From fe708dbac25cc5d83a686b62934fd1d695036c5a Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 3 Aug 2022 18:10:19 +0200 Subject: [PATCH 01/21] Added "run_once: true" to tasks from roles/include_vars_from_other_groups/tasks/main.yml. --- roles/include_vars_from_other_groups/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/include_vars_from_other_groups/tasks/main.yml b/roles/include_vars_from_other_groups/tasks/main.yml index 089c7872e..d826439b7 100644 --- a/roles/include_vars_from_other_groups/tasks/main.yml +++ b/roles/include_vars_from_other_groups/tasks/main.yml @@ -7,6 +7,7 @@ register: ip_addresses_files_found delegate_to: localhost connection: local + run_once: true - name: Include ip_addresses per stack from ip_addresses.yml files. ansible.builtin.include_vars: @@ -16,10 +17,12 @@ register: included_ip_addresses delegate_to: localhost connection: local + run_once: true - name: Combine network info from ip_addresses per stack into one dict for all items from all stacks. ansible.builtin.set_fact: all_ip_addresses: "{{ included_ip_addresses.results | json_query('[].ansible_facts.*[].ip_addresses') | combine() }}" delegate_to: localhost connection: local + run_once: true ... From f18b905f3a78782f3132643edbcab7551b1ed982 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 3 Aug 2022 18:12:07 +0200 Subject: [PATCH 02/21] Changed publicly_exposed for internal management addresses of Talos and Gearshift jumphosts to false. These jumphosts have a dedicated network interface for their public IP. --- group_vars/gearshift_cluster/ip_addresses.yml | 1 - group_vars/talos_cluster/ip_addresses.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/group_vars/gearshift_cluster/ip_addresses.yml b/group_vars/gearshift_cluster/ip_addresses.yml index 4a2b864cc..f5d28b68d 100644 --- a/group_vars/gearshift_cluster/ip_addresses.yml +++ b/group_vars/gearshift_cluster/ip_addresses.yml @@ -4,7 +4,6 @@ ip_addresses: vlan983: address: 172.23.40.36 netmask: /32 - publicly_exposed: true # This internal IP is linked to a public (floating) IP. vlan16: address: 129.125.60.196 netmask: /32 diff --git a/group_vars/talos_cluster/ip_addresses.yml b/group_vars/talos_cluster/ip_addresses.yml index 6c980c3c8..a99e99bfe 100644 --- a/group_vars/talos_cluster/ip_addresses.yml +++ b/group_vars/talos_cluster/ip_addresses.yml @@ -4,7 +4,6 @@ ip_addresses: vlan983: address: 172.23.40.100 netmask: /32 - publicly_exposed: true # This internal IP is linked to a public (floating) IP. vlan16: address: 129.125.60.18 netmask: /32 From 6126c049b57306dbed48804bb679c818a5689868 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 3 Aug 2022 18:13:37 +0200 Subject: [PATCH 03/21] Updated Talos group_vars for changes in the new iptables role (WIP). --- group_vars/talos_cluster/vars.yml | 130 ++++++++++-------------------- 1 file changed, 44 insertions(+), 86 deletions(-) diff --git a/group_vars/talos_cluster/vars.yml b/group_vars/talos_cluster/vars.yml index f5a4720e7..e44413a96 100644 --- a/group_vars/talos_cluster/vars.yml +++ b/group_vars/talos_cluster/vars.yml @@ -177,92 +177,50 @@ ega_fuse_client_mounts: solve_rd: '/groups/umcg-solve-rd/prm08/ega-fuse-client' ega_fuse_client_java_home: '/etc/alternatives/jre_11_openjdk' iptables_allow_icmp_inbound: - - 'umcg_net1' - - 'umcg_net2' - - 'umcg_net3' - - 'rug_bwp_net' - - 'rug_operator' - - 'rug_gcc_cloud_net' - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'zinc_finger' - - 'coenzyme' - - 'passage' - - 'leucine_zipper' - - 'chaperone' - - 'airlock' - - 'jenkins1' - - 'jenkins2' + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ calculon_cluster.ip_addresses['lobby']['vlan16'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" + # + # ToDo: need to include the external IPs for the default routers of all clusters with something like this. + # + #- "{{ nibbler_cluster.ip_addresses['default_router']['vlan16'] }}" iptables_allow_ssh_inbound: - - 'umcg_net1' - - 'umcg_net2' - - 'umcg_net3' - - 'rug_bwp_net' - - 'rug_operator' - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'zinc_finger' - - 'coenzyme' - - 'passage' - - 'leucine_zipper' - - 'chaperone' - - 'airlock' - - 'jenkins1' - - 'jenkins2' + - ANY iptables_allow_ssh_outbound: - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'peregrine' - - 'gattaca01' - - 'gattaca02' - - 'cher_ami' - - 'eriba_ds' - - 'molgenis_downloads' - - 'airlock' - - 'surfsara_grid_ui' - - 'lumc_shark_ui' - - 'cnag_sftp' - - 'erasmus_mc_net' - - 'rug_f5_net' - - 'sanger_sftp' -iptables_allow_ebi_mysql_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' -iptables_allow_ftp_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' - - 'broad_ftp' - - 'ncbi_net1' - - 'ncbi_net2' -iptables_allow_aspera_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' - - 'broad_aspera_1' - - 'broad_aspera_2' - - 'broad_aspera_3' - - 'broad_aspera_4' - - 'broad_aspera_5' - - 'broad_aspera_6' - - 'broad_aspera_7' - - 'broad_aspera_8' - - 'broad_aspera_9' - - 'ncbi_net1' - - 'ncbi_net2' -iptables_allow_globus_outbound: - - 'sanger_globus' + - ANY +#iptables_allow_ebi_mysql_outbound: +# - 'ebi_sanger_net1' +# - 'ebi_sanger_net2' +#iptables_allow_ftp_outbound: +# - 'ebi_sanger_net1' +# - 'ebi_sanger_net2' +# - 'broad_ftp' +# - 'ncbi_net1' +# - 'ncbi_net2' +#iptables_allow_aspera_outbound: +# - 'ebi_sanger_net1' +# - 'ebi_sanger_net2' +# - 'broad_aspera_1' +# - 'broad_aspera_2' +# - 'broad_aspera_3' +# - 'broad_aspera_4' +# - 'broad_aspera_5' +# - 'broad_aspera_6' +# - 'broad_aspera_7' +# - 'broad_aspera_8' +# - 'broad_aspera_9' +# - 'ncbi_net1' +# - 'ncbi_net2' +#iptables_allow_globus_outbound: +# - 'sanger_globus' ... From 3f608d135a0660fa72a4112de5bb717a7e00e0d8 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 3 Aug 2022 18:14:46 +0200 Subject: [PATCH 04/21] Fixes and new features for new iptables role (WIP). --- roles/iptables/handlers/main.yml | 2 +- roles/iptables/meta/main.yml | 4 + roles/iptables/tasks/main.yml | 110 ++++++----- .../iptables/templates/iptables-init.bash.j2 | 185 ++++++++++-------- single_role_playbooks/iptables.yml | 2 +- 5 files changed, 170 insertions(+), 133 deletions(-) create mode 100644 roles/iptables/meta/main.yml diff --git a/roles/iptables/handlers/main.yml b/roles/iptables/handlers/main.yml index 3c899bf12..9bc197d40 100755 --- a/roles/iptables/handlers/main.yml +++ b/roles/iptables/handlers/main.yml @@ -14,5 +14,5 @@ ansible.builtin.command: cmd: '/etc/sysconfig/iptables-init.bash' become: true - listen: initialize_iptables + listen: configure_iptables ... diff --git a/roles/iptables/meta/main.yml b/roles/iptables/meta/main.yml new file mode 100644 index 000000000..0b7ed2d93 --- /dev/null +++ b/roles/iptables/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: include_vars_from_other_groups +... diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 39096646a..bc39a7bff 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -23,71 +23,76 @@ # # This role configures host-based firewalls using iptables. -# We first create a list of IPv4 addresses used by a host and determine if these addresses are public or private. -# Next we fetch the network interface names for the public and private addresses: -# * internal interfaces = those who use a private IPv4 address. -# * external interfaces = those who use a public IPv4 address. +# We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed: +# * either a public IP address +# * or a publicly exposed private address: traffic from a flaoting public IP is routed to this private IP. +# Next we fetch the network interface names for all all publicly exposed addresses: +# * internal interfaces = those who do not use a publicly exposed IP address. +# * external interfaces = those who do use a publicly exposed IP address. # Finally we configure the IPv4 firewall to: -# * allow anything over the loopback interface. -# * allow anything over internal interfaces. +# * allow anything over internal interfaces (including loopback interfaces). # * disable anything by default except for specific services on specific ports to/from specific subnets. # A subnet is specified with mask as [0-9].[0-9].[0-9].