Role to install iptables

iptables

Role to configure iptables.

WARNING: Be sure you know what you are doing: a bad rule set can lock you out of the machine. Keep a second SSH session open while the role runs, and check that the SSH port you rely on is accepted before any rule that drops traffic.

Requirements

Install the netaddr python package (needed by Ansible's ipaddr filter):

sudo apt-get install python-netaddr

Role Variables

  • keep_unmanaged: Use yes to keep the iptables rules that are not managed by the iptables_raw Ansible module. (Default: no)
  • internal_cidr: The server's LAN in CIDR notation (Default: the Ansible internal_netmask variable)
  • internal_interface: The server's LAN interface (Default: the Ansible ansible_default_ipv4.interface fact)
  • ssh_port: SSH port (Default: 22)
  • allow_forward: Allow IPv4 forwarding (IPv6 forwarding is disabled)

  • iptables: Dictionary containing the desired rules, split by address family

    • ipv4_rules: Dictionary containing the desired IPv4 rules
      • head: List of IPv4 iptables rules placed at the top of your rule set
      • custom: List of IPv4 iptables rules placed in the middle (this is where your own rules go)
      • tail: List of IPv4 iptables rules placed at the bottom of your rule set

    • ipv6_rules: Dictionary containing the desired IPv6 rules
      • head: List of IPv6 iptables rules placed at the top of your rule set
      • custom: List of IPv6 iptables rules placed in the middle (this is where your own rules go)
      • tail: List of IPv6 iptables rules placed at the bottom of your rule set

I've defined a series of default rule sets in vars/main.yml that you can use, based on Michael Rash's books. For reference, the original bash script they were derived from is kept in the repository as iptables_michael_rash_model.

  • default_accept: Set the default policy to ACCEPT; log & drop is then applied later by explicit rules (use with caution)
  • default_log_and_drop: Default log & drop policy (use with caution)
  • log: Logging rules
  • log_and_drop: Log and drop rules
  • state_tracking: These rules keep legitimate established connections open and mark as INVALID those that are not, for example packets from scanners that do not complete the TCP handshake
  • anti_spoofing: These rules flag as spoofed any packets whose source address is in the local CIDR but which do not arrive on the local interface
  • allow_loopback: Allow the loopback interface
  • allow_ssh_inbound_from_everywhere: Allow inbound SSH from everywhere
  • allow_ssh_inbound_from_internal: Allow inbound SSH only from the local interface
  • allow_ssh_outbound_to_everywhere: Allow outbound SSH to everywhere
  • allow_icmp: Allow inbound and outbound ICMP ping
  • allow_icmp_inbound: Allow inbound ICMP ping
  • allow_icmp_outbound: Allow outbound ICMP ping
  • allow_dns_outbound: Allow outbound DNS queries
  • allow_https_outbound: Allow outbound HTTPS traffic
  • allow_http_outbound: Allow outbound HTTP traffic
  • allow_tcp_outbound: Allow outbound TCP traffic to all ports
  • allow_docker: Allow Docker

Dependencies

None

Example playbook

- hosts: all
  roles:
    - iptables
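A fuller playbook than the one above, added here as an illustration and not taken from the role itself: it sets the variables described under Role Variables and fills head, custom and tail with raw rules for a web server. The 10.0.0.0/24 network, the eth0 interface, the port numbers and the rule strings are assumptions, and so is the rule format (the README only says the lists hold iptables rules); check vars/main.yml for the exact shape the role expects and for how the named default rule sets are wired in.

```yaml
# Added example playbook; not part of the role's own documentation.
# Assumptions: rules are iptables-save style strings, the LAN is
# 10.0.0.0/24 on eth0, SSH listens on 2222, the host serves HTTP/HTTPS.
- hosts: webservers
  become: yes
  roles:
    - role: iptables
      vars:
        ssh_port: 2222
        internal_cidr: 10.0.0.0/24
        internal_interface: eth0
        keep_unmanaged: no      # drop every rule this role does not manage
        allow_forward: no       # this host is not a router
        iptables:
          ipv4_rules:
            head:
              - '-A INPUT -i lo -j ACCEPT'
              - '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
              - '-A INPUT -m conntrack --ctstate INVALID -j DROP'
            custom:
              # SSH is accepted explicitly ahead of the tail DROP so a typo
              # elsewhere in the rule set cannot lock you out.
              - '-A INPUT -s 10.0.0.0/24 -p tcp --dport 2222 -m conntrack --ctstate NEW -j ACCEPT'
              - '-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'
              - '-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT'
            tail:
              # rate-limited log of what is about to be dropped, then drop
              - '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: "'
              - '-A INPUT -j DROP'
          ipv6_rules:
            head:
              - '-A INPUT -i lo -j ACCEPT'
              - '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
            custom:
              - '-A INPUT -p ipv6-icmp -j ACCEPT'   # neighbour discovery needs ICMPv6
            tail:
              - '-A INPUT -j DROP'
```

Run it from a session you can afford to lose and keep a second SSH session open: the tail DROP takes effect as soon as the rules are loaded, so confirm you can still log in before closing either session.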

Testing

To test the role you need molecule.

molecule test

(The tests cover only the default case; if you feel like it, add more test cases :))

Troubleshooting

Library not in path

If you see the following error:

exception: no action detected in task. This often indicates a misspelled module name, or incorrect module path.

It means that the library is not installed correctly. Look for the library path setting in your ~/.ansible.cfg and add the contents of this repository's library directory to it.

License

GPLv2

Author Information

Lyz (lyz@riseup.net)