cloud-mu 2.0.4 → 2.1.0beta
- checksums.yaml +5 -5
- data/README.md +6 -0
- data/ansible/roles/geerlingguy.firewall/LICENSE +20 -0
- data/ansible/roles/geerlingguy.firewall/README.md +93 -0
- data/ansible/roles/geerlingguy.firewall/defaults/main.yml +19 -0
- data/ansible/roles/geerlingguy.firewall/handlers/main.yml +3 -0
- data/ansible/roles/geerlingguy.firewall/meta/main.yml +26 -0
- data/ansible/roles/geerlingguy.firewall/molecule/default/molecule.yml +40 -0
- data/ansible/roles/geerlingguy.firewall/molecule/default/playbook.yml +17 -0
- data/ansible/roles/geerlingguy.firewall/molecule/default/tests/test_default.py +14 -0
- data/ansible/roles/geerlingguy.firewall/molecule/default/yaml-lint.yml +6 -0
- data/ansible/roles/geerlingguy.firewall/tasks/disable-other-firewalls.yml +66 -0
- data/ansible/roles/geerlingguy.firewall/tasks/main.yml +44 -0
- data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2 +136 -0
- data/ansible/roles/geerlingguy.firewall/templates/firewall.init.j2 +52 -0
- data/ansible/roles/geerlingguy.firewall/templates/firewall.unit.j2 +12 -0
- data/bin/mu-ansible-secret +114 -0
- data/bin/mu-aws-setup +74 -21
- data/bin/mu-node-manage +22 -12
- data/bin/mu-self-update +11 -4
- data/cloud-mu.gemspec +3 -3
- data/cookbooks/firewall/metadata.json +1 -1
- data/cookbooks/firewall/recipes/default.rb +4 -0
- data/cookbooks/mu-master/recipes/default.rb +0 -3
- data/cookbooks/mu-master/recipes/init.rb +15 -9
- data/cookbooks/mu-master/templates/default/mu.rc.erb +1 -1
- data/cookbooks/mu-master/templates/default/web_app.conf.erb +0 -4
- data/cookbooks/mu-php54/metadata.rb +2 -2
- data/cookbooks/mu-php54/recipes/default.rb +1 -3
- data/cookbooks/mu-tools/recipes/eks.rb +25 -2
- data/cookbooks/mu-tools/recipes/nrpe.rb +6 -1
- data/cookbooks/mu-tools/recipes/set_mu_hostname.rb +8 -0
- data/cookbooks/mu-tools/templates/default/etc_hosts.erb +1 -1
- data/cookbooks/mu-tools/templates/default/kubeconfig.erb +2 -2
- data/cookbooks/mu-tools/templates/default/kubelet-config.json.erb +35 -0
- data/extras/clean-stock-amis +10 -4
- data/extras/list-stock-amis +64 -0
- data/extras/python_rpm/build.sh +21 -0
- data/extras/python_rpm/muthon.spec +68 -0
- data/install/README.md +5 -2
- data/install/user-dot-murc.erb +1 -1
- data/modules/mu.rb +52 -8
- data/modules/mu/clouds/aws.rb +1 -1
- data/modules/mu/clouds/aws/container_cluster.rb +1071 -47
- data/modules/mu/clouds/aws/firewall_rule.rb +45 -19
- data/modules/mu/clouds/aws/log.rb +3 -2
- data/modules/mu/clouds/aws/role.rb +18 -2
- data/modules/mu/clouds/aws/server.rb +11 -5
- data/modules/mu/clouds/aws/server_pool.rb +20 -24
- data/modules/mu/clouds/aws/userdata/linux.erb +1 -1
- data/modules/mu/clouds/aws/vpc.rb +9 -0
- data/modules/mu/clouds/google/server.rb +2 -0
- data/modules/mu/config.rb +3 -3
- data/modules/mu/config/container_cluster.rb +1 -1
- data/modules/mu/config/firewall_rule.rb +4 -0
- data/modules/mu/config/role.rb +29 -0
- data/modules/mu/config/server.rb +9 -4
- data/modules/mu/groomer.rb +14 -3
- data/modules/mu/groomers/ansible.rb +553 -0
- data/modules/mu/groomers/chef.rb +0 -5
- data/modules/mu/mommacat.rb +18 -3
- data/modules/scratchpad.erb +1 -1
- data/requirements.txt +5 -0
- metadata +39 -16
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
|
-
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: b339d7f5e35d4ca0b753f23d4552fa4f5589b16f
|
4
|
+
data.tar.gz: 9e46c23f39cc04b1102ff2f671453105ac043d4b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 08acf7c80363ea2b446e356b65ce3fb8a3dc5687917f346fabd272de0ac1d4b827d1d70c187c1e796e5eb0472398923109c5115a0a6478b6c292ca6a4bcdf332
|
7
|
+
data.tar.gz: 09a509cb2f1d9c7dc65b44de161dc52ba8c0e84e1d57f1f1faee651145689802f9ae4e6f9abeb9dbab4954a3fe4ea777147d69281ffdb1e21c8685bbf7371c1c
|
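--- a/data/README.md
+++ b/data/README.md
@@ -17,5 +17,11 @@ The mu tooling is currently supported on RHEL or CentOS 6/7.
 ## Installation
 See the [README](../master/install) in the install folder for mu master installation instructions
 
+Alternatively, get started by clicking the Launch Button!!
+
+This does create all the AWS resources in us-east-1 region.
+
+[![Launch Stack](https://s3.amazonaws.com/cloudformation-examples/cloudformation-launch-stack.png)](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=CloudamaticInstaller&templateURL=https://s3.amazonaws.com/mu-cfn-installer/cfn_create_mu_master.json)
+
 ## Usage
 See the [Usage](https://github.com/cloudamatic/mu/wiki/Usage) section of our Wiki for an overview of how to use the mu tooling for deployment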
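--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/LICENSE
@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2017 Jeff Geerling
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.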
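--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/README.md
@@ -0,0 +1,93 @@
+# Ansible Role: Firewall (iptables)
+
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall)
+
+Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`).
+
+This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.
+
+After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.
+
+## Requirements
+
+None.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `defaults/main.yml`):
+
+firewall_state: started
+firewall_enabled_at_boot: true
+
+Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`).
+
+firewall_allowed_tcp_ports:
+- "22"
+- "80"
+...
+firewall_allowed_udp_ports: []
+
+A list of TCP or UDP ports (respectively) to open to incoming traffic.
+
+firewall_forwarded_tcp_ports:
+- { src: "22", dest: "2222" }
+- { src: "80", dest: "8080" }
+firewall_forwarded_udp_ports: []
+
+Forward `src` port to `dest` port, either TCP or UDP (respectively).
+
+firewall_additional_rules: []
+firewall_ip6_additional_rules: []
+
+Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used:
+
+# Allow only the IP 167.89.89.18 to access port 4949 (Munin).
+firewall_additional_rules:
+- "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT"
+
+# Allow only the IP 214.192.48.21 to access port 3306 (MySQL).
+firewall_additional_rules:
+- "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT"
+
+See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples.
+
+firewall_log_dropped_packets: true
+
+Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: ").
+
+firewall_disable_firewalld: false
+firewall_disable_ufw: false
+
+Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively.
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+- hosts: server
+vars_files:
+- vars/main.yml
+roles:
+- { role: geerlingguy.firewall }
+
+*Inside `vars/main.yml`*:
+
+firewall_allowed_tcp_ports:
+- "22"
+- "25"
+- "80"
+
+## TODO
+
+- Make outgoing ports more configurable.
+- Make other firewall features (like logging) configurable.
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/).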
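--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+firewall_state: started
+firewall_enabled_at_boot: true
+
+firewall_allowed_tcp_ports:
+- "22"
+- "25"
+- "80"
+- "443"
+firewall_allowed_udp_ports: []
+firewall_forwarded_tcp_ports: []
+firewall_forwarded_udp_ports: []
+firewall_additional_rules: []
+firewall_ip6_additional_rules: []
+firewall_log_dropped_packets: true
+
+# Set to true to ensure other firewall management software is disabled.
+firewall_disable_firewalld: false
+firewall_disable_ufw: false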
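--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/meta/main.yml
@@ -0,0 +1,26 @@
+---
+dependencies: []
+
+galaxy_info:
+author: geerlingguy
+description: Simple iptables firewall for most Unix-like systems.
+company: "Midwestern Mac, LLC"
+license: "license (BSD, MIT)"
+min_ansible_version: 2.4
+platforms:
+- name: EL
+versions:
+- all
+- name: Debian
+versions:
+- all
+- name: Ubuntu
+versions:
+- all
+galaxy_tags:
+- networking
+- system
+- security
+- firewall
+- iptables
+- tcp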
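--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/molecule/default/molecule.yml
@@ -0,0 +1,40 @@
+---
+dependency:
+name: galaxy
+driver:
+name: docker
+lint:
+name: yamllint
+options:
+config-file: molecule/default/yaml-lint.yml
+platforms:
+- name: instance
+image: geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible
+command: ${MOLECULE_DOCKER_COMMAND:-"sleep infinity"}
+privileged: true
+pre_build_image: true
+provisioner:
+name: ansible
+lint:
+name: ansible-lint
+playbooks:
+converge: ${MOLECULE_PLAYBOOK:-playbook.yml}
+scenario:
+name: default
+test_sequence:
+- lint
+- destroy
+- dependency
+- syntax
+- create
+- prepare
+- converge
+- idempotence
+- check
+- side_effect
+- verify
+- destroy
+verifier:
+name: testinfra
+lint:
+name: flake8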
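--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/molecule/default/playbook.yml
@@ -0,0 +1,17 @@
+---
+- name: Converge
+hosts: all
+become: true
+
+vars:
+firewall_allowed_tcp_ports:
+- "9123"
+
+pre_tasks:
+- name: Update apt cache.
+apt: update_cache=true cache_valid_time=1200
+when: ansible_os_family == 'Debian'
+changed_when: false
+
+roles:
+- role: geerlingguy.firewall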
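--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/molecule/default/tests/test_default.py
@@ -0,0 +1,14 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_hosts_file(host):
+f = host.file('/etc/hosts')
+
+assert f.exists
+assert f.user == 'root'
+assert f.group == 'root'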
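--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/tasks/disable-other-firewalls.yml
@@ -0,0 +1,66 @@
+---
+- name: Check if firewalld package is installed (on RHEL).
+command: yum list installed firewalld
+args:
+warn: false
+register: firewalld_installed
+ignore_errors: true
+changed_when: false
+when:
+- ansible_os_family == "RedHat"
+- firewall_disable_firewalld
+check_mode: false
+
+- name: Disable the firewalld service (on RHEL, if configured).
+service:
+name: firewalld
+state: stopped
+enabled: false
+when:
+- ansible_os_family == "RedHat"
+- firewall_disable_firewalld
+- firewalld_installed.rc == 0
+
+- name: Check if ufw package is installed (on Ubuntu).
+command: service ufw status
+args:
+warn: false
+register: ufw_installed
+ignore_errors: true
+changed_when: false
+when:
+- ansible_distribution == "Ubuntu"
+- firewall_disable_ufw
+check_mode: false
+
+- name: Disable the ufw firewall (on Ubuntu, if configured).
+service:
+name: ufw
+state: stopped
+enabled: false
+when:
+- ansible_distribution == "Ubuntu"
+- firewall_disable_ufw
+- ufw_installed.rc == 0
+
+- name: Check if ufw package is installed (on Archlinux).
+command: pacman -Q ufw
+args:
+warn: false
+register: ufw_installed
+ignore_errors: true
+changed_when: false
+when:
+- ansible_distribution == "Archlinux"
+- firewall_disable_ufw
+check_mode: false
+
+- name: Disable the ufw firewall (on Archlinux, if configured).
+service:
+name: ufw
+state: stopped
+enabled: false
+when:
+- ansible_distribution == "Archlinux"
+- firewall_disable_ufw
+- ufw_installed.rc == 0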
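--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+- name: Ensure iptables is present.
+package: name=iptables state=present
+
+- name: Flush iptables the first time playbook runs.
+command: >
+iptables -F
+creates=/etc/firewall.bash
+
+- name: Copy firewall script into place.
+template:
+src: firewall.bash.j2
+dest: /etc/firewall.bash
+owner: root
+group: root
+mode: 0744
+notify: restart firewall
+
+- name: Copy firewall init script into place.
+template:
+src: firewall.init.j2
+dest: /etc/init.d/firewall
+owner: root
+group: root
+mode: 0755
+when: "ansible_service_mgr != 'systemd'"
+
+- name: Copy firewall systemd unit file into place (for systemd systems).
+template:
+src: firewall.unit.j2
+dest: /etc/systemd/system/firewall.service
+owner: root
+group: root
+mode: 0644
+when: "ansible_service_mgr == 'systemd'"
+
+- name: Configure the firewall service.
+service:
+name: firewall
+state: "{{ firewall_state }}"
+enabled: "{{ firewall_enabled_at_boot }}"
+
+- import_tasks: disable-other-firewalls.yml
+when: firewall_disable_firewalld or firewall_disable_ufw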
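--- /dev/null
+++ b/data/ansible/roles/geerlingguy.firewall/templates/firewall.bash.j2
@@ -0,0 +1,136 @@
+#!/bin/bash
+# iptables firewall for common LAMP servers.
+#
+# This file should be located at /etc/firewall.bash, and is meant to work with
+# Jeff Geerling's firewall init script.
+#
+# Common port reference:
+# 22: SSH
+# 25: SMTP
+# 80: HTTP
+# 123: NTP
+# 443: HTTPS
+# 2222: SSH alternate
+# 4949: Munin
+# 6082: Varnish admin
+# 8080: HTTP alternate (often used with Tomcat)
+# 8983: Tomcat HTTP
+# 8443: Tomcat HTTPS
+# 9000: SonarQube
+#
+# @author Jeff Geerling
+
+# No spoofing.
+if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
+then
+for filter in /proc/sys/net/ipv4/conf/*/rp_filter
+do
+echo 1 > $filter
+done
+fi
+
+# Completely reset the firewall by removing all rules and chains.
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+iptables -t nat -F
+iptables -t mangle -F
+iptables -F
+iptables -X
+
+# Accept traffic from loopback interface (localhost).
+iptables -A INPUT -i lo -j ACCEPT
+
+# Forwarded ports.
+{# Add a rule for each forwarded port #}
+{% for forwarded_port in firewall_forwarded_tcp_ports %}
+iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+iptables -t nat -I OUTPUT -p tcp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+{% for forwarded_port in firewall_forwarded_udp_ports %}
+iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+iptables -t nat -I OUTPUT -p udp -o lo --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+
+# Open ports.
+{# Add a rule for each open port #}
+{% for port in firewall_allowed_tcp_ports %}
+iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% for port in firewall_allowed_udp_ports %}
+iptables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# Accept icmp ping requests.
+iptables -A INPUT -p icmp -j ACCEPT
+
+# Allow NTP traffic for time synchronization.
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+iptables -A INPUT -p udp --sport 123 -j ACCEPT
+
+# Additional custom rules.
+{% for rule in firewall_additional_rules %}
+{{ rule }}
+{% endfor %}
+
+# Allow established connections:
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Log EVERYTHING (ONLY for Debug).
+# iptables -A INPUT -j LOG
+
+{% if firewall_log_dropped_packets %}
+# Log other incoming requests (all of which are dropped) at 15/minute max.
+iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+{% endif %}
+
+# Drop all other traffic.
+iptables -A INPUT -j DROP
+
+
+# Configure IPv6 if ip6tables is present.
+if [ -x "$(which ip6tables 2>/dev/null)" ]; then
+
+# Remove all rules and chains.
+ip6tables -F
+ip6tables -X
+
+# Accept traffic from loopback interface (localhost).
+ip6tables -A INPUT -i lo -j ACCEPT
+
+# Open ports.
+{# Add a rule for each open port #}
+{% for port in firewall_allowed_tcp_ports %}
+ip6tables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% for port in firewall_allowed_udp_ports %}
+ip6tables -A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# Accept icmp ping requests.
+ip6tables -A INPUT -p icmp -j ACCEPT
+
+# Allow NTP traffic for time synchronization.
+ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT
+ip6tables -A INPUT -p udp --sport 123 -j ACCEPT
+
+# Additional custom rules.
+{% for rule in firewall_ip6_additional_rules %}
+{{ rule }}
+{% endfor %}
+
+# Allow established connections:
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Log EVERYTHING (ONLY for Debug).
+# ip6tables -A INPUT -j LOG
+
+{% if firewall_log_dropped_packets %}
+# Log other incoming requests (all of which are dropped) at 15/minute max.
+ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+{% endif %}
+
+# Drop all other traffic.
+ip6tables -A INPUT -j DROP
+
+fi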