[0-9]/[0-9] and may contain one or more IP addresses. # E.g. 111.111.111.111/32 is the single machine 111.111.111.111 -# and 111.111.111.111/24 is the range from 111.111.111.1 up to and including 111.111.111.254. +# and 111.111.111.0/24 is the range from 111.111.111.1 up to and including 111.111.111.254. # Finally we configure the IPv6 firewall to: # * allow anything over the loopback interface. # * disable anything else over any other interface both internal and external. # - --- -#- name: 'Install iptables with yum.' -# yum: -# state: latest -# update_cache: yes -# name: -# - 'iptables' -# - 'iptables-services' -# #### ToDo: fail2ban -# notify: restart_iptables -# become: true +- name: 'Install iptables with yum.' + ansible.builtin.yum: + state: latest + update_cache: yes + name: + - 'iptables' + - 'iptables-services' + #### ToDo: fail2ban + notify: restart_iptables + become: true -#- name: 'Enable netfilter kernel module for FTP connection tracking.' -# lineinfile: -# path: '/etc/sysconfig/iptables-config' -# regexp: '^IPTABLES_MODULES=' -# line: 'IPTABLES_MODULES="nf_conntrack_ftp"' -# notify: -# - restart_iptables -# - reconfigure_iptables -# become: true +- name: 'Enable netfilter kernel module for FTP connection tracking.' + ansible.builtin.lineinfile: + path: '/etc/sysconfig/iptables-config' + regexp: '^IPTABLES_MODULES=' + line: 'IPTABLES_MODULES="nf_conntrack_ftp"' + notify: + - restart_iptables + - configure_iptables + become: true -- name: 'Create lists of private and of public IP addresses.' +- name: 'Create lists of public IP addresses.' ansible.builtin.set_fact: - private_ip_addresses: "{{ ansible_facts | dict2items - | json_query('[*].value.ipv4.address') - | map('ipaddr', 'private') | list - | reject('==', None) | list }}" public_ip_addresses: "{{ ansible_facts | dict2items | json_query('[*].value.ipv4.address') - | map('ipaddr', 'public') | list + | map('ansible.utils.ipaddr', 'public') | list | reject('==', None) | list }}" +- name: 'Create lists of publicly exposed, private IP addresses.' + ansible.builtin.set_fact: + publicly_exposed_internal_ip_addresses: "{{ all_ip_addresses[inventory_hostname] | dict2items + | json_query('[?value.publicly_exposed].value.address') + | list }}" + +- name: 'Create lists of all publicly exposed IP addresses that need to be firewalled.' + ansible.builtin.set_fact: + all_publicly_exposed_ip_addresses: "{{ public_ip_addresses | default([]) }} + {{ publicly_exposed_internal_ip_addresses | default([]) }}" + - name: 'Create lists of internal and external network interfaces.' ansible.builtin.set_fact: internal_interfaces: "{{ ansible_facts | dict2items | selectattr('value.ipv4.address', 'defined') - | selectattr('value.ipv4.address', 'in', private_ip_addresses) + | rejectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" external_interfaces: "{{ ansible_facts | dict2items | selectattr('value.ipv4.address', 'defined') - | selectattr('value.ipv4.address', 'in', public_ip_addresses) + | selectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" - name: 'DEBUG: List discovered IP addressess and network interfaces.' ansible.builtin.debug: msg: | - Private IP addresses: {{ private_ip_addresses }}. - Public IP addresses: {{ public_ip_addresses }}. + All publicly exposed IP addresses: {{ all_publicly_exposed_ip_addresses }}. Internal interfaces: {{ internal_interfaces }}. External interfaces: {{ external_interfaces }}. @@ -98,24 +103,25 @@ owner: root group: root mode: 0700 -# notify: initialize_iptables + #notify: configure_iptables become: true -# -#- name: 'Configure the firewall service.' -# service: -# name: "{{ item }}" -# state: 'started' -# enabled: 'yes' -# daemon_reload: 'yes' -# with_items: -# - 'iptables' -# - 'ip6tables' -# notify: reconfigure_iptables -# become: true +- meta: end_play + +- name: 'Configure the firewall service.' + ansible.builtin.service: + name: "{{ item }}" + state: 'started' + enabled: 'yes' + daemon_reload: 'yes' + with_items: + - 'iptables' + - 'ip6tables' + notify: configure_iptables + become: true -#- import_tasks: disable-other-firewalls.yml -# when: iptables_disable_firewalld or iptables_disable_ufw +- ansible.builtin.import_tasks: disable-other-firewalls.yml + when: iptables_disable_firewalld or iptables_disable_ufw ... diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 index cd891c055..0cb42738d 100755 --- a/roles/iptables/templates/iptables-init.bash.j2 +++ b/roles/iptables/templates/iptables-init.bash.j2 @@ -1,3 +1,4 @@ +#jinja2: trim_blocks:True, lstrip_blocks: True #!/bin/bash # @@ -37,44 +38,71 @@ declare -a EXTERNAL_INTERFACES=( # Network addresses and ranges. # LOOPBACK='127.0.0.0/8' - declare -a ALLOW_ICMP_INBOUND=( -{% for ip in iptables_allow_icmp_inbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_icmp_inbound is defined %}{% for ip in iptables_allow_icmp_inbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_SSH_INBOUND=( -{% for ip in iptables_allow_ssh_inbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_ssh_inbound is defined %}{% for ip in iptables_allow_ssh_inbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_SSH_OUTBOUND=( -{% for ip in iptables_allow_ssh_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_ssh_outbound is defined %}{% for ip in iptables_allow_ssh_outbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_EBI_MYSQL_OUTBOUND=( -{% for ip in iptables_allow_ebi_mysql_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_ebi_mysql_outbound is defined %}{% for ip in iptables_allow_ebi_mysql_outbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_FTP_OUTBOUND=( -{% for ip in iptables_allow_ftp_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_ftp_outbound is defined %}{% for ip in iptables_allow_ftp_outbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_ASPERA_OUTBOUND=( -{% for ip in iptables_allow_aspera_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_aspera_outbound is defined %}{% for ip in iptables_allow_aspera_outbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) declare -a ALLOW_GLOBUS_OUTBOUND=( -{% for ip in iptables_allow_globus_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} +{% if iptables_allow_globus_outbound is defined %}{% for ip in iptables_allow_globus_outbound %} + {% if ip == 'ANY'%} + '{{ ip }}' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} +{% endfor %}{% endif%} ) -declare GLOBUS_ORG_NET='{{ ip_addresses.globus_org_net.addr }}' # {{ ip_addresses.globus_org_net.desc }} -declare GOOGLE_STUN='{{ ip_addresses.google_stun.addr }}' # {{ ip_addresses.google_stun.desc }} +declare GLOBUS_ORG_NET='{{ all.ip_addresses['globus_org']['net']['address'] }}{{ all.ip_addresses['globus_org']['net']['netmask'] }}' # {{ all.ip_addresses['globus_org']['net']['desc'] }} +declare GOOGLE_STUN='{{ all.ip_addresses['google']['stun']['address'] }}{{ all.ip_addresses['google']['stun']['netmask'] }}' # {{ all.ip_addresses['google']['stun']['desc'] }} # ## @@ -88,15 +116,14 @@ declare GOOGLE_STUN='{{ ip_addresses.google_stun.addr }}' # {{ ip_addresses.goo # * Remove any -mgmt suffixes # SERVER_NAME="$(hostname -s)" -SERVER_NAME="$(echo ${SERVER_NAME} | sed 's/-mgmt//')" # # Check if we have a config valid for this server. # -if [[ "${SERVER_NAME}" == "${TARGET_SERVER}" ]]; then +if [[ "${SERVER_NAME%-mgmt}" == "${TARGET_SERVER}" ]]; then echo "INFO: Hostname check passed. Will configure iptables firewall..." else - echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME}\"." + echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME%-mgmt}\"." echo 'FATAL: Cannot configure firewall on this server.' exit 1 fi @@ -219,13 +246,7 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do done # -# Allow loopback. -# -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# -# Allow anything over internal interfaces. +# Allow anything over internal interfaces including the loopback interface. # for INT_INTERFACE in "${INTERNAL_INTERFACES[@]:-}"; do [[ -z "${INT_INTERFACE}" ]] && continue @@ -251,60 +272,66 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # The Time To Live (TTL) for the datagram has been exceeded. # Required for traceroute. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT - for IP_ADDRESS in ${ALLOW_ICMP_INBOUND[@]}; do - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 3 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 8 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 11 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT + for IP_ADDRESS in "${ALLOW_ICMP_INBOUND[@]}"; do + if [[ "${IP_ADDRESS}" == 'ANY' ]]; then + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + else + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + fi done # # Allow outbound NTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound SMTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound DNS. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound HTTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound HTTPS. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT # # Allow SSH inbound and outbound. # - for IP_ADDRESS in ${ALLOW_SSH_INBOUND[@]}; do - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -s ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_SSH_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT done - for IP_ADDRESS in ${ALLOW_SSH_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_SSH_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT # # Allow MySQL outbound. # - # Required a.o. for conncections to the public Ensembl databases via the Ensembl Perl API + # Required a.o. for connections to the public Ensembl databases via the Ensembl Perl API # - for IP_ADDRESS in ${ALLOW_EBI_MYSQL_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_EBI_MYSQL_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT # # Allow FTP outbound. # @@ -318,10 +345,10 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # # Firstly, allow FTP control initiated by the client. # - for IP_ADDRESS in ${ALLOW_FTP_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_FTP_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT # # Secondly, allow FTP data connections. # * For Active Mode FTP the client must accept RELATED connections from the server on port 20 @@ -331,10 +358,10 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client # to pick up the negotiated port number from the FTP control packet payloads. # - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode # # Allow Aspera outbound. # @@ -344,12 +371,12 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # In case the server OS doesn't allow UDP port sharing a range of UDP ports is used # where the number of ports determines the max number of concurrent connections/clients. # - for IP_ADDRESS in ${ALLOW_ASPERA_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_ASPERA_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT # # Allow Globus outbound. # @@ -362,11 +389,11 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # * TCP ports 50000-51000 outbound for data channel for transfers with Globus Connect Server endpoints. # * UDP ports 32768-65535 outbound for data channel for transfers with other Globus Connect Personal endpoints. