
#1  2021-03-19 22:07:27

White_Dream - User
Registered: 2021-03-11

iptables configuration

I wrote an Ansible role for configuring the firewall on Linux. Should I also filter OUTPUT, or is INPUT alone enough? What could I improve in my role?

Variable definitions:

Code:

---
# Default head (allow) rules
iptables_default_head: |
  -P INPUT DROP
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP

ip6tables_default_head: |
  -P INPUT DROP
  -P FORWARD DROP
  -P OUTPUT ACCEPT
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT

# Default tail (deny) rules
iptables_default_tail: |
  -A INPUT -j LOG --log-prefix "INPUT DROP: " --log-level 6
  -A INPUT -j DROP

ip6tables_default_tail: |
  -A INPUT -j LOG --log-prefix "INPUT DROP: " --log-level 6
  -A INPUT -j DROP

allow_ping: yes
allow_ssh: no
allow_http: no
allow_https: no
allow_ftp: no
allow_rsync: no
allow_mysql: no
allow_pgsql: no
allow_smtp: no
allow_imap: no
allow_imaps: no
allow_pop3: no
allow_pop3s: no
allow_ldap: no

ipv4_only: no

iptables_custom_rules: []
ip6tables_custom_rules: []
# Example:
# iptables_custom_rules:
#   - name: open_port_12345 # 'iptables_custom_rules_' will be prepended to this
#     rules: '-A INPUT -p tcp --dport 12345 -j ACCEPT'
#     state: present
#     weight: 40
#     ipversion: 4
#     table: filter
#
# NOTE: 'name', 'rules' and 'state' are required, others are optional.

# By default this role deletes all iptables rules which are not managed by Ansible.
# Set this to 'yes', if you want the role to keep unmanaged rules.
iptables_keep_unmanaged: no
ip6tables_keep_unmanaged: no
...

Tasks:

Code:

---
- name: Allow IPv4 ping
  iptables_raw:
    name: 'iptables_allow_ping'
    rules: '-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT'
    state: present
    ipversion: '4'
  when: allow_ping

- name: Allow IPv6 ping
  iptables_raw:
    name: 'iptables_allow_ping'
    rules: '-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT'
    state: present
    ipversion: '6'
  when: allow_ping and not ipv4_only

- name: Allow incoming ssh connections
  iptables_raw:
    # no ipversion here (and in the tasks below): iptables_raw defaults to 4,
    # so these rules are never added to ip6tables even when ipv4_only is 'no'
    name: 'iptables_allow_ssh'
    rules: '-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_ssh

- name: Allow incoming http connections
  iptables_raw:
    name: 'iptables_allow_http'
    rules: '-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_http

- name: Allow incoming https connections
  iptables_raw:
    name: 'iptables_allow_https'
    rules: '-A INPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_https

- name: Allow incoming ftp connections
  iptables_raw:
    name: 'iptables_allow_ftp'
    rules: '-A INPUT -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_ftp

- name: Allow incoming rsync connections
  iptables_raw:
    name: 'iptables_allow_rsync'
    rules: '-A INPUT -p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_rsync

- name: Allow incoming MySQL connections
  iptables_raw:
    name: 'iptables_allow_mysql'
    rules: '-A INPUT -p tcp -m tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_mysql

- name: Allow incoming PostgreSQL connections
  iptables_raw:
    name: 'iptables_allow_postgresql'
    rules: '-A INPUT -p tcp -m tcp --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_pgsql

- name: Allow incoming SMTP connections (ports 25, 587 and 465)
  iptables_raw:
    # iptables_raw keys its rules on 'name': three separate tasks all named
    # 'iptables_allow_smtp' would each replace the previous one's rules and only
    # port 465 would end up open, so all three rules go into one call
    name: 'iptables_allow_smtp'
    rules: |
      -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT
    state: present
  when: allow_smtp

- name: Allow incoming IMAP connections
  iptables_raw:
    name: 'iptables_allow_imap'
    rules: '-A INPUT -p tcp -m tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_imap

- name: Allow incoming IMAPS connections
  iptables_raw:
    name: 'iptables_allow_imaps'
    rules: '-A INPUT -p tcp -m tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_imaps

- name: Allow incoming POP3 connections
  iptables_raw:
    name: 'iptables_allow_pop3'
    rules: '-A INPUT -p tcp -m tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_pop3

- name: Allow incoming POP3S connections
  iptables_raw:
    name: 'iptables_allow_pop3s'
    rules: '-A INPUT -p tcp -m tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT'
    state: present
  when: allow_pop3s

- name: Allow incoming LDAP connections
  iptables_raw:
    # tcp and udp under one name in one call: a second iptables_raw call with the
    # same name replaces the first one's rules, so the tcp rule would be lost
    name: 'iptables_allow_ldap'
    rules: |
      -A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
      -A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT
    state: present
  when: allow_ldap

- name: Set custom iptables rules
  iptables_raw:
    name: 'iptables_custom_rules_{{ item.name }}'
    rules: '{{ item.rules }}'
    state: '{{ item.state }}'
    weight: '{{ item.weight|default(omit) }}'
    table: '{{ item.table|default(omit) }}'
    ipversion: '4'
  with_items: '{{ iptables_custom_rules }}'
  tags: iptables

- name: Set default iptables head rules
  iptables_raw:
    name: iptables_default_head
    weight: 10
    keep_unmanaged: '{{ iptables_keep_unmanaged }}'
    state: present
    rules: '{{ iptables_default_head }}'
    ipversion: '4'
  tags: iptables

- name: Set default iptables tail rules
  iptables_raw:
    name: iptables_default_tail
    weight: 99
    keep_unmanaged: '{{ iptables_keep_unmanaged }}'
    state: '{{ (iptables_default_tail != "" ) | ternary("present", "absent") }}'
    rules: '{{ iptables_default_tail }}'
    ipversion: '4'
  tags: iptables

- name: Set custom ip6tables rules
  iptables_raw:
    name: 'ip6tables_custom_rules_{{ item.name }}'
    rules: '{{ item.rules }}'
    state: '{{ item.state }}'
    weight: '{{ item.weight|default(omit) }}'
    table: '{{ item.table|default(omit) }}'
    ipversion: '6'
  with_items: '{{ ip6tables_custom_rules }}'
  when: not ipv4_only
  tags: ip6tables

- name: Set default ip6tables head rules
  iptables_raw:
    name: ip6tables_default_head
    weight: 10
    keep_unmanaged: '{{ ip6tables_keep_unmanaged }}'
    state: present
    rules: '{{ ip6tables_default_head }}'
    ipversion: '6'
  when: not ipv4_only
  tags: ip6tables

- name: Set default ip6tables tail rules
  iptables_raw:
    # the IPv6 tail used the IPv4 name and the IPv4 keep_unmanaged variable,
    # so ip6tables_keep_unmanaged had no effect; both now use the ip6tables ones
    name: ip6tables_default_tail
    weight: 99
    keep_unmanaged: '{{ ip6tables_keep_unmanaged }}'
    state: '{{ (ip6tables_default_tail != "" ) | ternary("present", "absent") }}'
    rules: '{{ ip6tables_default_tail }}'
    ipversion: '6'
  when: not ipv4_only
  tags: ip6tables
...

Last edited by White_Dream (2021-03-19 22:08:08)
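A check worth running over a role like the one above is whether two iptables_raw calls reuse the same name, since the module keys its saved rules on `name` per table and IP version, so the later call replaces the earlier one's rules rather than adding to them, and whether calls leave `ipversion` unset (the module then defaults to 4, so the rule never reaches ip6tables). The lint below is an added example, not code from the post or from the iptables_raw module; the task dicts are a constructed, reduced copy of the post's tasks in the shape `yaml.safe_load()` gives for a tasks file, and the assumptions about the module (unique name per table and IP version, multi-line `rules` accepted, default `ipversion` 4) are taken from its documentation.

```python
"""Lint for iptables_raw tasks: name collisions and calls that never reach ip6tables.

Added example, not part of the role posted above. Assumes, as the iptables_raw module
documents, that `name` is the unique key for a rule set per table and IP version,
that `rules` may be a multi-line string, and that `ipversion` defaults to 4. The task
dicts below are what yaml.safe_load() of a tasks file returns, so the same functions
can be run on a real tasks/main.yml.
"""
from collections import defaultdict

# Constructed sample: a reduced copy of the post's tasks, keeping the cases that
# matter: one name used for IPv4 and IPv6 (fine), two SMTP tasks and one LDAP block
# sharing a name (collisions), and an ssh task that leaves ipversion unset.
SAMPLE_TASKS = [
    {"name": "Allow IPv4 ping",
     "iptables_raw": {"name": "iptables_allow_ping",
                      "rules": "-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT",
                      "state": "present", "ipversion": "4"}},
    {"name": "Allow IPv6 ping",
     "iptables_raw": {"name": "iptables_allow_ping",
                      "rules": "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT",
                      "state": "present", "ipversion": "6"}},
    {"name": "Allow incoming ssh connections",
     "iptables_raw": {"name": "iptables_allow_ssh",
                      "rules": "-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
                      "state": "present"}},
    {"name": "Allow incoming SMTP connections (port 25)",
     "iptables_raw": {"name": "iptables_allow_smtp",
                      "rules": "-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT",
                      "state": "present"}},
    {"name": "Allow incoming SMTP connections (port 587)",
     "iptables_raw": {"name": "iptables_allow_smtp",
                      "rules": "-A INPUT -p tcp -m tcp --dport 587 -m state --state NEW,ESTABLISHED -j ACCEPT",
                      "state": "present"}},
    {"name": "Allow incoming LDAP connections",
     "block": [
         {"iptables_raw": {"name": "iptables_allow_ldap",
                           "rules": "-A INPUT -p tcp -m tcp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT",
                           "state": "present"}},
         {"iptables_raw": {"name": "iptables_allow_ldap",
                           "rules": "-A INPUT -p udp -m udp --dport 389 -m state --state NEW,ESTABLISHED -j ACCEPT",
                           "state": "present"}},
     ]},
]


def iter_iptables_raw(tasks):
    """Yield (task label, iptables_raw args) for every call, descending into block: lists."""
    for task in tasks:
        label = task.get("name", "<unnamed task>")
        for item in task.get("block", [task]):
            args = item.get("iptables_raw")
            if args is not None:
                yield label, args


def rule_key(args):
    """The identity iptables_raw keys a saved rule set on: (IP version, table, name)."""
    return (str(args.get("ipversion", "4")), args.get("table", "filter"), args["name"])


def find_name_collisions(tasks):
    """Map each key used by more than one call to the labels of the tasks using it.
    Only the last of those calls survives on the host; the others are silently replaced."""
    users = defaultdict(list)
    for label, args in iter_iptables_raw(tasks):
        users[rule_key(args)].append(label)
    return {key: labels for key, labels in users.items() if len(labels) > 1}


def find_tasks_without_ipversion(tasks):
    """Sorted labels of calls that leave ipversion unset and so only ever touch iptables,
    which matters when the role's ipv4_only is 'no' and ip6tables INPUT policy is DROP."""
    return sorted({label for label, args in iter_iptables_raw(tasks) if "ipversion" not in args})


def merge_colliding_rules(tasks):
    """The fix for a collision: one call per key with every rule in one multi-line
    `rules` string. Returns {key: merged rules} for the keys that collide."""
    rules = defaultdict(list)
    for _, args in iter_iptables_raw(tasks):
        rules[rule_key(args)].append(args["rules"].strip())
    return {key: "\n".join(lines) for key, lines in rules.items() if len(lines) > 1}


if __name__ == "__main__":
    for key, labels in find_name_collisions(SAMPLE_TASKS).items():
        print(f"collision on {key}: only the last of {labels} survives")
    print("calls that never reach ip6tables:", find_tasks_without_ipversion(SAMPLE_TASKS))
    for key, merged in merge_colliding_rules(SAMPLE_TASKS).items():
        print(f"merged rules for {key}:\n{merged}")
```

On the post's tasks this reports the three SMTP tasks and the two LDAP calls as collisions and lists every service task except the two ping tasks as IPv4-only; the two ping tasks share a name but differ in `ipversion`, so they are distinct keys and are not reported.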

 

#2  2021-03-20 19:28:53

mati75 - Psuj
From: where did you get that stuff?
Registered: 2010-03-14

Re: iptables configuration

What is this firewall for? Because I don't see any point in it at all



 

#3  2021-03-20 19:31:10

White_Dream - User
Registered: 2021-03-11

Re: iptables configuration

For a server.
