initial upload

2025-10-10 11:07:34 +00:00
commit 6224cd01c6
161 changed files with 8964 additions and 0 deletions
--- a/roles/firewall/templates/rules-v4.d/10_conntrack.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/10_conntrack.sh.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow established connections
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--- a/roles/firewall/templates/rules-v4.d/15_local.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/15_local.sh.j2
@@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+# Allow all traffic from localhost
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
--- a/roles/firewall/templates/rules-v4.d/17_monitoring.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/17_monitoring.sh.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+iptables -N monitoring-in
+
+{% for srcip in firewall_monitoring_ips|default([]) %}
+iptables -A INPUT -s {{ srcip }} -j monitoring-in
+{% endfor %}
--- a/roles/firewall/templates/rules-v4.d/18_internal.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/18_internal.sh.j2
@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+{% if datacenter_global_networks is defined %}
+iptables -N internal-in
+{% if firewall_allow_internal_dns %}
+iptables -A internal-in -p tcp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+iptables -A internal-in -p udp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+{% endif %}
+
+{% for srcip in datacenter_global_networks + datacenter_public_networks %}
+iptables -A INPUT -s {{ srcip }} -j internal-in
+{% endfor %}
+
+iptables -N internal-out
+iptables -A internal-out -p tcp -m multiport --dports 53,80,443,2181,3306:3310,8086,10231 -m comment --comment "common-services" -j ACCEPT
+iptables -A internal-out -p udp --dport 53 -m comment --comment "common-dns" -j ACCEPT
+iptables -A internal-out -p tcp --dport 10514 -m owner --uid-owner 0 -m comment --comment "syslog" -j ACCEPT
+iptables -A internal-out -p icmp -j ACCEPT
+
+{% for dstip in datacenter_global_networks + datacenter_public_networks %}
+iptables -A OUTPUT -d {{ dstip }} -j internal-out
+{% endfor %}
+
+{% endif %}
--- a/roles/firewall/templates/rules-v4.d/20_whitelist.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/20_whitelist.sh.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+{% if firewall_whitelist_ip %}
+# Whitelist IPs
+{% for ip in firewall_whitelist_ip %}
+iptables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{% endfor %}
+{% endif %}
--- a/roles/firewall/templates/rules-v4.d/22_ssh.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/22_ssh.sh.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow SSH only from IPs:
+iptables -N ssh-in
+{% for ip in firewall_ssh_acl|default([]) + firewall_ssh_acl_extra|default([]) %}
+iptables -A ssh-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 22 -m comment --comment "ssh" -j ssh-in
--- a/roles/firewall/templates/rules-v4.d/24_influxdb.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/24_influxdb.sh.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow InfluxDB Replication only from IPs:
+iptables -N influx-in
+{% for ip in firewall_influx_acl|default([]) + firewall_influx_acl_extra|default([]) %}
+iptables -A influx-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 8086 -m comment --comment "influx" -j influx-in
--- a/roles/firewall/templates/rules-v4.d/33_mariadb.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/33_mariadb.sh.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+# Allow MariaDB Replication only from IPs:
+iptables -N mariadb-in
+{% for ip in firewall_mariadb_acl|default([]) + firewall_mariadb_acl_extra|default([]) %}
+iptables -A mariadb-in -s {{ ip }} -j ACCEPT
+{% endfor %}
+iptables -A INPUT -p tcp --dport 3306 -m comment --comment "mariadb" -j mariadb-in
--- a/roles/firewall/templates/rules-v4.d/50_custom.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/50_custom.sh.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+{{ firewall_custom_ipv4_rules }}
--- a/roles/firewall/templates/rules-v4.d/85_whitelist.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/85_whitelist.sh.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+{% if firewall_late_whitelist_ip %}
+# Whitelist IPs
+{%   for ip in firewall_late_whitelist_ip %}