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${GLOBUS_ORG_NET} --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${GOOGLE_STUN} --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT - for IP_ADDRESS in ${ALLOW_GLOBUS_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${GLOBUS_ORG_NET}" --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${GOOGLE_STUN}" --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_GLOBUS_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT done done diff --git a/single_role_playbooks/iptables.yml b/single_role_playbooks/iptables.yml index f707cf52d..0d397b679 100644 --- a/single_role_playbooks/iptables.yml +++ b/single_role_playbooks/iptables.yml @@ -1,5 +1,5 @@ --- -- hosts: jumphost +- hosts: all,!openstack_api roles: - 'iptables' ... \ No newline at end of file From 0bcafae66a670f4b00df642e01b531e7790110fc Mon Sep 17 00:00:00 2001 From: pneerincx Date: Fri, 5 Aug 2022 11:18:55 +0200 Subject: [PATCH 05/21] Updated generic firewall config for jumphosts. --- group_vars/jumphost.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/group_vars/jumphost.yml b/group_vars/jumphost.yml index ca2447d54..9466a38fd 100644 --- a/group_vars/jumphost.yml +++ b/group_vars/jumphost.yml @@ -1,10 +1,12 @@ --- -firewall_allowed_tcp_ports: - - 22 # SSH. - - 443 # SSH fallback when 22 is blocked. - - 3000 # Grafana server. -firewall_additional_rules: - - "iptables -A INPUT -i eth1 -p tcp -s 129.125.2.233,129.125.2.225,129.125.2.226 --dport 9090 -j ACCEPT -m comment --comment 'prometheus server'" +iptables_allow_icmp_inbound: + - ANY +iptables_allow_https_inbound: + - ANY # Port 443 is used as fallback for SSH on jumphosts. Port 443 outbound is allowed by default. +iptables_allow_ssh_inbound: + - ANY +iptables_allow_ssh_outbound: + - ANY ssh_host_signer_hostnames: "{{ ansible_hostname }}\ {% for network_id in ip_addresses[ansible_hostname] %}\ {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and From 56b4381238687b82db29150636efd69fca9907eb Mon Sep 17 00:00:00 2001 From: pneerincx Date: Fri, 5 Aug 2022 11:19:58 +0200 Subject: [PATCH 06/21] Removed incorrect comment. --- group_vars/talos_cluster/vars.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/group_vars/talos_cluster/vars.yml b/group_vars/talos_cluster/vars.yml index e44413a96..f8b5ecac3 100644 --- a/group_vars/talos_cluster/vars.yml +++ b/group_vars/talos_cluster/vars.yml @@ -190,10 +190,6 @@ iptables_allow_icmp_inbound: - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" - # - # ToDo: need to include the external IPs for the default routers of all clusters with something like this. - # - #- "{{ nibbler_cluster.ip_addresses['default_router']['vlan16'] }}" iptables_allow_ssh_inbound: - ANY iptables_allow_ssh_outbound: From f0c5e0b6e3129ba71bdd1097bc85464f58b2cf39 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Fri, 5 Aug 2022 11:20:44 +0200 Subject: [PATCH 07/21] Updated defaults for iptables role. --- roles/iptables/defaults/main.yml | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index c0739694f..08842543d 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -2,12 +2,19 @@ # # ICMP (only inbound; outbound ICMP is allowed without restrictions). # -iptables_allow_icmp_inbound: [] +iptables_allow_icmp_inbound: + - ANY +# +# HTTPS +# +iptables_allow_https_inbound: [] # # SSH. # -iptables_allow_ssh_inbound: [] -iptables_allow_ssh_outbound: [] +iptables_allow_ssh_inbound: + - ANY +iptables_allow_ssh_outbound: + - ANY # # Public MySQL databases @ EBI (only outbound). # @@ -31,6 +38,6 @@ iptables_log_dropped_packets: false # # Set to true to ensure other iptables management software is disabled. # -iptables_disable_firewalld: false -iptables_disable_ufw: false +iptables_disable_firewalld: true +iptables_disable_ufw: true ... From 43ed85d7fea927b18b12bef7e294d8dd12635355 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Fri, 5 Aug 2022 17:13:23 +0200 Subject: [PATCH 08/21] Further improvements for iptables role (WIP). --- group_vars/all/vars.yml | 7 - group_vars/cluster.yml | 8 - group_vars/data_transfer.yml | 9 +- group_vars/docs.yml | 32 +- group_vars/irods.yml | 22 +- group_vars/jenkins.yml | 38 ++- roles/iptables/defaults/main.yml | 14 +- .../tasks/disable-other-firewalls.yml | 27 +- roles/iptables/tasks/main.yml | 60 +--- .../iptables/templates/iptables-init.bash.j2 | 302 ++++++++++++------ 10 files changed, 312 insertions(+), 207 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index f85ca7e3a..bdb0a090f 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -7,13 +7,6 @@ ssh_host_signer_key_types: '.*(rsa|ed25519).*' ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}{% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}" slurm_database_name: "{{ stack_prefix }}_slurm_accounting" ai_jumphost: "{{ lookup('env','AI_PROXY') }}" -# -# Configure allowed network ports for geerlingguy.firewall role -# -firewall_allowed_tcp_ports: - - '22' # SSH - - '9100' # Node Exporter - # # Local volume size (root partition) for all instances # diff --git a/group_vars/cluster.yml b/group_vars/cluster.yml index 5a2adf0b9..faae293fa 100644 --- a/group_vars/cluster.yml +++ b/group_vars/cluster.yml @@ -1,11 +1,3 @@ --- ansible_python_interpreter: /usr/bin/python2.7 -# -# Configure allowed network ports for geerlingguy.firewall role -# -firewall_allowed_tcp_ports: - - '22' # SSH - - '6817' # Slurm - - '6818' # Slurm - - '6819' # Slurm ... diff --git a/group_vars/data_transfer.yml b/group_vars/data_transfer.yml index 4bdb51ef2..3b68fec95 100644 --- a/group_vars/data_transfer.yml +++ b/group_vars/data_transfer.yml @@ -1,7 +1,10 @@ --- -firewall_allowed_tcp_ports: - - 22 # SSH. - - 443 # SSH. +iptables_allow_icmp_inbound: + - ANY +iptables_allow_https_inbound: + - ANY # On data_transfer servers port 443 is used for SSH too. +iptables_allow_ssh_inbound: + - ANY ssh_host_signer_hostnames: "{{ ansible_hostname }}\ {% for network_id in ip_addresses[ansible_hostname] %}\ {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and diff --git a/group_vars/docs.yml b/group_vars/docs.yml index a02d4acb6..b9761f637 100644 --- a/group_vars/docs.yml +++ b/group_vars/docs.yml @@ -1,11 +1,33 @@ --- # -# Configure allowed network ports for geerlingguy.firewall role +# Firewall configuration. # -firewall_allowed_tcp_ports: - - '22' # SSH - - '80' # HTTP - - '443' # HTTPS +iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_inbound: + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_outbound: [] +iptables_allow_http_inbound: + - ANY +iptables_allow_https_inbound: + - ANY extra_jumphosts_for_docs_server: - 'airlock' # Gearshift - 'reception' # Talos diff --git a/group_vars/irods.yml b/group_vars/irods.yml index bb7a58fed..6017caa09 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml @@ -1,11 +1,19 @@ --- -firewall_allowed_tcp_ports: # list of open ports on iCAT server - - "22" # SSH. - - "443" # davrods SSL - - "1247" # irods - - "1248" # Control Plane Port - - "5432" # PostgreSQL - - "20000:20199" # irods +# +# Firewall configuration. +# +iptables_allow_icmp_inbound: + - ANY +iptables_allow_ssh_inbound: + - ANY +iptables_allow_ssh_outbound: + - ANY +iptables_allow_https_inbound: + - ANY # For DAVRODS. +iptables_allow_irods: + - ANY +iptables_allow_postgres_outbound: + - ANY ir_version: '-4.2.11*' # if defined (empty): version will be installed (must start with '-' and end with '*') ir_server_type: 'icat' # iRODS Server Type diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml index eacc89a30..f9400386d 100644 --- a/group_vars/jenkins.yml +++ b/group_vars/jenkins.yml @@ -1,11 +1,39 @@ --- # -# Configure allowed network ports for geerlingguy.firewall role +# Firewall configuration. # -firewall_allowed_tcp_ports: - - '22' # SSH - - '80' # HTTP - - '443' # HTTPS +iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_inbound: + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_outbound: + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" +iptables_allow_https_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" extra_jumphosts_for_jenkins_server: - 'airlock' # Gearshift - 'reception' # Talos diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index 08842543d..184d7bec5 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -5,8 +5,9 @@ iptables_allow_icmp_inbound: - ANY # -# HTTPS +# HTTP and HTTPS inbound. (HTTP and HTTPS always allowed by default to fetch packages from repos.) # +iptables_allow_http_inbound: [] iptables_allow_https_inbound: [] # # SSH. @@ -20,6 +21,10 @@ iptables_allow_ssh_outbound: # iptables_allow_ebi_mysql_outbound: [] # +# PostgreSQL (only outbound). +# +iptables_allow_postgresql_outbound: [] +# # FTP (only outbound). # iptables_allow_ftp_outbound: [] @@ -28,6 +33,10 @@ iptables_allow_ftp_outbound: [] # iptables_allow_aspera_outbound: [] # +# iRODS: by definition both inbound and outbound. +# +iptables_allow_irods: [] +# # Globus ToolKit (only outbound). # iptables_allow_globus_outbound: [] @@ -36,8 +45,7 @@ iptables_allow_globus_outbound: [] # iptables_log_dropped_packets: false # -# Set to true to ensure other iptables management software is disabled. +# Set to true (default) to ensure other iptables management software is disabled. # iptables_disable_firewalld: true -iptables_disable_ufw: true ... diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 29ae27419..79a446207 