Client-Ansible-Setup/prox-server-firewall-setup.yml

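---
# Proxy-server firewall baseline.
#
# Order matters: ansible.builtin.iptables appends rules by default, so a rule
# written later in this play is evaluated after the ones before it. The DROP
# rules for the known attacker range are therefore inserted at the top of each
# chain; appended, they would sit behind the SSH-port and ESTABLISHED/RELATED
# ACCEPT rules and never match connections to the SSH port.
- hosts:
    - "{{ proxy_server_hostname }}"
    - "{{ proxy_server_hostname }}-defaultport"
  become: true
  # Play-wide: a failing task is reported but does not abort the play, so the
  # doas reset at the end still runs. The trade-off is that a failed firewall
  # task (including the DROP rules) is only visible as "ignored" in the recap —
  # check the recap rather than assuming every rule was applied.
  ignore_errors: true
  tasks:
    - name: Apply default doas configuration allowing wheel group users to elevate commands with prompt
      become: true
      template:
        src: root_resources/etc/doas.conf
        dest: "/etc/doas.conf"

    # Widened doas permissions only for the duration of this play; the last
    # template task restores the default configuration.
    - name: Temporarily disable doas pass prompt as doas persist does not work within scripts
      become: true
      replace:
        path: /etc/doas.conf
        regexp: 'persist'
        replace: 'nopass'

    - name: Allow all outbound SSH
      ansible.builtin.iptables:
        chain: OUTPUT
        protocol: tcp
        destination_port: "{{ proxy_server_ssh_port }}"
        jump: ACCEPT

    # Disabled rate limit for new inbound SSH (60 per minute, any extra is
    # dropped). Note it hard-codes --dport 22 whereas the rest of this play
    # uses proxy_server_ssh_port; align the port before enabling it.
    # - name: Create inbound SSH recent rule (Limits new inbound SSH to 60 per minute, any extra is dropped)
    #   ansible.builtin.shell: /sbin/iptables -C INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP || /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 60 -j DROP && /sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set

    - name: Accept inbound SSH
      ansible.builtin.iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ proxy_server_ssh_port }}"
        jump: ACCEPT

    # Currently issues with SSH and dropping all outgoing traffic policy by
    # default despite the SSH allow rules, might be to do something with how
    # network is routed from the KVM. Shall just allow everything for now
    # (Ideally would be nice to set back to dropping by default though).
    # With ACCEPT policies the explicit ACCEPT rules above are not restrictive;
    # the only traffic actually refused is what the DROP rules below match.
    - name: Allow incoming traffic by default
      ansible.builtin.iptables:
        chain: INPUT
        policy: ACCEPT

    - name: Allow outgoing traffic by default
      ansible.builtin.iptables:
        chain: OUTPUT
        policy: ACCEPT

    - name: Allow forward traffic by default
      ansible.builtin.iptables:
        chain: FORWARD
        policy: ACCEPT

    - name: Allow previous inbound accepted/known connections to bypass firewall rules
      ansible.builtin.iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Allow previous outbound accepted/known connections to bypass firewall rules
      ansible.builtin.iptables:
        chain: OUTPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT

    - name: Allow inbound loopback traffic
      ansible.builtin.iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT

    - name: Allow outbound loopback traffic
      ansible.builtin.iptables:
        chain: OUTPUT
        out_interface: lo
        jump: ACCEPT

    - name: Block known attacker IP's
      # action: insert puts the DROP at the head of the chain so it is evaluated
      # before the ACCEPT rules above. Idempotent: an existing matching rule is
      # left where it is. The OUTPUT and FORWARD entries match on the packet
      # *source*; if the intent is to refuse traffic sent *to* this range,
      # those would need `destination` instead — TODO confirm intent.
      ansible.builtin.iptables:
        chain: "{{ item.chain }}"
        source: "{{ item.source }}"
        jump: DROP
        action: insert
      loop:
        - { chain: INPUT, source: "46.148.40.0/24" }  # range targeting the mailserver
        - { chain: OUTPUT, source: "46.148.40.0/24" }
        - { chain: FORWARD, source: "46.148.40.0/24" }

    # Restores the prompting doas configuration that the 'nopass' replace above
    # relaxed; relies on the play-level ignore_errors to be reached even when
    # an earlier task failed.
    - name: Reset doas configuration back to default
      become: true
      template:
        src: root_resources/etc/doas.conf
        dest: "/etc/doas.conf"

    - name: Debug Finish message
      debug:
        msg: Ansible playbook has finished!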