Blame docs/security/iptables.md

# Host Firewall rules

We want to enforce iptables rules on the whole server fleet, including the servers behind a corporate firewall (which therefore use NAT for outgoing connections and/or DNAT for incoming ones).
## Baseline

The [ansible-role-iptables](https://github.com/centos/ansible-role-iptables) role is one of the few roles that isn't applied through a group membership at the ansible inventory level, but is deployed/imported by our [baseline](https://github.com/CentOS/ansible-role-baseline/blob/master/tasks/main.yml#L149) role (see the `import_role` task that imports the iptables rules).

The basic iptables role would (both for ipv4 and ipv6):

 * only allow sshd (tcp/22) from some known bastion hosts
 * create an iptables rule for the `ipset` list (centos-blocked-manual)
 * install the ipset service
 * block all the rest

It creates a skeleton of other rules to be assembled by iptables (see `/etc/sysconfig/iptables.d`) and then reloaded.

That means that from there, any other ansible role just has to drop its own iptables rules file, assemble a new config file and reload.

One example comes from the `baseline` role itself, importing [zabbix-agent](https://github.com/CentOS/ansible-role-zabbix-agent):

```
- name: Configuring iptables rules
  include_role:
    name: iptables
    tasks_from: custom-policy
  vars:
    iptables_policy_name: zabbix-agent
    iptables_protocol: tcp
    iptables_port: "10050"
    iptables_source: "{{ zabbix_server_ip }}"
  tags:
    - iptables
```
As you can see, the zabbix-agent role is just importing the `custom-policy.yml` tasks from the iptables role, with some variables (in our case, stating that on the agent side we only accept traffic from the zabbix server on tcp/10050). It's quite modular and other roles (usually) follow the same principles. Behind the scenes that means that it is:

  * creating /etc/sysconfig/iptables.d/01-input-service-policy-zabbix-agent (from a jinja2 ansible template)
  * using the `assemble` ansible module to concatenate all snippet files under /etc/sysconfig/iptables.d/
  * restarting iptables with the new ruleset

## Custom rules (including NAT/DNAT)
It's probably better to read the [defaults/main.yml](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml) to see the other features that you can apply with the iptables rules, but there are some other features (specific to host/group variables and not `role` bound):

Defining custom local rules (empty by default):

```
iptables_local_input_rules:
  - source: 192.168.0.0/24
    dport: 80
    protocol: tcp
  - dport: 25  # would open tcp/25 for all sources
```
Should the node be used as a gateway/router/firewall itself, we can control that through the following variables (see the main.yml files for examples):

  * iptables_gw (boolean, default is False)
  * iptables_forward_allow
  * iptables_nat_postrouting_allow
  * iptables_nat_prerouting_allow
  * iptables_redirects (local port)

## Ipset
One of the main advantages of [ipset](https://ipset.netfilter.org/) is that if you need to add a *lot* of hosts to a deny list (either for DROP or REJECT rules), it's faster to keep them in an in-memory ipset than to create one iptables rule per IP address. That means that you can just create one (or multiple) iptables rules pointing to ipset lists.

As said above, our basic iptables rule would at least create one iptables rule pointing to the `centos-blocked-manual` ipset list (empty by default), which means that adding an IP directly into the ipset works without having to reload the whole iptables service/ruleset (`ipset add blocked-centos-manual $ip`).

We can also use/update some public lists from services like [Firehol.org](http://iplists.firehol.org/).

See again the `defaults/main.yml` file of the iptables role for some examples, but by default `ipset_block_lists` is empty and so none of these lists is used.
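As an added example (not part of this doc or of the ansible-role-iptables role), here is a small Python check for an assembled ruleset that verifies the invariants the Baseline and Ipset sections describe: INPUT policy DROP, the `centos-blocked-manual` ipset match placed ahead of any ACCEPT rule, and sshd accepted only from explicit bastion sources. The sample ruleset is constructed in iptables-save format; the role's real template may lay the rules out differently.

```python
import re

# Constructed sample in iptables-save format: sshd from a bastion, zabbix-agent from the zabbix server, ipset block list.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m set --match-set centos-blocked-manual src -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.5/32 -p tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT
"""

def parse_input_rules(ruleset):
    """Return (INPUT chain policy, ordered list of '-A INPUT ...' rules)."""
    policy, rules = None, []
    for line in ruleset.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(line)
    return policy, rules

def check_ruleset(ruleset, ipset_name="centos-blocked-manual"):
    """Return a list of findings; an empty list means every invariant holds."""
    policy, rules = parse_input_rules(ruleset)
    findings = []
    if policy != "DROP":
        findings.append(f"INPUT policy is {policy}, expected DROP")
    # The ipset deny rule must sit in front of the first ACCEPT, otherwise a
    # blocked host still reaches any service accepted earlier in the chain.
    block_idx = next((i for i, r in enumerate(rules)
                      if f"--match-set {ipset_name} src" in r and r.endswith("-j DROP")), None)
    first_accept = next((i for i, r in enumerate(rules) if r.endswith("-j ACCEPT")), len(rules))
    if block_idx is None:
        findings.append(f"no DROP rule referencing ipset {ipset_name}")
    elif block_idx > first_accept:
        findings.append(f"ipset {ipset_name} DROP rule comes after an ACCEPT rule")
    # sshd must only be accepted from explicit bastion sources (-s ...).
    for r in rules:
        if re.search(r"--dport 22\b", r) and r.endswith("-j ACCEPT") and " -s " not in r:
            findings.append(f"sshd accepted from any source: {r}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ruleset(SAMPLE_RULESET) or ["ruleset OK"]))
```

Running it against `/etc/sysconfig/iptables` after the `assemble` step (for instance in a molecule or CI job) catches a snippet that was merged in the wrong order before the ruleset is loaded.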