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -6,29 +6,14 @@ register: firewalld_installed ignore_errors: true changed_when: false - when: ansible_os_family == "RedHat" and firewall_disable_firewalld + when: ansible_os_family == "RedHat" and iptables_disable_firewalld - name: Disable the firewalld service on RedHat. - ansible.builtin.service: + ansible.builtin.systemd: name: firewalld state: stopped - enabled: no - when: ansible_os_family == "RedHat" and firewall_disable_firewalld and firewalld_installed.rc == 0 - -- name: Check if ufw package is installed (on Ubuntu). - ansible.builtin.shell: service ufw status - args: - warn: no - register: ufw_installed - ignore_errors: true - changed_when: false - when: ansible_distribution == "Ubuntu" and firewall_disable_ufw - notify: Disable ufw firewall. - -- name: Disable ufw firewall. - ansible.builtin.service: - name: ufw - state: stopped - enabled: no - when: ansible_distribution == "Ubuntu" and firewall_disable_ufw and ufw_installed.rc == 0 + enabled: false + daemon_reload: true + when: ansible_os_family == "RedHat" and iptables_disable_firewalld and firewalld_installed.rc == 0 + become: true ... \ No newline at end of file diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index bc39a7bff..476821c92 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -1,26 +1,3 @@ -############################################################################################################################################### -# Query tests -#- name: 'List hostinfo 1.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | map(attribute='value.device') | list }}" -# -#- name: 'List hostinfo 2.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | json_query(_query) }}" -# vars: -# _query: "*.ipv4.address" -# -#- name: 'List hostinfo 3.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | list }}" -# -#- name: 'List hostinfo 3.q' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | list | json_query(_query) }}" -# vars: -# _query: '[].{Name: value.device, IPv4: value.ipv4, IPv6: value.ipv6, Type: value.type}' -############################################################################################################################################### - # # This role configures host-based firewalls using iptables. # We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed: @@ -40,7 +17,7 @@ # * disable anything else over any other interface both internal and external. # --- -- name: 'Install iptables with yum.' +- name: Install iptables with yum. ansible.builtin.yum: state: latest update_cache: yes @@ -51,7 +28,7 @@ notify: restart_iptables become: true -- name: 'Enable netfilter kernel module for FTP connection tracking.' +- name: Enable netfilter kernel module for FTP connection tracking. ansible.builtin.lineinfile: path: '/etc/sysconfig/iptables-config' regexp: '^IPTABLES_MODULES=' @@ -61,24 +38,24 @@ - configure_iptables become: true -- name: 'Create lists of public IP addresses.' +- name: Create lists of public IP addresses. ansible.builtin.set_fact: public_ip_addresses: "{{ ansible_facts | dict2items | json_query('[*].value.ipv4.address') | map('ansible.utils.ipaddr', 'public') | list | reject('==', None) | list }}" -- name: 'Create lists of publicly exposed, private IP addresses.' +- name: Create lists of publicly exposed, private IP addresses. ansible.builtin.set_fact: publicly_exposed_internal_ip_addresses: "{{ all_ip_addresses[inventory_hostname] | dict2items | json_query('[?value.publicly_exposed].value.address') | list }}" -- name: 'Create lists of all publicly exposed IP addresses that need to be firewalled.' +- name: Create lists of all publicly exposed IP addresses that need to be firewalled. ansible.builtin.set_fact: all_publicly_exposed_ip_addresses: "{{ public_ip_addresses | default([]) }} + {{ publicly_exposed_internal_ip_addresses | default([]) }}" -- name: 'Create lists of internal and external network interfaces.' +- name: Create lists of internal and external network interfaces. ansible.builtin.set_fact: internal_interfaces: "{{ ansible_facts | dict2items | selectattr('value.ipv4.address', 'defined') @@ -89,26 +66,24 @@ | selectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" -- name: 'DEBUG: List discovered IP addressess and network interfaces.' +- name: 'INFO: List discovered IP addressess and network interfaces.' ansible.builtin.debug: msg: | All publicly exposed IP addresses: {{ all_publicly_exposed_ip_addresses }}. Internal interfaces: {{ internal_interfaces }}. External interfaces: {{ external_interfaces }}. -- name: 'Deploy firewall configuration script.' +- name: Deploy firewall configuration script. ansible.builtin.template: src: 'iptables-init.bash.j2' dest: '/etc/sysconfig/iptables-init.bash' owner: root group: root mode: 0700 - #notify: configure_iptables + notify: configure_iptables become: true -- meta: end_play - -- name: 'Configure the firewall service.' +- name: Configure the firewall service. ansible.builtin.service: name: "{{ item }}" state: 'started' @@ -120,15 +95,10 @@ notify: configure_iptables become: true -- ansible.builtin.import_tasks: disable-other-firewalls.yml +- name: Flush handlers for iptables role. + ansible.builtin.meta: flush_handlers + +- name: Disable other firewalls. + ansible.builtin.import_tasks: disable-other-firewalls.yml when: iptables_disable_firewalld or iptables_disable_ufw ... - - -# systemctl disable firewalld -# yum install iptables-services -# systemctl enable iptables -# systemctl enable ip6tables -# systemctl start iptables -# systemctl start ip6tables -# /root/firewall/firewall.sh \ No newline at end of file diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 index 0cb42738d..8747e872b 100755 --- a/roles/iptables/templates/iptables-init.bash.j2 +++ b/roles/iptables/templates/iptables-init.bash.j2 @@ -7,12 +7,6 @@ # # This file must be located in /etc/sysconfig/iptables-init.bash # -# Common port reference: -# 22: SSH -# 25: SMTP -# 80: HTTP -# 123: NTP -# 443: HTTPS # # Bash sanity. @@ -33,76 +27,7 @@ declare -a EXTERNAL_INTERFACES=( '{{ external_interface }}' {% endfor %} ) - -# -# Network addresses and ranges. -# LOOPBACK='127.0.0.0/8' -declare -a ALLOW_ICMP_INBOUND=( -{% if iptables_allow_icmp_inbound is defined %}{% for ip in iptables_allow_icmp_inbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_SSH_INBOUND=( -{% if iptables_allow_ssh_inbound is defined %}{% for ip in iptables_allow_ssh_inbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_SSH_OUTBOUND=( -{% if iptables_allow_ssh_outbound is defined %}{% for ip in iptables_allow_ssh_outbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_EBI_MYSQL_OUTBOUND=( -{% if iptables_allow_ebi_mysql_outbound is defined %}{% for ip in iptables_allow_ebi_mysql_outbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_FTP_OUTBOUND=( -{% if iptables_allow_ftp_outbound is defined %}{% for ip in iptables_allow_ftp_outbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_ASPERA_OUTBOUND=( -{% if iptables_allow_aspera_outbound is defined %}{% for ip in iptables_allow_aspera_outbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare -a ALLOW_GLOBUS_OUTBOUND=( -{% if iptables_allow_globus_outbound is defined %}{% for ip in iptables_allow_globus_outbound %} - {% if ip == 'ANY'%} - '{{ ip }}' - {% else %} - '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} - {% endif %} -{% endfor %}{% endif%} -) -declare GLOBUS_ORG_NET='{{ all.ip_addresses['globus_org']['net']['address'] }}{{ all.ip_addresses['globus_org']['net']['netmask'] }}' # {{ all.ip_addresses['globus_org']['net']['desc'] }} -declare GOOGLE_STUN='{{ all.ip_addresses['google']['stun']['address'] }}{{ all.ip_addresses['google']['stun']['netmask'] }}' # {{ all.ip_addresses['google']['stun']['desc'] }} # ## @@ -182,16 +107,28 @@ echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter ip6tables -F ip6tables -X +# +# Create custom chain for LOGDROP. +# +ip6tables -N LOGDROP +ip6tables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by ip6tables: ' +ip6tables -A LOGDROP -j DROP + # # Set the default policies to drop everything. # +{% if iptables_log_dropped_packets %} +ip6tables -P INPUT LOGDROP +{% else %} +ip6tables -P INPUT DROP +{% endif %} ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP # # We must accept IPv6 traffic on the loopback interface to prevent tests from failing -# during installation of verious software packages with network functionality. +# during installation of various software packages with network functionality. # ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT @@ -221,14 +158,12 @@ iptables -Z # Create custom chain for LOGDROP. # iptables -N LOGDROP -iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables firewall: ' +iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables: ' iptables -A LOGDROP -j DROP # -# Config default policies to drop. +# Set default policies to drop everything. # -# Log EVERYTHING (ONLY for Debugging). -# iptables -A INPUT -j LOG {% if iptables_log_dropped_packets %} iptables -P INPUT LOGDROP {% else %} @@ -261,6 +196,11 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do [[ -z "${EXT_INTERFACE}" ]] && continue # # Allow all outbound ICMP. + # + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT +{% if iptables_allow_icmp_inbound is defined and iptables_allow_icmp_inbound | length > 0 %} + # # Allow limited inbound ICMP: # Type 0 Echo Reply (a.k.a. pong) must be RELATED. # Type 8 Echo Request (a.k.a. ping) @@ -272,19 +212,21 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # The Time To Live (TTL) for