.stdout_lines
+ - name: Check firewall rules_v6
 shell: >
- iptables -L -n -v
- register: command
- - debug: var=command.stdout_lines
- when: iptables_show_rules == true
+ ip6tables -L -n -v
+ register: rules_v6
+ - debug: var=rules_v6.stdout_lines
+ when: iptables_show_rules_v6 == true
 #- name: Check firewall config
-# shell: cat "{{ iptables_config }}"
+# shell: cat "{{ iptables_v4_config }}"
 # register: command
 #- debug: msg={{command.stdout_lines}}
diff --git a/templates/iptables.j2 b/templates/iptables.j2
deleted file mode 100644
index 6ba484a..0000000
--- a/templates/iptables.j2
+++ /dev/null
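Review bot: The v4 template task is now named `Configure template iptables_v6`, identical to the new IPv6 task below it; it should read `- name: Configure template iptables_v4`, otherwise the play output cannot show which file was written. More importantly, the new `when: iptables_rules_v6_enabled | length > 0` means that with the default empty list nothing is ever written to `iptables_v6_config`, so on a dual-stack host the IPv4 ruleset is enforced while IPv6 stays in whatever state the host already had, and a service filtered on v4 can remain reachable over v6. Either always render the v6 file so the IPv6 state is managed and visible, or state in the README next to `iptables_rules_v6_enabled` that IPv6 is left untouched unless that list is non-empty. The copied `mode: 0640` would also be safer as `"0640"`, since an unquoted leading-zero integer is octal only under YAML 1.1 parsing.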
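Review bot: The single block-level `when: iptables_show_rules_v6 == true` now gates the v4 listing as well, so `iptables_show_rules_v4`, which defaults/main.yml adds in this commit, is never consulted and the IPv4 rules are printed only when the IPv6 flag is set. Splitting into two blocks with their own condition fixes that; while there, `command:` suffices for these fixed argument lists (no shell features are used) and `changed_when: false` stops a read-only listing from reporting a change on every run. Rewritten lines below.
```yaml
- block:
    - name: Check firewall rules_v4
      command: iptables -L -n -v
      register: rules_v4
      changed_when: false
    - debug: var=rules_v4.stdout_lines
  when: iptables_show_rules_v4 | bool

- block:
    - name: Check firewall rules_v6
      command: ip6tables -L -n -v
      register: rules_v6
      changed_when: false
    - debug: var=rules_v6.stdout_lines
  when: iptables_show_rules_v6 | bool
# … unchanged: commented-out "Check firewall config" tasks …
```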
@@ -1,30 +0,0 @@
-# iptables configuration
-# managed by Ansible
-
-{% if iptables_rules_nat_enabled %}
-# Nat-related rules
-*nat
-:PREROUTING ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% for group in iptables_rules_nat_enabled %}
-{% for rule in (iptables_rules_nat_default|combine(iptables_rules_nat, recursive=True))[group] %}
--A {{ rule }}
-{% endfor %}
-{% endfor %}
-COMMIT
-# End nat-related rules.
-{% endif %}
-
-# Filter-related rules
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-{% for group in iptables_rules_enabled %}
-{% for rule in (iptables_rules_default|combine(iptables_rules, recursive=True))[group] %}
--A {{ rule }}
-{% endfor %}
-{% endfor %}
-COMMIT
-# End filter-related rules.
diff --git a/templates/iptables_v4.j2 b/templates/iptables_v4.j2
new file mode 100644
index 0000000..481ace2
--- /dev/null
+++ b/templates/iptables_v4.j2
@@ -0,0 +1,39 @@
+# iptables configuration
+# managed by Ansible
+
+{% if iptables_rules_v4_nat_enabled %}
+# Nat-related rules
+*nat
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+{% if iptables_rules_v4_docker %}
+:DOCKER - [0:0]
+{% endif %}
+{% for group in iptables_rules_v4_nat_enabled %}
+{% for rule in (iptables_rules_v4_nat_default|combine(iptables_rules_v4_nat, recursive=True))[group] %}
+-A {{ rule }}
+{% endfor %}
+{% endfor %}
+COMMIT
+# End nat-related rules.
+{% endif %}
+
+# Filter-related rules
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+{% if iptables_roles_v4_docker %}
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-USER - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+{% endif %}
+{% for group in iptables_rules_v4_enabled %}
+{% for rule in (iptables_rules_v4_default|combine(iptables_rules_v4, recursive=True))[group] %}
+-A {{ rule }}
+{% endfor %}
+{% endfor %}
+COMMIT
+# End filter-related rules.
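Review bot: The filter section declares `:DOCKER-USER - [0:0]` and the other Docker chains, but nothing in the template adds a `-A FORWARD -j DOCKER-USER` jump, and `*filter … COMMIT` replaces the whole table when restored, so a DROP placed in DOCKER-USER (the README's port-3306 example) is unreachable until Docker re-inserts its jump — presumably what the README's restart-docker step relies on. A header comment would spare the next reader that trace: `# Docker chains are declared empty so user rules can reference DOCKER-USER; Docker re-populates them and the FORWARD jump when it restarts`. Note also that the condition here is `iptables_roles_v4_docker` while the nat section above uses `iptables_rules_v4_docker`; the naming fix is raised on the README hunk.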
diff --git a/templates/iptables_v6.j2 b/templates/iptables_v6.j2
new file mode 100644
index 0000000..4b1faac
--- /dev/null
+++ b/templates/iptables_v6.j2
@@ -0,0 +1,21 @@
+# iptables configuration
+# managed by Ansible
+
+# Filter-related rules
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+{% if iptables_rules_v6_docker %}
+:DOCKER - [0:0]
+:DOCKER-ISOLATION-STAGE-1 - [0:0]
+:DOCKER-USER - [0:0]
+:DOCKER-ISOLATION-STAGE-2 - [0:0]
+{% endif %}
+{% for group in iptables_rules_v6_enabled %}
+{% for rule in (iptables_rules_v6_default|combine(iptables_rules_v6, recursive=True))[group] %}
+-A {{ rule }}
+{% endfor %}
+{% endfor %}
+COMMIT
+# End filter-related rules.
diff --git a/vars/Debian.yml b/vars/Debian.yml
index 92ad0b6..7a4ea3d 100644
--- a/vars/Debian.yml
+++ b/vars/Debian.yml
@@ -3,4 +3,5 @@ iptables_pkgs:
 - iptables
 - iptables-persistent
 iptables_service: netfilter-persistent
-iptables_config: '/etc/iptables/rules.v4'
+iptables_v4_config: '/etc/iptables/rules.v4'
+iptables_v6_config: '/etc/iptables/rules.v6'
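Review bot: The header comment `# iptables configuration` is copied from the v4 template, but this file is the one restored by ip6tables into `rules.v6`, and the two generated files are otherwise hard to tell apart on the host. `# ip6tables (IPv6) configuration` above `# managed by Ansible` would make that explicit for anyone reading /etc/iptables directly.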