Add iptables role

2021-01-09 23:33:18 +01:00 · 2021-01-09 23:33:18 +01:00 · c3958894fb
parent 9cffaf1e54
commit c3958894fb
6 changed files with 115 additions and 0 deletions
--- a/roles/iptables/README.md
+++ b/roles/iptables/README.md
@ -0,0 +1,27 @@
+# iptables
+
+Installs and configures iptables.
+
+## Role variables
+
+* `iptables_become` - Default: true. Enable/disable the Ansible become
+  functionality.
+* `iptables_become_user` - Default: root. When using become functionality for
+  privilege escalation, this is the user with desired privileges you become.
+* `iptables_input_policy` - Default: drop. Policy of input chain.
+* `iptables_forward_policy` - Default: drop. Policy of forward chain.
+* `iptables_output_policy` - Default: drop. Policy of output chain.
+* `iptables_rules` - Default: []. List of rules.
+
+## Example playbook
+
+```yaml
+- hosts: my-server
+  vars:
+    iptables_output_policy: accept
+    iptables_rules:
+      - -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+      - -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+  roles:
+    - eriol.kit.iptables
+```
--- a/roles/iptables/defaults/main.yml
+++ b/roles/iptables/defaults/main.yml
@ -0,0 +1,9 @@
+---
+iptables_become: true
+iptables_become_user: root
+
+iptables_input_policy: drop
+iptables_forward_policy: drop
+iptables_output_policy: drop
+
+iptables_rules: []
--- a/roles/iptables/files/etc/network/if-pre-up.d/iptables
+++ b/roles/iptables/files/etc/network/if-pre-up.d/iptables
@ -0,0 +1,5 @@
+#!/bin/sh
+
+# Ansible managed.
+
+/sbin/iptables-legacy-restore < /etc/iptables.up.rules
--- a/roles/iptables/handlers/main.yml
+++ b/roles/iptables/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: load iptables rules
+  shell: /sbin/iptables-legacy-restore < /etc/iptables.up.rules
+  become: "{{ iptables_become }}"
+  become_user: "{{ iptables_become_user }}"
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@ -0,0 +1,45 @@
+---
+- block:
+
+  - name: install iptables
+    apt:
+      name: iptables
+      state: present
+      update_cache: true
+      cache_valid_time: 3600
+
+  - name: switch to iptables legacy as default
+    alternatives:
+      name: "{{ item.name }}"
+      path: "{{ item.path }}"
+    with_items:
+      - name: iptables
+        path: /usr/sbin/iptables-legacy
+      - name: ip6tables
+        path: /usr/sbin/ip6tables-legacy
+
+  - name: install /etc/iptables.up.rules
+    template:
+      src: etc/iptables.up.rules.j2
+      dest: /etc/iptables.up.rules
+      owner: root
+      group: root
+      mode: 0644
+    notify: load iptables rules
+    register: iptables_up_rules
+
+  - name: set iptables_rules_changed
+    set_fact:
+      iptables_rules_changed: true
+    when: iptables_up_rules.changed
+
+  - name: ensure iptables rules are started on reboot
+    copy:
+      src: etc/network/if-pre-up.d/iptables
+      dest: /etc/network/if-pre-up.d/iptables
+      owner: root
+      group: root
+      mode: 0750
+
+  become: "{{ iptables_become }}"
+  become_user: "{{ iptables_become_user }}"
--- a/roles/iptables/templates/etc/iptables.up.rules.j2
+++ b/roles/iptables/templates/etc/iptables.up.rules.j2
@ -0,0 +1,24 @@
+# Ansible managed
+
+*nat
+
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+COMMIT
+
+*filter
+
+:INPUT {{ iptables_input_policy | upper }} [0:0]
+:FORWARD {{ iptables_forward_policy | upper }} [0:0]
+:OUTPUT {{ iptables_output_policy | upper }} [0:0]
+
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+{% for rule in iptables_rules %}
+{{ rule }}
+{% endfor %}
+
+COMMIT