the datagram has been exceeded. # Required for traceroute. # - iptables -A OUTPUT -o "${EXT_INTERFACE}" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT + declare -a ALLOW_ICMP_INBOUND=( + {% for ip in iptables_allow_icmp_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) for IP_ADDRESS in "${ALLOW_ICMP_INBOUND[@]}"; do - if [[ "${IP_ADDRESS}" == 'ANY' ]]; then - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - else - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - fi + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT done +{% endif%} # # Allow outbound NTP. # @@ -293,8 +235,8 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # # Allow outbound SMTP. # - iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -m multiport --dports 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 25,587 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound DNS. # @@ -303,35 +245,131 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT # + # Allow outbound LDAPS. + # + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT + # # Allow outbound HTTP. # iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT +{% if iptables_allow_http_inbound is defined and iptables_allow_http_inbound | length > 0 %} + # + # Allow inbound HTTP. + # + declare -a ALLOW_HTTP_INBOUND=( + {% for ip in iptables_allow_http_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_HTTP_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT +{% endif%} # # Allow outbound HTTPS. # iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT +{% if iptables_allow_https_inbound is defined and iptables_allow_https_inbound | length > 0 %} + # + # Allow inbound HTTPS. + # + declare -a ALLOW_HTTPS_INBOUND=( + {% for ip in iptables_allow_https_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_HTTPS_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ssh_inbound is defined and iptables_allow_ssh_inbound | length > 0 %} # - # Allow SSH inbound and outbound. + # Allow SSH inbound. # + declare -a ALLOW_SSH_INBOUND=( + {% for ip in iptables_allow_ssh_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) for IP_ADDRESS in "${ALLOW_SSH_INBOUND[@]}"; do iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT done + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ssh_outbound is defined and iptables_allow_ssh_outbound | length > 0 %} + # + # Allow SSH outbound. + # + declare -a ALLOW_SSH_OUTBOUND=( + {% for ip in iptables_allow_ssh_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) for IP_ADDRESS in "${ALLOW_SSH_OUTBOUND[@]}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ebi_mysql_outbound is defined and iptables_allow_ebi_mysql_outbound | length > 0 %} # # Allow MySQL outbound. # # Required a.o. for connections to the public Ensembl databases via the Ensembl Perl API # + declare -a ALLOW_EBI_MYSQL_OUTBOUND=( + {% for ip in iptables_allow_ebi_mysql_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) for IP_ADDRESS in "${ALLOW_EBI_MYSQL_OUTBOUND[@]}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_postgresql_outbound is defined and iptables_allow_postgresql_outbound | length > 0 %} + # + # Allow PostgreSQL outbound. + # + declare -a ALLOW_POSTGRESQL_OUTBOUND=( + {% for ip in iptables_allow_postgresql_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_POSTGRESQL_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 5432 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ftp_outbound is defined and iptables_allow_ftp_outbound | length > 0 %} # # Allow FTP outbound. # @@ -340,6 +378,15 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # The extra module must be added to /etc/sysconfig/iptables-config # IPTABLES_MODULES="nf_conntrack_ftp" # + declare -a ALLOW_FTP_OUTBOUND=( + {% for ip in iptables_allow_ftp_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) /sbin/modprobe nf_conntrack # Default module: should already be present, just checking here. /sbin/modprobe nf_conntrack_ftp # Extra module: should be added to /etc/sysconfig/iptables-config, just checking here. # @@ -348,20 +395,22 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do for IP_ADDRESS in "${ALLOW_FTP_OUTBOUND[@]}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT # # Secondly, allow FTP data connections. - # * For Active Mode FTP the client must accept RELATED connections from the server on port 20 + # * For Active Mode FTP the client must accept RELATED connections from the server on port 20 # to the client on a port number negotiated in the FTP control connection. - # * For Passive Mode FTP the client starts a RELATED connection from a random own high port number + # * For Passive Mode FTP the client starts a RELATED connection from a random own high port number # to the server's fixed high port number negotiated in the FTP control connection. - # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client + # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client # to pick up the negotiated port number from the FTP control packet payloads. # iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode +{% endif%} +{% if iptables_allow_aspera_outbound is defined and iptables_allow_aspera_outbound | length > 0 %} # # Allow Aspera outbound. # @@ -371,12 +420,23 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # In case the server OS doesn't allow UDP port sharing a range of UDP ports is used # where the number of ports determines the max number of concurrent connections/clients. # + declare -a ALLOW_ASPERA_OUTBOUND=( + {% for ip in iptables_allow_aspera_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) for IP_ADDRESS in "${ALLOW_ASPERA_OUTBOUND[@]}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i "${EXT_INTERFACE}" -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_globus_outbound is defined and iptables_allow_globus_outbound | length > 0 %} # # Allow Globus outbound. # @@ -389,12 +449,48 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # * TCP ports 50000-51000 outbound for data channel for transfers with Globus Connect Server endpoints. # * UDP ports 32768-65535 outbound for data channel for transfers with other Globus Connect Personal endpoints. # + declare -a ALLOW_GLOBUS_OUTBOUND=( + {% for ip in iptables_allow_globus_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + declare GLOBUS_ORG_NET='{{ all.ip_addresses['globus_org']['net']['address'] }}{{ all.ip_addresses['globus_org']['net']['netmask'] }}' # {{ all.ip_addresses['globus_org']['net']['desc'] }} + declare GOOGLE_STUN='{{ all.ip_addresses['google']['stun']['address'] }}{{ all.ip_addresses['google']['stun']['netmask'] }}' # {{ all.ip_addresses['google']['stun']['desc'] }} iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${GLOBUS_ORG_NET}" --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${GOOGLE_STUN}" --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT for IP_ADDRESS in "${ALLOW_GLOBUS_OUTBOUND[@]}"; do iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT done +{% endif%} +{% if iptables_allow_irods is defined and iptables_allow_irods | length > 0 %} + # + # Allow iRODS both inbound and outbound. + # + # iRODS requires: + # * TCP port 1247: Handshakes and data transfers. + # * TCP port 1248: Control Plane. + # * TCP ports 20000-20199: Dynamically allocated for direct machine to machine connections for large data transfers. + # * The iCAT requires a DataBase too, which is usually a PostgreSQL DB. Do not forget to open the corresponding port too. + # + declare -a ALLOW_IRODS=( + {% for ip in iptables_allow_irods %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_IRODS[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" -m multiport --ports 1247,1248,20000:20199 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --ports 1247,1248,20000:20199 -m state --state NEW,ESTABLISHED -j ACCEPT + done +{% endif%} done # From 9cf5ac85c279c1bc7521f9433fe802b3ead8a145 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 16:15:56 +0200 Subject: [PATCH 09/21] Cleanup: removed files no longer used. --- roles/iptables/tasks/main.yml.disabled | 45 -------------------------- single_role_playbooks/firewall.yml | 10 ------ 2 files changed, 55 deletions(-) delete mode 100755 roles/iptables/tasks/main.yml.disabled delete mode 100644 single_role_playbooks/firewall.yml diff --git a/roles/iptables/tasks/main.yml.disabled b/roles/iptables/tasks/main.yml.disabled deleted file mode 100755 index 462229346..000000000 --- a/roles/iptables/tasks/main.yml.disabled +++ /dev/null @@ -1,45 +0,0 @@ ---- -- name: Ensure iptables is present. - package: name=iptables state=present - -#- name: Flush iptables the first time playbook runs. -# command: > -# iptables -F -# creates=/etc/firewall.bash - -- name: Copy firewall configuration script into place. - template: - src: firewall.bash.j2 - dest: /etc/firewall.bash - owner: root - group: root - mode: 0744 - notify: restart firewall - -- name: Copy firewall init script into place (for System V init systems). - template: - src: firewall.init.j2 - dest: /etc/init.d/firewall - owner: root - group: root - mode: 0755 - when: "ansible_service_mgr != 'systemd'" - -- name: Copy firewall systemd unit file into place (for systemd systems). - template: - src: firewall.unit.j2 - dest: /etc/systemd/system/firewall.service - owner: root - group: root - mode: 0644 - when: "ansible_service_mgr == 'systemd'" - -- name: Configure the firewall service. - service: - name: firewall - state: "{{ iptables_state }}" - enabled: "{{ iptables_enabled }}" - -- import_tasks: disable-other-firewalls.yml - when: iptables_disable_firewalld or iptables_disable_ufw -... diff --git a/single_role_playbooks/firewall.yml b/single_role_playbooks/firewall.yml deleted file mode 100644 index f74c00ecb..000000000 --- a/single_role_playbooks/firewall.