302 lines
11 KiB
YAML
Executable File
302 lines
11 KiB
YAML
Executable File
- hosts: localhost
|
|
ignore_errors: true
|
|
become: 'yes'
|
|
tasks:
|
|
- name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/doas.conf
|
|
dest: "/etc/doas.conf"
|
|
- name: Temporarily disable doas pass prompt as doas persist does not work within scripts
|
|
become: yes
|
|
replace:
|
|
path: /etc/doas.conf
|
|
regexp: 'persist'
|
|
replace: 'nopass'
|
|
|
|
# Telnet/SSH Configuration
|
|
- name: Accept inbound SSH only on internal network
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
source: 192.168.1.0/24
|
|
destination_port: 22
|
|
jump: ACCEPT
|
|
- name: Allow all outbound telnet, SSH on default port and SSH proxy server port
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: tcp
|
|
destination_port: "{{ item }}"
|
|
jump: ACCEPT
|
|
loop:
|
|
- 23
|
|
- 22
|
|
- "{{ proxy_server_ssh_port }}"
|
|
|
|
# Policy Configuration
|
|
- name: Drop incoming/outgoing/forward traffic by default
|
|
ansible.builtin.iptables:
|
|
chain: "{{ item }}"
|
|
policy: DROP
|
|
loop:
|
|
- INPUT
|
|
- OUTPUT
|
|
- FORWARD
|
|
- name: Allow inbound/outbound already established/related connections to bypass firewall rules
|
|
ansible.builtin.iptables:
|
|
chain: "{{ item }}"
|
|
ctstate: ESTABLISHED,RELATED
|
|
jump: ACCEPT
|
|
loop:
|
|
- INPUT
|
|
- OUTPUT
|
|
|
|
# Loopback Configuration
|
|
- name: Allow inbound loopback traffic
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
in_interface: lo
|
|
jump: ACCEPT
|
|
- name: Allow outbound loopback traffic
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
out_interface: lo
|
|
jump: ACCEPT
|
|
|
|
# DNS Configuration
|
|
- name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: "{{ item.protocol }}"
|
|
source: "{{ item.source }}"
|
|
destination_port: "{{ item.port }}"
|
|
jump: ACCEPT
|
|
loop:
|
|
- { source: 192.168.1.254, protocol: tcp, port: 53 }
|
|
- { source: 192.168.1.254, protocol: udp, port: 53 }
|
|
- { source: 8.8.8.8, protocol: tcp, port: 53 }
|
|
- { source: 8.8.8.8, protocol: udp, port: 53 }
|
|
- { source: 192.168.1.254, protocol: tcp, port: 43 }
|
|
- { source: 8.8.8.8, protocol: tcp, port: 43 }
|
|
- name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: "{{ item.protocol }}"
|
|
destination: "{{ item.destination }}"
|
|
destination_port: "{{ item.port }}"
|
|
jump: ACCEPT
|
|
loop:
|
|
- { destination: 192.168.1.254, protocol: tcp, port: 53 }
|
|
- { destination: 192.168.1.254, protocol: udp, port: 53 }
|
|
- { destination: 8.8.8.8, protocol: tcp, port: 53 }
|
|
- { destination: 8.8.8.8, protocol: udp, port: 53 }
|
|
- { destination: 192.168.1.254, protocol: tcp, port: 43 }
|
|
- { destination: 8.8.8.8, protocol: tcp, port: 43 }
|
|
|
|
# ICMP Configuration
|
|
- name: Allow all outbound pinging
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: icmp
|
|
jump: ACCEPT
|
|
|
|
# SMB/SAMBA Service
|
|
- name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
source: 192.168.1.0/24
|
|
destination_port: "{{ item }}"
|
|
jump: ACCEPT
|
|
loop:
|
|
- 445
|
|
- 139
|
|
- 138
|
|
- 137
|
|
- name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: tcp
|
|
destination: 192.168.1.0/24
|
|
destination_port: "{{ item }}"
|
|
jump: ACCEPT
|
|
loop:
|
|
- 445
|
|
- 139
|
|
- 138
|
|
- 137
|
|
|
|
# VPN to Proxy Server Configuration
|
|
- name: Accept inbound Wireguard connections only from proxy server
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: udp
|
|
source: "{{ proxy_server_ip }}"
|
|
destination_port: "{{ proxy_server_vpn_port }}"
|
|
jump: ACCEPT
|
|
- name: Allow all outbound Wireguard connections
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: udp
|
|
destination_port: "{{ proxy_server_vpn_port }}"
|
|
jump: ACCEPT
|
|
|
|
# Docker
|
|
- name: Accept inbound HTTPS only from Github Container Registry
