From 2a77515f5b771a15b8981bc77ea8d9503cb738d0 Mon Sep 17 00:00:00 2001
From: 0xdeadcode
Date: Sun, 27 Oct 2024 01:07:04 +0000
Subject: [PATCH 1/3] feat: implement firewall

---
 roles/firewall/defaults/main.yml              |  4 +++
 roles/firewall/tasks/main.yml                 | 36 +++++++++++++++++++
 .../templates/etc/iptables-restore.apply      | 21 +++++++++++
 ...tart_network.yaml => restart-network.yaml} |  0
 4 files changed, 61 insertions(+)
 create mode 100644 roles/firewall/defaults/main.yml
 create mode 100644 roles/firewall/tasks/main.yml
 create mode 100644 roles/firewall/templates/etc/iptables-restore.apply
 rename roles/vega_core/tasks/{restart_network.yaml => restart-network.yaml} (100%)

diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
new file mode 100644
index 0000000..cc8fb8a
--- /dev/null
+++ b/roles/firewall/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+firewall_chain_name: VEGA
+firewall_open_tcp: []
+firewall_open_udp: []
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
new file mode 100644
index 0000000..7ad16a4
--- /dev/null
+++ b/roles/firewall/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# How it works?
+# OUTPUT: allowed everywhere
+# INPUT: blocked all except 22 and specific ports
+
+- name: Uninstall unsupported firewalls
+  ansible.builtin.apt:
+    pkg:
+      - ufw
+      - firewalld
+    state: absent
+
+- name: Install iptables
+  ansible.builtin.apt:
+    pkg:
+      - iptables
+      - iptables-persistent
+    state: present
+
+- name: Template restore file
+  ansible.builtin.template:
+    src: "etc/iptables-restore.apply"
+    dest: "/etc/iptables-restore.apply"
+    owner: "root"
+    group: "root"
+    mode: "0644"
+  register: iptables_restore_file
+
+- name: Restore firewall state from a file
+  community.general.iptables_state:
+    state: restored
+    path: /etc/iptables-restore.apply
+    noflush: false
+    async: "{{ ansible_timeout }}"
+    poll: 0
+  when: iptables_restore_file.changed # noqa: no-handler
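Review bot: The ruleset applied by the `community.general.iptables_state` task is never persisted, so it is lost on the next reboot: `iptables-persistent` is installed, but it loads `/etc/iptables/rules.v4` at boot and nothing in this role writes that file from `/etc/iptables-restore.apply`, so the host comes back with the kernel's default ACCEPT policy on INPUT until the role runs again. Add a follow-up task such as `community.general.iptables_state: { state: saved, path: /etc/iptables/rules.v4 }` after the restore (or template straight to that path), and note that this task only covers IPv4 — an `ip_version: ipv6` counterpart is needed if IPv6 is enabled on these hosts. The `when: iptables_restore_file.changed` guard also means a ruleset that was flushed by hand or by another tool is not re-applied on subsequent runs unless the template itself changes; either restore unconditionally (the module is idempotent) or drive it from a handler. The `# How it works?` header would read better as a plain statement, e.g. `# Policy: OUTPUT accepted; INPUT dropped except SSH (22) and the ports listed in firewall_open_tcp/udp`.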
diff --git a/roles/firewall/templates/etc/iptables-restore.apply b/roles/firewall/templates/etc/iptables-restore.apply
new file mode 100644
index 0000000..b98fe0f
--- /dev/null
+++ b/roles/firewall/templates/etc/iptables-restore.apply
@@ -0,0 +1,21 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:VEGATCP - [0:0]
+:VEGAUDP - [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j VEGATCP
+-A INPUT -p tcp -j VEGAUDP
+
+{% for port in firewall_open_tcp %}
+-A VEGATCP -p tcp -m tcp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+
+{% for port in firewall_open_udp %}
+-A VEGAUDP -p udp -m udp --dport {{ port|int }} -j ACCEPT
+{% endfor %}
+COMMIT
diff --git a/roles/vega_core/tasks/restart_network.yaml b/roles/vega_core/tasks/restart-network.yaml
similarity index 100%
rename from roles/vega_core/tasks/restart_network.yaml
rename to roles/vega_core/tasks/restart-network.yaml

From 8a0d80a9854386f33db56a97640e81a99f360fad Mon Sep 17 00:00:00 2001
From: 0xdeadcode
Date: Sun, 27 Oct 2024 01:08:08 +0000
Subject: [PATCH 2/3] feat: remove unused variables

---
 roles/firewall/defaults/main.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/roles/firewall/defaults/main.yml b/roles/firewall/defaults/main.yml
index cc8fb8a..ed72722 100644
--- a/roles/firewall/defaults/main.yml
+++ b/roles/firewall/defaults/main.yml
@@ -1,4 +1,3 @@
 ---
-firewall_chain_name: VEGA
 firewall_open_tcp: []
 firewall_open_udp: []

From 674062f26f6c904073ed34a88360a0b01d761ba1 Mon Sep 17 00:00:00 2001
From: 0xdeadcode
Date: Sun, 27 Oct 2024 01:19:30 +0000
Subject: [PATCH 3/3] fix: mock community.general.iptables_state role

---
 .ansible-lint | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.ansible-lint b/.ansible-lint
index 45c4c5d..5607cbe 100755
--- a/.ansible-lint
+++ b/.ansible-lint
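Review bot: `-A INPUT -p tcp -j VEGAUDP` sends only TCP packets into the UDP chain, so the `-p udp` rules generated from `firewall_open_udp` can never match and every UDP port listed there stays dropped; the line should read `-A INPUT -p udp -j VEGAUDP`. Two more points in the same hunk: `-A INPUT -p udp -m udp --dport 53 -j ACCEPT` opens inbound DNS on every host unconditionally, which is only needed where a resolver is actually listening (replies to outbound lookups are already covered by the RELATED,ESTABLISHED rule), so it belongs in `firewall_open_udp` for those hosts rather than in the template; and `:FORWARD ACCEPT [0:0]` leaves forwarded traffic unfiltered on any host with IP forwarding enabled, so `:FORWARD DROP [0:0]` is the safer default unless routing is intended. This file is also IPv4-only — if IPv6 is enabled on these hosts an equivalent ip6tables ruleset is needed, otherwise IPv6 INPUT remains wide open. If Docker runs on any of these hosts (the lint config mocks `community.docker` modules, so presumably it does somewhere), be aware that restoring the whole `*filter` table with `noflush: false` discards the daemon's DOCKER chains until it restarts; that interaction should be documented at the top of the template, e.g. `# NOTE: full filter-table restore; re-run docker after applying on Docker hosts`.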
@@ -5,3 +5,4 @@ mock_modules:
   - community.postgresql.postgresql_user
   - community.postgresql.postgresql_owner
   - community.docker.docker_image
+  - community.general.iptables_state