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Deploy the geerlingguy.firewall role. - hosts: - - jumphost - - cluster - - docs - - jenkins - roles: - - { role: geerlingguy.firewall, become: true } -... From 7480143f7f0ca8356dfe8225259f22cdeed7978f Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 16:16:33 +0200 Subject: [PATCH 10/21] Wrote small README for iptables role. --- roles/iptables/README.md | 108 ++++++++++----------------------------- 1 file changed, 27 insertions(+), 81 deletions(-) diff --git a/roles/iptables/README.md b/roles/iptables/README.md index 62bde29e4..99aaff932 100755 --- a/roles/iptables/README.md +++ b/roles/iptables/README.md @@ -1,95 +1,41 @@ -# Ansible Role: Firewall (iptables) +# Ansible Role: iptables -https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7 - -[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall) - -Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`). - -This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall. - -After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall. - -## Requirements - -None. +This role configures host-based firewalls using iptables: both for IPv4 (`iptables`) and for IPv6 (`ip6tables`). +After deployment, `iptables` and `ip6tables` init services will be available on the server. +Use `service ip[6]tables [start|stop|restart|status]` to control the firewall. ## Role Variables -Available variables are listed below, along with default values (see `defaults/main.yml`): - - firewall_state: started - firewall_enabled_at_boot: true - -Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`). - - firewall_allowed_tcp_ports: - - "22" - - "80" - ... - firewall_allowed_udp_ports: [] - -A list of TCP or UDP ports (respectively) to open to incoming traffic. - - firewall_forwarded_tcp_ports: - - { src: "22", dest: "2222" } - - { src: "80", dest: "8080" } - firewall_forwarded_udp_ports: [] - -Forward `src` port to `dest` port, either TCP or UDP (respectively). - - firewall_additional_rules: [] - firewall_ip6_additional_rules: [] - -Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used: - - # Allow only the IP 167.89.89.18 to access port 4949 (Munin). - firewall_additional_rules: - - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT" - - # Allow only the IP 214.192.48.21 to access port 3306 (MySQL). - firewall_additional_rules: - - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT" - -See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples. - - firewall_log_dropped_packets: true - -Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: "). - - firewall_disable_firewalld: false - firewall_disable_ufw: false - -Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively. - -## Dependencies - -None. +See `defaults/main.yml`. All role variables are prefixed with` iptables_` -## Example Playbook +## Logic - - hosts: server - vars_files: - - vars/main.yml - roles: - - { role: geerlingguy.firewall } +#### IPv4 -*Inside `vars/main.yml`*: +We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed. +This role considers an IP _publicly exposed_ when it - firewall_allowed_tcp_ports: - - "22" - - "25" - - "80" + * either a _public_ IP address + * or a private address and traffic from a _floating_, _public_ IP is routed to this private IP. -## TODO +Next we fetch the network interface names for all _publicly exposed_ IP addresses: - - Make outgoing ports more configurable. - - Make other firewall features (like logging) configurable. + * **internal** interfaces = those who do **not** use a _publicly exposed_ IP address. + * **external** interfaces = those who do use a _publicly exposed_ IP address. -## License +Finally we configure the IPv4 firewall to: -MIT / BSD + * **internal** interfaces (including loopback interfaces): Allow anything. + * **external** interfaces: + * Disable anything by default + * Allow specific services on specific ports to/from specific subnets. + * A subnet is specified with mask as [0-9].[0-9].[0-9].[0-9]/[0-9] and may contain one or more IP addresses. + E.g. 111.111.111.111/32 is the single machine 111.111.111.111 + and 111.111.111.0/24 is the range from 111.111.111.1 up to and including 111.111.111.254. + * Defaults for supported services for which this role can configure the firewall are listed in `defaults/main.yml`. -## Author Information +#### IPv6 -This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). +We do not use IPv6 and configure the IPv6 firewall to: + * Allow anything over the loopback interface. + * Disable anything else over any other interface both internal and external. From 626c8eef086a86523d0b94633b47c24b56115e92 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 16:20:39 +0200 Subject: [PATCH 11/21] Several fixes, updated group vars for changes in iptables role and replaced geerlingguy.firewall with new iptables role. --- group_vars/docs.yml | 1 - group_vars/talos_cluster/vars.yml | 43 ---------------------- requirements.yml | 2 - roles/iptables/defaults/main.yml | 3 +- roles/iptables/tasks/main.yml | 18 --------- single_group_playbooks/cluster_part1.yml | 1 + single_group_playbooks/data_transfer.yml | 2 +- single_group_playbooks/docs.yml | 1 + single_group_playbooks/irods.yml | 2 +- single_group_playbooks/jenkins.yml | 1 + single_group_playbooks/jumphost.yml | 2 +- static_inventories/talos_cluster.yml | 14 +++++++ static_inventories/wingedhelix_cluster.yml | 7 ++++ 13 files changed, 28 insertions(+), 69 deletions(-) diff --git a/group_vars/docs.yml b/group_vars/docs.yml index b9761f637..7efdbdd0e 100644 --- a/group_vars/docs.yml +++ b/group_vars/docs.yml @@ -23,7 +23,6 @@ iptables_allow_ssh_inbound: - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" -iptables_allow_ssh_outbound: [] iptables_allow_http_inbound: - ANY iptables_allow_https_inbound: diff --git a/group_vars/talos_cluster/vars.yml b/group_vars/talos_cluster/vars.yml index f8b5ecac3..f73b1be3b 100644 --- a/group_vars/talos_cluster/vars.yml +++ b/group_vars/talos_cluster/vars.yml @@ -176,47 +176,4 @@ ega_fuse_client_mounts: cineca: '/groups/umcg-cineca/prm08/ega-fuse-client' solve_rd: '/groups/umcg-solve-rd/prm08/ega-fuse-client' ega_fuse_client_java_home: '/etc/alternatives/jre_11_openjdk' -iptables_allow_icmp_inbound: - - "{{ all.ip_addresses['umcg']['net1'] }}" - - "{{ all.ip_addresses['umcg']['net2'] }}" - - "{{ all.ip_addresses['umcg']['net3'] }}" - - "{{ all.ip_addresses['umcg']['net4'] }}" - - "{{ all.ip_addresses['rug']['bwp_net'] }}" - - "{{ all.ip_addresses['rug']['operator'] }}" - - "{{ all.ip_addresses['gcc']['cloud_net'] }}" - - "{{ calculon_cluster.ip_addresses['lobby']['vlan16'] }}" - - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" - - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" - - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" - - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" - - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" -iptables_allow_ssh_inbound: - - ANY -iptables_allow_ssh_outbound: - - ANY -#iptables_allow_ebi_mysql_outbound: -# - 'ebi_sanger_net1' -# - 'ebi_sanger_net2' -#iptables_allow_ftp_outbound: -# - 'ebi_sanger_net1' -# - 'ebi_sanger_net2' -# - 'broad_ftp' -# - 'ncbi_net1' -# - 'ncbi_net2' -#iptables_allow_aspera_outbound: -# - 'ebi_sanger_net1' -# - 'ebi_sanger_net2' -# - 'broad_aspera_1' -# - 'broad_aspera_2' -# - 'broad_aspera_3' -# - 'broad_aspera_4' -# - 'broad_aspera_5' -# - 'broad_aspera_6' -# - 'broad_aspera_7' -# - 'broad_aspera_8' -# - 'broad_aspera_9' -# - 'ncbi_net1' -# - 'ncbi_net2' -#iptables_allow_globus_outbound: -# - 'sanger_globus' ... diff --git a/requirements.yml b/requirements.yml index 0dabc3da5..92ef86169 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,8 +3,6 @@ # --- roles: - - src: geerlingguy.firewall - version: 2.5.0 - src: geerlingguy.repo-epel version: 3.0.0 - src: geerlingguy.security diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index 184d7bec5..d5f5c0c60 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -14,8 +14,7 @@ iptables_allow_https_inbound: [] # iptables_allow_ssh_inbound: - ANY -iptables_allow_ssh_outbound: - - ANY +iptables_allow_ssh_outbound: [] # # Public MySQL databases @ EBI (only outbound). # diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 476821c92..ba12698ab 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -1,21 +1,3 @@ -# -# This role configures host-based firewalls using iptables. -# We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed: -# * either a public IP address -# * or a publicly exposed private address: traffic from a flaoting public IP is routed to this private IP. -# Next we fetch the network interface names for all all publicly exposed addresses: -# * internal interfaces = those who do not use a publicly exposed IP address. -# * external interfaces = those who do use a publicly exposed IP address. -# Finally we configure the IPv4 firewall to: -# * allow anything over internal interfaces (including loopback interfaces). -# * disable anything by default except for specific services on specific ports to/from specific subnets. -# A subnet is specified with mask as [0-9].[0-9].[0-9].