|
|
ansible.builtin.iptables:
|
|
chain: INPUT
|
|
protocol: tcp
|
|
source: 140.82.121.34
|
|
destination_port: 443
|
|
jump: ACCEPT
|
|
- name: Allow outbound HTTPS only to Github Container Registry
|
|
ansible.builtin.iptables:
|
|
chain: OUTPUT
|
|
protocol: tcp
|
|
destination: 140.82.121.34
|
|
destination_port: 443
|
|
jump: ACCEPT
|
|
|
|
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers)
|
|
# # Mail Service
|
|
# - name: Allow source (Inbound) local network traffic to the Mail service ports
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: 192.168.1.0/24
|
|
# protocol: tcp
|
|
# destination_port: "{{ item }}"
|
|
# jump: ACCEPT
|
|
# loop:
|
|
# - 25 # SMTP Cleartext 25
|
|
# - 465 # ESMTP Implicit TLS 465
|
|
# - 587 # SMTP+STARTTLS Explicit TLS 587
|
|
# - 993 # IMAPS Implicit TLS 993
|
|
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
|
|
#
|
|
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: "{{ item }}"
|
|
# jump: ACCEPT
|
|
# loop:
|
|
# - 25 # SMTP Cleartext 25
|
|
# - 465 # ESMTP Implicit TLS 465
|
|
# - 587 # SMTP+STARTTLS Explicit TLS 587
|
|
# - 993 # IMAPS Implicit TLS 993
|
|
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
|
|
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# destination: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: "{{ item }}"
|
|
# jump: ACCEPT
|
|
# loop:
|
|
# - 25 # SMTP Cleartext 25
|
|
# - 465 # ESMTP Implicit TLS 465
|
|
# - 587 # SMTP+STARTTLS Explicit TLS 587
|
|
# - 993 # IMAPS Implicit TLS 993
|
|
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
|
|
#
|
|
# - name: Deny any other traffic on Mail service ports
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# protocol: tcp
|
|
# destination_port: "{{ item }}"
|
|
# jump: DROP
|
|
# loop:
|
|
# - 25 # SMTP Cleartext 25
|
|
# - 465 # ESMTP Implicit TLS 465
|
|
# - 587 # SMTP+STARTTLS Explicit TLS 587
|
|
# - 993 # IMAPS Implicit TLS 993
|
|
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
|
|
#
|
|
# # Invidious Service
|
|
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: 192.168.1.0/24
|
|
# protocol: tcp
|
|
# destination_port: 3000
|
|
# jump: ACCEPT
|
|
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# destination: 192.168.1.0/24
|
|
# protocol: tcp
|
|
# destination_port: 3000
|
|
# jump: ACCEPT
|
|
#
|
|
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: 3000
|
|
# jump: ACCEPT
|
|
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# destination: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: 3000
|
|
# jump: ACCEPT
|
|
#
|
|
# - name: Deny any other traffic on Invidious port 3000
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# protocol: tcp
|
|
# destination_port: 3000
|
|
# jump: DROP
|
|
#
|
|
# # Minecraft Service
|
|
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: 192.168.1.0/24
|
|
# protocol: tcp
|
|
# destination_port: 25565
|
|
# jump: ACCEPT
|
|
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# destination: 192.168.1.0/24
|
|
# protocol: tcp
|
|
# destination_port: 25565
|
|
# jump: ACCEPT
|
|
#
|
|
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# source: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: 25565
|
|
# jump: ACCEPT
|
|
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# destination: "{{ proxy_server_ip }}"
|
|
# protocol: tcp
|
|
# destination_port: 25565
|
|
# jump: ACCEPT
|
|
#
|
|
# - name: Deny any other traffic on Minecraft port 25565
|
|
# ansible.builtin.iptables:
|
|
# chain: DOCKER-USER
|
|
# protocol: tcp
|
|
# destination_port: 25565
|
|
# jump: DROP
|
|
#
|
|
|
|
- name: Reset doas configuration back to default
|
|
become: yes
|
|
template:
|
|
src: root_resources/etc/doas.conf
|
|
dest: "/etc/doas.conf"
|
|
|
|
- name: Debug Finish message
|
|
debug:
|
|
msg: Ansible playbook has finished!
|