cspark
/
Host-Ansible-Setup
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Host-Ansible-Setup/server-firewall-setup.yml

282 lines
11 KiB
YAML
Raw Blame History

- hosts: localhost
become: 'yes'
tasks:
# Telnet/SSH Configuration
- name: Accept inbound SSH only on internal network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
destination_port: 22
jump: ACCEPT
- name: Allow all outbound telnet, SSH on default port and SSH proxy server port
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 23
- 22
- "{{ proxy_server_ssh_port }}"
# Policy Configuration
- name: Drop incoming/outgoing/forward traffic by default
ansible.builtin.iptables:
chain: "{{ item }}"
policy: DROP
loop:
- INPUT
- OUTPUT
- FORWARD
- name: Allow inbound/outbound already established/related connections to bypass firewall rules
ansible.builtin.iptables:
chain: "{{ item }}"
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
loop:
- INPUT
- OUTPUT
# Loopback Configuration
- name: Allow inbound loopback traffic
ansible.builtin.iptables:
chain: INPUT
in_interface: lo
jump: ACCEPT
- name: Allow outbound loopback traffic
ansible.builtin.iptables:
chain: OUTPUT
out_interface: lo
jump: ACCEPT
# DNS Configuration
- name: Accept inbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
ansible.builtin.iptables:
chain: INPUT
protocol: "{{ item.protocol }}"
source: "{{ item.source }}"
destination_port: "{{ item.port }}"
jump: ACCEPT
loop:
- { source: 192.168.1.254, protocol: tcp, port: 53 }
- { source: 192.168.1.254, protocol: udp, port: 53 }
- { source: 8.8.8.8, protocol: tcp, port: 53 }
- { source: 8.8.8.8, protocol: udp, port: 53 }
- { source: 192.168.1.254, protocol: tcp, port: 43 }
- { source: 8.8.8.8, protocol: tcp, port: 43 }
- name: Accept outbound TCP/UDP DNS/TCP WHOIS lookup requests only from gateway or Google Public DNS
ansible.builtin.iptables:
chain: OUTPUT
protocol: "{{ item.protocol }}"
destination: "{{ item.destination }}"
destination_port: "{{ item.port }}"
jump: ACCEPT
loop:
- { destination: 192.168.1.254, protocol: tcp, port: 53 }
- { destination: 192.168.1.254, protocol: udp, port: 53 }
- { destination: 8.8.8.8, protocol: tcp, port: 53 }
- { destination: 8.8.8.8, protocol: udp, port: 53 }
- { destination: 192.168.1.254, protocol: tcp, port: 43 }
- { destination: 8.8.8.8, protocol: tcp, port: 43 }
# ICMP Configuration
- name: Allow all outbound pinging
ansible.builtin.iptables:
chain: OUTPUT
protocol: icmp
jump: ACCEPT
# SMB/SAMBA Service
- name: Accept inbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only from internal network
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
- name: Allow outbound SMB/NETBIOS SSN/NETBIOS DGM/NETBIOS NS only to internal network
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 192.168.1.0/24
destination_port: "{{ item }}"
jump: ACCEPT
loop:
- 445
- 139
- 138
- 137
# VPN to Proxy Server Configuration
- name: Accept inbound Wireguard connections only from proxy server
ansible.builtin.iptables:
chain: INPUT
protocol: udp
source: "{{ proxy_server_ip }}"
destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT
- name: Allow all outbound Wireguard connections
ansible.builtin.iptables:
chain: OUTPUT
protocol: udp
destination_port: "{{ proxy_server_vpn_port }}"
jump: ACCEPT
# Docker
- name: Accept inbound HTTPS only from Github Container Registry
ansible.builtin.iptables:
chain: INPUT
protocol: tcp
source: 140.82.121.34
destination_port: 443
jump: ACCEPT
- name: Allow outbound HTTPS only to Github Container Registry
ansible.builtin.iptables:
chain: OUTPUT
protocol: tcp
destination: 140.82.121.34
destination_port: 443
jump: ACCEPT
# SERVICES FIREWALL CONFIGURATION NOW HANDLED ON A PER CONTAINER BASIS VIA GLUTUN VPN CLIENT (as now using VPNs within in the containers)
# # Mail Service
# - name: Allow source (Inbound) local network traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Allow source (Inbound) proxy server traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
# - name: Allow destination (Outbound) proxy server Mail container traffic to the Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: "{{ item }}"
# jump: ACCEPT
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# - name: Deny any other traffic on Mail service ports
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: "{{ item }}"
# jump: DROP
# loop:
# - 25 # SMTP Cleartext 25
# - 465 # ESMTP Implicit TLS 465
# - 587 # SMTP+STARTTLS Explicit TLS 587
# - 993 # IMAPS Implicit TLS 993
# - 143 # IMAPS IMAP+STARTTLS Explicit TLS 143
#
# # Invidious Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 3000
# jump: ACCEPT
#
# - name: Deny any other traffic on Invidious port 3000
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 3000
# jump: DROP
#
# # Minecraft Service
# - name: Allow source (Inbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) local network traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: 192.168.1.0/24
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Allow source (Inbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# source: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
# - name: Allow destination (Outbound) proxy server traffic to the Invidious service only on service port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# destination: "{{ proxy_server_ip }}"
# protocol: tcp
# destination_port: 25565
# jump: ACCEPT
#
# - name: Deny any other traffic on Minecraft port 25565
# ansible.builtin.iptables:
# chain: DOCKER-USER
# protocol: tcp
# destination_port: 25565
# jump: DROP
- name: Debug Finish message
debug:
msg: Ansible playbook has finished!
Reference in New Issue View Git Blame Copy Permalink