[0-9]/[0-9] and may contain one or more IP addresses. -# E.g. 111.111.111.111/32 is the single machine 111.111.111.111 -# and 111.111.111.0/24 is the range from 111.111.111.1 up to and including 111.111.111.254. -# Finally we configure the IPv6 firewall to: -# * allow anything over the loopback interface. -# * disable anything else over any other interface both internal and external. -# --- - name: Install iptables with yum. ansible.builtin.yum: diff --git a/single_group_playbooks/cluster_part1.yml b/single_group_playbooks/cluster_part1.yml index 8b1d6b3b9..66f2b54bc 100644 --- a/single_group_playbooks/cluster_part1.yml +++ b/single_group_playbooks/cluster_part1.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - swap - {role: spacewalk_client, when: repo_manager == 'spacewalk'} diff --git a/single_group_playbooks/data_transfer.yml b/single_group_playbooks/data_transfer.yml index db06cabb2..aa8d8409e 100644 --- a/single_group_playbooks/data_transfer.yml +++ b/single_group_playbooks/data_transfer.yml @@ -7,11 +7,11 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update - {role: geerlingguy.repo-epel, become: true} - - {role: geerlingguy.firewall, become: true} - logins - role: ldap when: diff --git a/single_group_playbooks/docs.yml b/single_group_playbooks/docs.yml index d53b76111..6453c6cee 100644 --- a/single_group_playbooks/docs.yml +++ b/single_group_playbooks/docs.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update diff --git a/single_group_playbooks/irods.yml b/single_group_playbooks/irods.yml index 5546ab709..6505c9c0c 100644 --- a/single_group_playbooks/irods.yml +++ b/single_group_playbooks/irods.yml @@ -6,6 +6,7 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - pulp_client - static_hostname_lookup @@ -13,7 +14,6 @@ - logins - sshd - {role: geerlingguy.security, become: true} - - {role: geerlingguy.firewall, become: true} - remove - update - docker diff --git a/single_group_playbooks/jenkins.yml b/single_group_playbooks/jenkins.yml index 70118d5ce..159efb76e 100644 --- a/single_group_playbooks/jenkins.yml +++ b/single_group_playbooks/jenkins.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update diff --git a/single_group_playbooks/jumphost.yml b/single_group_playbooks/jumphost.yml index 2fb71b6c4..a441a8864 100644 --- a/single_group_playbooks/jumphost.yml +++ b/single_group_playbooks/jumphost.yml @@ -7,13 +7,13 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - {role: yum_local, when: local_yum_repository is defined} - logrotate - remove - update - {role: geerlingguy.repo-epel, become: true} - - {role: geerlingguy.firewall, become: true} - logins - role: ldap when: diff --git a/static_inventories/talos_cluster.yml b/static_inventories/talos_cluster.yml index 9349977d0..8c78d15ef 100644 --- a/static_inventories/talos_cluster.yml +++ b/static_inventories/talos_cluster.yml @@ -8,6 +8,20 @@ all: hosts: reception: cloud_flavor: 2C-4GB + iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ calculon_cluster.ip_addresses['lobby']['vlan16'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" repo: hosts: tl-repo: diff --git a/static_inventories/wingedhelix_cluster.yml b/static_inventories/wingedhelix_cluster.yml index 2e50ab56e..5514f84d9 100644 --- a/static_inventories/wingedhelix_cluster.yml +++ b/static_inventories/wingedhelix_cluster.yml @@ -9,6 +9,13 @@ all: porch: cloud_flavor: m1.small security_ssh_challenge_response_auth: 'yes' # geerlingguy.security fix sshd_config 2FA + iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" repo: hosts: wh-repo: From 05119ad057a0b1717dc912e78d6942ada2d1d6f9 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 16:47:54 +0200 Subject: [PATCH 12/21] Fixed linter issues. --- roles/iptables/defaults/main.yml | 6 +++--- roles/iptables/tasks/disable-other-firewalls.yml | 11 ++++++----- roles/iptables/tasks/main.yml | 6 +++--- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index d5f5c0c60..0144758ca 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -1,7 +1,7 @@ --- # # ICMP (only inbound; outbound ICMP is allowed without restrictions). -# +# iptables_allow_icmp_inbound: - ANY # @@ -20,7 +20,7 @@ iptables_allow_ssh_outbound: [] # iptables_allow_ebi_mysql_outbound: [] # -# PostgreSQL (only outbound). +# PostgreSQL (only outbound). # iptables_allow_postgresql_outbound: [] # @@ -28,7 +28,7 @@ iptables_allow_postgresql_outbound: [] # iptables_allow_ftp_outbound: [] # -# Aspera (only outbound). +# Aspera (only outbound). # iptables_allow_aspera_outbound: [] # diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 79a446207..34cc4e0be 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -1,10 +1,11 @@ --- - name: Check if firewalld package is installed on RedHat. - ansible.builtin.shell: yum list installed firewalld - args: - warn: no + ansible.builtin.command: + cmd: yum list installed firewalld register: firewalld_installed - ignore_errors: true + failed_when: + - firewalld_installed.rc != 0 + - ('No matching Packages to list' not in firewalld_installed.stderr) changed_when: false when: ansible_os_family == "RedHat" and iptables_disable_firewalld @@ -16,4 +17,4 @@ daemon_reload: true when: ansible_os_family == "RedHat" and iptables_disable_firewalld and firewalld_installed.rc == 0 become: true -... \ No newline at end of file +... diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index ba12698ab..de9e1b5c8 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -2,7 +2,7 @@ - name: Install iptables with yum. ansible.builtin.yum: state: latest - update_cache: yes + update_cache: true name: - 'iptables' - 'iptables-services' @@ -72,8 +72,8 @@ enabled: 'yes' daemon_reload: 'yes' with_items: - - 'iptables' - - 'ip6tables' + - 'iptables' + - 'ip6tables' notify: configure_iptables become: true From e4ad04d1a1bddb24bab327c78694623a4780cb51 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 17:12:42 +0200 Subject: [PATCH 13/21] Fixed linter issues. --- roles/iptables/tasks/disable-other-firewalls.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 34cc4e0be..7a5e1894f 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -1,7 +1,7 @@ --- - name: Check if firewalld package is installed on RedHat. - ansible.builtin.command: - cmd: yum list installed firewalld + ansible.builtin.yum: + list: installed firewalld register: firewalld_installed failed_when: - firewalld_installed.rc != 0 From d47b8a75f7544261827f80c7527e7686137fb78e Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 17:36:46 +0200 Subject: [PATCH 14/21] Fixed additional linter issues. --- roles/iptables/tasks/disable-other-firewalls.yml | 16 ++++++---------- roles/iptables/tasks/main.yml | 2 +- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 7a5e1894f..0a085a695 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -1,20 +1,16 @@ --- -- name: Check if firewalld package is installed on RedHat. +- name: List installed packages. ansible.builtin.yum: - list: installed firewalld - register: firewalld_installed - failed_when: - - firewalld_installed.rc != 0 - - ('No matching Packages to list' not in firewalld_installed.stderr) + list: installed + register: yum_list_installed changed_when: false - when: ansible_os_family == "RedHat" and iptables_disable_firewalld -- name: Disable the firewalld service on RedHat. +- name: Disable the firewalld service if the firewalld package was installed. ansible.builtin.systemd: name: firewalld state: stopped enabled: false - daemon_reload: true - when: ansible_os_family == "RedHat" and iptables_disable_firewalld and firewalld_installed.rc == 0 + daemon_reload : true + when: yum_list_installed.results | selectattr('name', 'equalto', 'firewalld') | list | length > 0 become: true ... diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index de9e1b5c8..f03999c0f 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -82,5 +82,5 @@ - name: Disable other firewalls. ansible.builtin.import_tasks: disable-other-firewalls.yml - when: iptables_disable_firewalld or iptables_disable_ufw + when: iptables_disable_firewalld ... From 7340bf38102a09703e8209e52be70611c98dc053 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 8 Aug 2022 17:39:26 +0200 Subject: [PATCH 15/21] Fixed additional linter issues. --- roles/iptables/tasks/disable-other-firewalls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 0a085a695..e6a6eb9a7 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -10,7 +10,7 @@ name: firewalld state: stopped enabled: false - daemon_reload : true + daemon_reload: true when: yum_list_installed.results | selectattr('name', 'equalto', 'firewalld') | list | length > 0 become: true ... From e013a9d3f98c64a472dc985707d3a4b28b321b75 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Thu, 11 Aug 2022 13:52:52 +0200 Subject: [PATCH 16/21] Removed redundant line that overruled an if then else block. --- roles/iptables/templates/iptables-init.bash.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 index 8747e872b..cf4f2d2ed 100755 --- a/roles/iptables/templates/iptables-init.bash.j2 +++ b/roles/iptables/templates/iptables-init.bash.j2 @@ -122,7 +122,6 @@ ip6tables -P INPUT LOGDROP {% else %} ip6tables -P INPUT DROP {% endif %} -ip6tables -P INPUT DROP ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP From b206fbc0f4beed95bd0981f6b72edb31b186f003 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Thu, 11 Aug 2022 16:27:26 +0200 Subject: [PATCH 17/21] Improved firewall and security group config for iRODS machines on Merlin. --- deploy-os_servers.yml | 31 ++++++++++++++++++-------- group_vars/all/ip_addresses.yml | 4 ++++ static_inventories/nibbler_cluster.yml | 3 +++ 3 files changed, 29 insertions(+), 9 deletions(-) diff --git a/deploy-os_servers.yml b/deploy-os_servers.yml index 630e74a12..dd537cb8d 100644 --- a/deploy-os_servers.yml +++ b/deploy-os_servers.yml @@ -85,6 +85,7 @@ # portip: 10.10.1.1 wait: true timeout: "{{ openstack_api_timeout }}" + when: false # # Jumphosts security group. # @@ -216,30 +217,45 @@ name: "{{ stack_prefix }}_irods" description: | Security group for iRODS machines. - Allows SSH inbound on ports 22 and 443. + Allows SSH and ICMP inbound from jumphosts. + Allows DAVRODS on port 443. Allows iRODS inbound on ports 1247 and 20000-20199. - Allows ICMP inbound. Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" when: groups['irods'] | default([]) | length >= 1 - - name: "Add rules to {{ stack_prefix }}_irods security group." + - name: "Add rules to {{ stack_prefix }}_irods security group: allow inbound traffic from {{ stack_prefix }}_jumphosts security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_irods" direction: ingress protocol: "{{ item.protocol }}" port_range_min: "{{ item.port_min }}" port_range_max: "{{ item.port_max }}" - remote_ip_prefix: 0.0.0.0/0 + remote_group: "{{ stack_prefix }}_jumphosts" wait: true timeout: "{{ openstack_api_timeout }}" with_items: - protocol: tcp port_min: 22 # SSH port_max: 22 # SSH + - protocol: icmp + port_min: -1 # ICMP protocol does not have any ports. + port_max: -1 # ICMP protocol does not have any ports. + when: groups['irods'] | default([]) | length >= 1 + - name: "Add rules to {{ stack_prefix }}_irods security group." + openstack.cloud.security_group_rule: + security_group: "{{ stack_prefix }}_irods" + direction: ingress + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port_min }}" + port_range_max: "{{ item.port_max }}" + remote_ip_prefix: 0.0.0.0/0 + wait: true + timeout: "{{ openstack_api_timeout }}" + with_items: - protocol: tcp - port_min: 443 # SSH - port_max: 443 # SSH + port_min: 443 # DAVRODS + port_max: 443 # DAVRODS - protocol: tcp port_min: 636 # LDAPS port_max: 636 # LDAPS @@ -252,9 +268,6 @@ - protocol: tcp port_min: 20000 # iRODS port_max: 20199 # iRODS - - protocol: icmp - port_min: -1 # ICMP protocol does not have any ports. - port_max: -1 # ICMP protocol does not have any ports. when: groups['irods'] | default([]) | length >= 1 - name: "Add rules to {{ stack_prefix }}_irods security group: allow inbound traffic from machines in the same security group." openstack.cloud.security_group_rule: diff --git a/group_vars/all/ip_addresses.yml b/group_vars/all/ip_addresses.yml index ed1edde53..900411c28 100644 --- a/group_vars/all/ip_addresses.yml +++ b/group_vars/all/ip_addresses.yml @@ -92,6 +92,10 @@ ip_addresses: address: '145.100.5.194' netmask: '/32' fqdn: 'ui.grid.sara.nl' + umcg-resc1: + address: '145.38.219.24' + netmask: '/32' + fqdn: 'umcg-resc1.irods.surfsara.nl' eriba: ds: address: '129.125.161.80' diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 537fa651c..4c59afc1e 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml @@ -57,6 +57,9 @@ all: local_volume_size_extra: 20 fqdn: umcg-icat01.hpc.rug.nl davrods_icat_ip: "{{ ip_addresses[inventory_hostname][network_private_management_id]['address'] }}" + iptables_allow_ssh_outbound: [] + iptables_allow_irods: + - "{{ all.ip_addresses['surfsara']['umcg-resc1'] }}" docs: hosts: docs_on_merlin: From 47a6fdc7cc287789844766026ce7ea1f5a1b572b Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 15 Aug 2022 15:51:11 +0200 Subject: [PATCH 18/21] Relocated configuration of kernel network tweaks to make sure they will survive a reboot. --- roles/iptables/defaults/main.yml | 23 ++++++++++ roles/iptables/tasks/main.yml | 13 +++++- .../iptables/templates/iptables-init.bash.j2 | 42 ------------------- 3 files changed, 35 insertions(+), 43 deletions(-) diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index 0144758ca..fe3259bec 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -1,4 +1,27 @@ --- +kernel_network_tweaks: + - name: net.ipv4.conf.all.forwarding + value: 0 # Disable forwarding, which is only required on routers. + - name: net.ipv6.conf.all.forwarding + value: 0 # Disable forwarding, which is only required on routers. + - name: net.ipv4.conf.all.accept_redirects + value: 0 # Disable redirects, which are only required on routers. + - name: net.ipv6.conf.all.accept_redirects + value: 0 # Disable redirects, which are only required on routers. + - name: net.ipv4.tcp_syncookies # Confusing name, but applies to IP version 6 as well. + value: 1 # Prevent SYNC-floods. + - name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 # Limit response to ICMP packets. + - name: net.ipv4.icmp_ignore_bogus_error_responses + value: 1 # Limit response to ICMP packets. + - name: net.ipv4.conf.all.accept_source_route + value: 0 # Disable source routed packets, which should only be required for debugging network issues. + - name: net.ipv6.conf.all.accept_source_route + value: 0 # Disable source routed packets, which should only be required for debugging network issues. + - name: net.ipv4.conf.all.rp_filter + value: 1 # Enable IP spoofing protection. + - name: net.ipv4.conf.all.log_martians + value: 0 # Disable logging of spoofed, source routed and redirect packets to prevent flooding the logs. # # ICMP (only inbound; outbound ICMP is allowed without restrictions). # diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index f03999c0f..4b4d24742 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -20,6 +20,17 @@ - configure_iptables become: true +- name: Add kernel network tweaks to /etc/sysctl.d/60-ansible-managed-network.conf. + ansible.posix.sysctl: + sysctl_file: '/etc/sysctl.d/60-ansible-managed-network.conf' + name: "{{ item.name }}" + value: "{{ item.value }}" + sysctl_set: true + state: present + reload: yes + loop: "{{ kernel_network_tweaks }}" + become: true + - name: Create lists of public IP addresses. ansible.builtin.set_fact: public_ip_addresses: "{{ ansible_facts | dict2items @@ -48,7 +59,7 @@ | selectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" -- name: 'INFO: List discovered IP addressess and network interfaces.' +- name: List discovered IP addressess and network interfaces. ansible.builtin.debug: msg: | All publicly exposed IP addresses: {{ all_publicly_exposed_ip_addresses }}. diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 index cf4f2d2ed..0f122636c 100755 --- a/roles/iptables/templates/iptables-init.bash.j2 +++ b/roles/iptables/templates/iptables-init.bash.j2 @@ -53,48 +53,6 @@ else exit 1 fi -# -## -### Kernel tweaks. -## -# - -# -# Disable redirects and forwarding, which are only required on routers. -# -echo '0' > /proc/sys/net/ipv4/conf/all/forwarding -echo '0' > /proc/sys/net/ipv6/conf/all/forwarding -echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects -echo '0' > /proc/sys/net/ipv6/conf/all/accept_redirects - -# -# Prevent SYNC-floods. -# -echo '1' > /proc/sys/net/ipv4/tcp_syncookies # confusing name, but applies to IP version 6 as well. - -# -# Limit response to ICMP packets. -# -echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses - -# -# Disable logging of spoofed packets, source routed packets, -# and redirect packets to prevent flooding the logs. -# -echo '0' > /proc/sys/net/ipv4/conf/all/log_martians - -# -# Disable source routed packets, which should only be required for debugging network issues. -# -echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route -echo '0' > /proc/sys/net/ipv6/conf/all/accept_source_route - -# -# Enable IP spoofing protection. -# -echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter - # ## ### IPv6: disable all and log. From dafa64bf978fa11103f335720d1b96abbb0774b9 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 15 Aug 2022 15:54:17 +0200 Subject: [PATCH 19/21] Deleted unused roles/iptables/templates/firewall.unit.j2 --- roles/iptables/templates/firewall.unit.j2 | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100755 roles/iptables/templates/firewall.unit.j2 diff --git a/roles/iptables/templates/firewall.unit.j2 b/roles/iptables/templates/firewall.unit.j2 deleted file mode 100755 index ad2655806..000000000 --- a/roles/iptables/templates/firewall.unit.j2 +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Firewall -After=syslog.target network.target - -[Service] -Type=oneshot -ExecStart=/etc/sysconfig/iptables-init.bash -ExecStop=/sbin/iptables -F -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target From 1fd1a095995f11ed7e1c57b3435b73d7e9a60723 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 15 Aug 2022 15:58:07 +0200 Subject: [PATCH 20/21] Fixed linter issue. --- roles/iptables/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 4b4d24742..6b94b7975 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -27,7 +27,7 @@ value: "{{ item.value }}" sysctl_set: true state: present - reload: yes + reload: true loop: "{{ kernel_network_tweaks }}" become: true From 58b60dab589e0f9701c731652a191994a4bf15c8 Mon Sep 17 00:00:00 2001 From: Pieter Neerincx Date: Tue, 16 Aug 2022 14:04:22 +0200 Subject: [PATCH 21/21] Update roles/iptables/README.md Co-authored-by: scimerman <80223690+scimerman@users.noreply.github.com> --- roles/iptables/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/iptables/README.md b/roles/iptables/README.md index 99aaff932..7d04c7174 100755 --- a/roles/iptables/README.md +++ b/roles/iptables/README.md @@ -13,7 +13,7 @@ See `defaults/main.yml`. All role variables are prefixed with` iptables_` #### IPv4 We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed. -This role considers an IP _publicly exposed_ when it +This role considers an IP _publicly exposed_ when it is * either a _public_ IP address * or a private address and traffic from a _floating_, _public_ IP is routed to this private IP.