diff --git a/defaults/main.yml b/defaults/main.yml index 2287c96..d19ab8b 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -29,6 +29,24 @@ iptables_sshd_allowed_from: # if the node is a firewall/gateway iptables_gw: false +# The "internal" interface of the gateway +iptables_gw_internal_iface: eth1 + +# The "external" interface of the gateway +iptables_gw_external_iface: eth0 + +# Default chain policies. This is only active on the filter table +iptables_default_input_policy: ACCEPT +iptables_default_forward_policy: ACCEPT +iptables_default_output_policy: ACCEPT + +# Add a default reject footer (you can do the same by setting the +# default_*_policy for the chains. This is here to support backwards compat +# with current systems that add a REJECT stanza for the INPUT and FORWARD +# chains +iptables_default_reject_footer: true + + # if it's a gw, what do we forward/allow (lists) iptables_forward_allow: - source: "192.168.0.0/24" @@ -59,4 +77,3 @@ ip6tables_sshd_allowed_from: ip6tables_forward_allow: - source: "::/0" destination: "::/0" - diff --git a/files/01-input-0_head b/files/01-input-0_head deleted file mode 100644 index f778d79..0000000 --- a/files/01-input-0_head +++ /dev/null @@ -1,9 +0,0 @@ - -*filter -:INPUT ACCEPT [0:0] -:FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [0:0] --A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT --A INPUT -p icmp -j ACCEPT --A INPUT -i lo -j ACCEPT - diff --git a/tasks/iptables-config.yml b/tasks/iptables-config.yml index c7dccf8..d58ea6f 100644 --- a/tasks/iptables-config.yml +++ b/tasks/iptables-config.yml 
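Review bot: The three new `iptables_default_*_policy` values are interpolated into the `:INPUT … [0:0]` policy lines of the head template unchecked, and iptables-restore only admits the built-in targets ACCEPT and DROP as a chain policy, so a value such as REJECT fails the whole restore; the comment should spell out the valid values. The defaults also fail open in combination: with all three policies left at ACCEPT, setting `iptables_default_reject_footer: false` removes the only deny for INPUT and FORWARD, and the unclosed parenthesis in the comment above it hides exactly that trade-off. Suggested comment block above `iptables_default_reject_footer`: `# Append a REJECT footer to INPUT and FORWARD (kept for backwards compat with systems that relied on it).` followed by `# If you disable it, set the *_policy variables above to DROP, otherwise those chains are left open.` The `eth0`/`eth1` interface defaults match nothing on hosts with predictable interface names (ens*, enp*), so the new conntrack rules in templates/98-forward-11-allow.j2 would silently never apply there; consider defaulting from `ansible_default_ipv4.interface` or documenting that both must be set per host.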
@@ -25,12 +25,18 @@ with_items: - 99-filter-commit - 98-forward-0_head - - 98-forward-z_foot - - 01-input-0_head - - 01-input-z_foot - 00-nat-0_head - 00-nat-commit +- name: Dropping templated iptables rules + template: + src: "{{ item }}.j2" + dest: "/etc/sysconfig/iptables.d/{{ item }}" + with_items: + - 01-input-0_head + - 01-input-z_foot + - 98-forward-z_foot + - name: Configuring incoming sshd allowed IP template: src: 01-input-service-default-sshd.policy.j2 diff --git a/templates/01-input-0_head.j2 b/templates/01-input-0_head.j2 new file mode 100644 index 0000000..53678ab --- /dev/null +++ b/templates/01-input-0_head.j2 @@ -0,0 +1,10 @@ + +*filter +:INPUT {{ iptables_default_input_policy }} [0:0] +:FORWARD {{ iptables_default_forward_policy }} [0:0] +:OUTPUT {{ iptables_default_output_policy }} [0:0] +-A INPUT -p icmp -j ACCEPT +-A INPUT -i lo -j ACCEPT +#-A OUTPUT -o eth0 -j ACCEPT + +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT diff --git a/files/01-input-z_foot b/templates/01-input-z_foot.j2 similarity index 67% rename from files/01-input-z_foot rename to templates/01-input-z_foot.j2 index 8e7fbef..a0e2cae 100644 --- a/files/01-input-z_foot +++ b/templates/01-input-z_foot.j2 @@ -1,4 +1,4 @@ - +{% if iptables_default_reject_footer -%} # End of computed iptables rules, so denying all the rest -A INPUT -j REJECT --reject-with icmp-host-prohibited - +{% endif %} diff --git a/templates/98-forward-11-allow.j2 b/templates/98-forward-11-allow.j2 index 6f711e5..e98c1a3 100644 --- a/templates/98-forward-11-allow.j2 +++ b/templates/98-forward-11-allow.j2 @@ -1,3 +1,5 @@ +-A FORWARD -i {{ iptables_gw_external_iface }} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A FORWARD -i {{ iptables_gw_internal_iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT {% for rule in iptables_forward_allow %} {% if rule.protocol is defined -%} 
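Review bot: The new `Dropping templated iptables rules` task carries no `notify`, so a change to a chain policy or the reject footer re-renders the fragments but does not trigger whatever handler assembles and loads /etc/sysconfig/iptables.d; the handler name is not visible in this hunk, but if the sibling template tasks notify one, this task should too. The `template` call also sets no `mode`/`owner`/`group`, so the rendered rule fragments get the umask default; `mode: "0600"`, `owner: root`, `group: root` would match the permissions the rest of the role presumably uses — confirm against the copy task above, whose attributes start outside the hunk. As a style point, "Dropping" reads as a DROP action in a firewall role; `- name: Installing templated iptables rules` avoids the ambiguity.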
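Review bot: The OUTPUT chain now takes its policy from `iptables_default_output_policy`, but nothing in this head accepts loopback or established traffic on OUTPUT, so setting that policy to DROP cuts off the host's own replies; the commented-out `#-A OUTPUT -o eth0 -j ACCEPT` line also hard-codes `eth0` where the new `iptables_gw_external_iface` variable exists. Either add `-A OUTPUT -o lo -j ACCEPT` and `-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` next to the INPUT rules, or document in defaults/main.yml that the OUTPUT policy must stay ACCEPT, and drop the dead comment either way. The policy placeholders are rendered without validation, so a typo in any of the three variables breaks the whole restore rather than one rule. This head keeps the older `-m state --state` match while the new FORWARD rules in templates/98-forward-11-allow.j2 use `-m conntrack --ctstate`; pick one form for the role.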
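Review bot: `{% if iptables_default_reject_footer -%}` tests plain Jinja truthiness, so a value supplied as a string from inventory or `-e` (for example `"false"`) is non-empty and still emits the footer; `{% if iptables_default_reject_footer | bool -%}` evaluates it the way the rest of Ansible does. The same guard in templates/98-forward-z_foot.j2 has the same issue. A one-line comment in the template noting that the fallback when this footer is disabled is the INPUT chain policy from defaults/main.yml would help whoever toggles it.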
diff --git a/files/98-forward-z_foot b/templates/98-forward-z_foot.j2
similarity index 51%
rename from files/98-forward-z_foot
rename to templates/98-forward-z_foot.j2
index d5edb37..deffcbb 100644
--- a/files/98-forward-z_foot
+++ b/templates/98-forward-z_foot.j2
@@ -1 +1,3 @@
+{% if iptables_default_reject_footer -%}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+{% endif %}