From bd9605ac315e734c7f60d3d12b1a3cd283b704ed Mon Sep 17 00:00:00 2001 From: Fabian Arrotin Date: Jul 09 2021 11:54:19 +0000 Subject: added iptables explanations and link to role Signed-off-by: Fabian Arrotin --- diff --git a/docs/apps/git.md b/docs/apps/git.md deleted file mode 100644 index e69de29..0000000 --- a/docs/apps/git.md +++ /dev/null diff --git a/docs/apps/mailservers.md b/docs/apps/mailservers.md deleted file mode 100644 index 7bc91e7..0000000 --- a/docs/apps/mailservers.md +++ /dev/null @@ -1,7 +0,0 @@ -# Mail servers - -## @centos.org setup -### aliases - -## @centosproject.org setup -### aliases diff --git a/docs/infra/web.md b/docs/infra/web.md deleted file mode 100644 index 78627aa..0000000 --- a/docs/infra/web.md +++ /dev/null @@ -1,3 +0,0 @@ -# CentOS Website - -## Workflow diff --git a/docs/operations/deploy/virtual-machine.md b/docs/operations/deploy/virtual-machine.md index 9ee1cbc..9ff6bdb 100644 --- a/docs/operations/deploy/virtual-machine.md +++ b/docs/operations/deploy/virtual-machine.md @@ -24,6 +24,8 @@ The process will go like this : * wait for sshd to be available on the node * clean-up the `virt-install` wrapper script for the kvm guest +!!! tip + As now in the ansible inventory we know where the VM is hosted, in case you need to reset a node you can use the `adhoc-reset-vm.yml` that will destroy the VM (through delegate_to: ansible task) and restart it ## Cloud providers diff --git a/docs/security/iptables.md b/docs/security/iptables.md index ead6282..a9b0839 100644 --- a/docs/security/iptables.md +++ b/docs/security/iptables.md 
@@ -1,2 +1,74 @@ # Host Firewall rules +We want to enforce iptables rules on all servers fleet, including on the ones behind a corporate firewall (and so using NAT for outgoing connections and/or DNAT for incoming ones) + +## Baseline + +The [ansible-role-iptables](https://github.com/centos/ansible-role-iptables) is one of the few roles that isn't applied through a group membership at the ansible inventory level, but is deployed/imported in our [baseline](https://github.com/CentOS/ansible-role-baseline/blob/master/tasks/main.yml#L149) (see the `import_role` task to import iptables rules) + +The basic iptables role would (both for ipv4 and ipv6): + + * only allow sshd (tcp/22) from some known bastion hosts + * create an iptables rules for `ipset` (centos-blocked-manual) + * install ipset service + * block all the rest + +It creates a skeleton of other rules to be assembled by iptables (see `/etc/sysconfig/iptables.d`) to be then reloaded. + +That means that from there, any other ansible role would just have to drop his iptables rules file , assemble new config file and reload. + +One example is from `baseline` role itself, importing [zabbix-agent](https://github.com/CentOS/ansible-role-zabbix-agent) : + +``` +- name: Configuring iptables rules + include_role: + name: iptables + tasks_from: custom-policy + vars: + iptables_policy_name: zabbix-agent + iptables_protocol: tcp + iptables_port: "10050" + iptables_source: "{{ zabbix_server_ip }}" + tags: + - iptables +``` + +As you can see, the zabbix-agent role, is just importing the `custom-policy.yml` tasks from iptables role, with some variables (in our case, mentioning that we only accept traffic from zabbix server on tcp/10050 on the agent side). It's quite modular and other roles follow the same principles (usually). 
Behind the scene that means that : + + * it's creating the /etc/sysconfig/iptables.d/01-input-service-policy-zabbix-agent (from jinja2 ansible template) + * using the `assemble` ansible module to concat all snippet files under /etc/sysconfig/iptables.d/ + * restarting iptables with new ruleset + +## Custom rules (including NAT/DNAT) + +Probably better to read the [defaults/main.yml](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml) to see other features that you can apply with the iptables rules but there are some other features (speicific to host/group variables and not `role` bound : + +Defining custom local rules (empty by default): + +``` +iptables_local_input_rules: + - source: 192.168.0.0/24 + dport: 80 + protocol: tcp + - dport: 25 # would open for all tcp/25 +``` + +Should the node be used as gateway/router/firewall itself, we can control that through the following variables (see the main.yml files for examples : + + * iptables_gw (boolean, default is False) + * iptables_forward_allow + * iptables_nat_postrouting_allow + * iptables_nat_prerouting_allow + * iptables_redirects (local port) + + +## Ipset + +One of the main advantage with [ipset](https://ipset.netfilter.org/) is that if you need to add a *lot* of hosts in a deny list (either for DROP or REJECT rules) , it's faster to just use ipset in memory than iptables rules for all these IP addresses. That means that you can just create one (or mutiple) iptables rules just pointing to ipset rules. + +As said above, our basic iptables rule would at least create one iptable rule pointing to the `centos-blocked-manual` ipset list (empty), but that means that adding an ip directly into ipset would work without having to reload the whole iptables service/ruleset (`ipset add blocked-centos-manual $ip`) + +We also can use/update some public lists from services like [Firehol.org](http://iplists.firehol.org/). 
+See again the `defaults/main.yml` iptables file to see some example but by default `ipset_block_lists` is empty and so not using any of these lists + + diff --git a/mkdocs.yml b/mkdocs.yml index 64bc76b..2dcb7af 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -70,18 +70,15 @@ nav: - buildsys/mirror-network.md - Public Applications: - apps/www.md - - apps/git.md - apps/wiki.md - apps/bugs.md - apps/forums.md - - apps/mailservers.md - apps/mailman.md - apps/docs.md - apps/blog.md - Infra services: - infra/authentication.md - infra/dns.md - - infra/web.md - infra/mailservers.md - infra/mirrorlists.md - infra/sponsors.md
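Review bot: in the virtual-machine.md hunk the tip says `adhoc-reset-vm.yml` "will destroy the VM (through delegate_to: ansible task) and restart it" without saying what "destroy" means here. In libvirt terms a destroy is a forced power-off of the guest, not removal of the guest or its disk, so the doc should state which of the two the playbook does and, if it is the forced power-off, that anything the guest had not flushed to disk is lost. It would also help to say how the play is scoped to a single node (the inventory host whose variable tells `delegate_to` which hypervisor to act on), since a reset playbook run against more hosts than intended is exactly the mistake this tip should head off.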
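Review bot: the ipset name is inconsistent within the iptables.md hunk: the baseline bullet and the Ipset section call the set `centos-blocked-manual`, but the example command reads `ipset add blocked-centos-manual $ip`. One of these is wrong, and an operator who copies the wrong one either gets a "set does not exist" error or, if they create the set by hand, populates a list that no iptables rule references, so nothing is actually blocked. Please also state whether a runtime `ipset add` survives a reboot or the next iptables reload, since the text presents it as an alternative to reloading the whole ruleset. In the `iptables_local_input_rules` example the `- dport: 25` entry sets no `protocol`, yet the comment says it "would open for all tcp/25"; either the role defaults to tcp (say so) or the example should set it explicitly. Smaller points: "his iptables rules file" should be "its", "speicific" and "mutiple" are typos, the two parentheticals ending in "for examples :" and "not `role` bound :" are never closed, and the bare ``` fences could be tagged yaml so mkdocs highlights them.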