+iptables -A INPUT -s {{ ip }} -m comment --comment "whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}
+
+{% if firewall_whitelist_office_ip and firewall_whitelist_office_ports %}
+# Offices  TODO remove
+{%   for ip in firewall_whitelist_office_ip %}
+iptables -A INPUT -s {{ ip }} -p tcp -m multiport --dports "{{ firewall_whitelist_office_ports | join(',') }}" -m comment --comment "office-whitelist" -j ACCEPT
+{%   endfor %}
+{% endif %}
--- a/roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2
@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+
+{% if firewall_output_default_drop or firewall_output_whitelist_ipv4 %}
+{%   for ip in network_nameservers + ['8.8.8.8'] if ip|ipv4 %}
+{%     if loop.first %}
+# Allow DNS
+{%     endif %}
+iptables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
+iptables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
+{%   endfor %}
+
+if getent group postfix >/dev/null 2>&1; then
+	# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
+	iptables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
+fi
+
+{%   if not (firewall_output_learning or firewall_output_whitelist_ipv4) %}
+# Permit outbound HTTP for user _apt
+iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
+
+# Permit outbound SSH for normal users
+iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
+
+# Allow all outbound traffic for the root user
+iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
+{%   endif %}
+
+{%   for ip in datacenter_global_networks|default([]) + datacenter_all_networks|default([]) %}
+iptables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
+{%   endfor %}
+
+{%   if firewall_output_whitelist_domains %}
+# Outbound ACL for whitelist
+if [ -r /etc/firewall/outbound_whitelist_ipv4.acl ]; then
+
+	ipset -exist create outbound-whitelist hash:net counters comment
+	ipset flush outbound-whitelist
+	grep -v '^#' /etc/firewall/outbound_whitelist_ipv4.acl | while read ip name; do
+		ipset -exist add outbound-whitelist "$ip" comment "$name"
+	done < /etc/firewall/outbound_whitelist_ipv4.acl
+
+#	iptables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
+fi
+{%   endif %}
+
+{%   if firewall_output_whitelist_ipv4 %}
+# Outbound ACL for whitelist
+iptables -N outbound-whitelist
+{%     for item in firewall_output_whitelist_ipv4 %}
+iptables -A outbound-whitelist -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
+{%     endfor %}
+iptables -A OUTPUT -j outbound-whitelist
+{%   endif %}
+
+{%   if firewall_output_learning %}
+
+ipset -exist create outbound hash:ip counters
+
+iptables -A OUTPUT -p tcp --syn -m set --match-set outbound dst -j ACCEPT
+iptables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
+
+iptables -A OUTPUT -p tcp --syn -j SET --add-set outbound dst
+iptables -A OUTPUT -p udp -j SET --add-set outbound dst
+
+iptables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
+
+{%   endif %}
+
+{% endif %}
--- a/roles/firewall/templates/rules-v4.d/90_drop_all.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/90_drop_all.sh.j2
@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+
+{% if firewall_input_default_drop %}
+# Allow Safe ICMP
+iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+#iptables -A INPUT -p icmp --icmp-type redirect -j ACCEPT
+iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
+# Drop everything else
+iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
+iptables -A INPUT -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} INPUT DROP: " --log-level 5
+iptables -A INPUT -j DROP
+{% endif %}
+
+{% if firewall_output_default_drop %}
+# Allow Safe ICMP
+iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
+#iptables -A OUTPUT -p icmp --icmp-type redirect -j ACCEPT
+iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
+
+# Drop everything else
+iptables -A OUTPUT -p tcp --syn -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+iptables -A OUTPUT ! -p tcp -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} OUTPUT DROP: " --log-level 5 --log-uid
+iptables -A OUTPUT -j REJECT
+{% endif %}
--- a/roles/firewall/templates/rules-v4.d/95_fail2ban.sh.j2
+++ b/roles/firewall/templates/rules-v4.d/95_fail2ban.sh.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+# Restart fail2ban
+if systemctl -q is-active fail2ban.service; then
+	systemctl try-restart fail2ban.service
+fi