diff --git a/server-firewall-setup.yml b/server-firewall-setup.yml index 55c421e..4dd0302 100755 --- a/server-firewall-setup.yml +++ b/server-firewall-setup.yml @@ -15,13 +15,16 @@ replace: 'nopass' # Telnet/SSH Configuration - - name: Accept inbound SSH only on internal network + - name: Accept inbound SSH only on internal and VM network ansible.builtin.iptables: chain: INPUT protocol: tcp - source: 192.168.1.0/24 + source: "{{ item }}/24" destination_port: 22 jump: ACCEPT + loop: + - 192.168.1.0 + - 192.168.122.0 - name: Allow all outbound telnet, SSH on default port and SSH proxy server port ansible.builtin.iptables: chain: OUTPUT @@ -100,32 +103,6 @@ protocol: icmp jump: ACCEPT - # SMB/SAMBA Service - - name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - source: 192.168.1.0/24 - destination_port: "{{ item }}" - jump: ACCEPT - loop: - - 445 - - 139 - - 138 - - 137 - - name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network - ansible.builtin.iptables: - chain: OUTPUT - protocol: tcp - destination: 192.168.1.0/24 - destination_port: "{{ item }}" - jump: ACCEPT - loop: - - 445 - - 139 - - 138 - - 137 - # VPN to Proxy Server Configuration - name: Accept inbound Wireguard connections only from proxy server ansible.builtin.iptables: 
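Review bot: The `/24` prefix is fixed in the template while the loop carries only the network address, so `source: "{{ item }}/24"` silently gives every future loop entry a /24 mask even if a different size is meant; looping over complete CIDR strings (`- 192.168.1.0/24`, `- 192.168.122.0/24`) with `source: "{{ item }}"` keeps each entry self-describing. The widened rule also lets every host on 192.168.122.0/24 reach the server's SSH port, and if that network is the VM bridge the task name suggests, a comment above the loop such as `# every guest on 192.168.122.0/24 is trusted to reach SSH on the host` would record the trust decision next to the rule. The task list this rule belongs to continues outside the hunk.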
@@ -146,150 +123,17 @@ ansible.builtin.iptables: chain: INPUT protocol: tcp - source: 140.82.121.34 + source: 140.82.121.33 destination_port: 443 jump: ACCEPT - - name: Allow outbound HTTPS only to Github Container Registry + - name: Allow all outbound HTTPS ansible.builtin.iptables: chain: OUTPUT protocol: tcp - destination: 140.82.121.34 + destination: 140.82.121.33 destination_port: 443 jump: ACCEPT - # SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers) - # # Mail Service - # - name: Allow source (Inbound) local network traffic to the Mail service ports - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: 192.168.1.0/24 - # protocol: tcp - # destination_port: "{{ item }}" - # jump: ACCEPT - # loop: - # - 25 # SMTP Cleartext 25 - # - 465 # ESMTP Implicit TLS 465 - # - 587 # SMTP+STARTTLS Explicit TLS 587 - # - 993 # IMAPS Implicit TLS 993 - # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143 - # - # - name: Allow source (Inbound) proxy server traffic to the Mail service ports - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: "{{ item }}" - # jump: ACCEPT - # loop: - # - 25 # SMTP Cleartext 25 - # - 465 # ESMTP Implicit TLS 465 - # - 587 # SMTP+STARTTLS Explicit TLS 587 - # - 993 # IMAPS Implicit TLS 993 - # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143 - # - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports - # ansible.builtin.iptables: - # chain: DOCKER-USER - # destination: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: "{{ item }}" - # jump: ACCEPT - # loop: - # - 25 # SMTP Cleartext 25 - # - 465 # ESMTP Implicit TLS 465 - # - 587 # SMTP+STARTTLS Explicit TLS 587 - # - 993 # IMAPS Implicit TLS 993 - # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143 - # - # - name: Deny any other traffic on Mail service ports - # 
ansible.builtin.iptables: - # chain: DOCKER-USER - # protocol: tcp - # destination_port: "{{ item }}" - # jump: DROP - # loop: - # - 25 # SMTP Cleartext 25 - # - 465 # ESMTP Implicit TLS 465 - # - 587 # SMTP+STARTTLS Explicit TLS 587 - # - 993 # IMAPS Implicit TLS 993 - # - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143 - # - # # Invidious Service - # - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: 192.168.1.0/24 - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # destination: 192.168.1.0/24 - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - # - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # destination: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: 3000 - # jump: ACCEPT - # - # - name: Deny any other traffic on Invidious port 3000 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # protocol: tcp - # destination_port: 3000 - # jump: DROP - # - # # Minecraft Service - # - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: 192.168.1.0/24 - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - # - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: 
DOCKER-USER - # destination: 192.168.1.0/24 - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - # - # - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # source: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - # - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # destination: "{{ proxy_server_ip }}" - # protocol: tcp - # destination_port: 25565 - # jump: ACCEPT - # - # - name: Deny any other traffic on Minecraft port 25565 - # ansible.builtin.iptables: - # chain: DOCKER-USER - # protocol: tcp - # destination_port: 25565 - # jump: DROP - # - - name: Reset doas configuration back to default become: yes template:
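Review bot: The renamed task `Allow all outbound HTTPS` still carries `destination: 140.82.121.33`, so the rule permits HTTPS to a single address while its name now claims all outbound HTTPS; either remove the `destination:` line if unrestricted outbound HTTPS is intended, or keep the restriction and give the task a name that says which host it is for, as the previous name did. Both the INPUT and OUTPUT rules pin one literal address for what the old name describes as GitHub Container Registry, and changing it in two places by hand is how the two rules drift apart; a variable in the style of the existing `proxy_server_ip` (for example `ghcr_ip`) referenced from both rules would keep them in step. The task that owns the INPUT rule (`chain: INPUT`, `destination_port: 443`) starts before this hunk, so its name is not visible here.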