cspark
/
Client-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Server firewall setup re-configuration

This commit is contained in:
cspark 2024-03-18 10:14:41 +00:00
parent 836384d474
commit 04ef639f55
1 changed files with 8 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

172
server-firewall-setup.yml
View File

@ -15,13 +15,16 @@
replace: 'nopass'
# Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network
- name: Accept inbound SSH only on internal and VM network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
source: "{{ item }}/24"
destination_port: 22
jump: ACCEPT
loop:
- 192.168.1.0
- 192.168.122.0
- name: Allow all outbound telnet, SSH on default port and SSH proxy server port
ansible.builtin.iptables:
chain: OUTPUT
@ -100,32 +103,6 @@
protocol: icmp
jump: ACCEPT
# SMB/SAMBA Service
- name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
- name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
# VPN to Proxy Server Configuration
- name: Accept inbound Wireguard connections only from proxy server
ansible.builtin.iptables:
@ -146,150 +123,17 @@
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 140.82.121.34
source: 140.82.121.33
destination_port: 443
jump: ACCEPT
- name: Allow outbound HTTPS only to Github Container Registry
- name: Allow all outbound HTTPS
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 140.82.121.34
destination: 140.82.121.33
destination_port: 443
jump: ACCEPT
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers)
# # Mail Service
# - name: Allow source (Inbound) local network traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Deny any other traffic on Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: "{{ item }}"
# jump: DROP
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# # Invidious Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Deny any other traffic on Invidious port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 3000
# jump: DROP
#
# # Minecraft Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Deny any other traffic on Minecraft port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 25565
# jump: DROP
#
- name: Reset doas configuration back to default
become: yes
template: