# Host Firewall rules

We want to enforce iptables rules on the whole server fleet, including the servers behind a corporate firewall (and so using NAT for outgoing connections and/or DNAT for incoming ones).

## Baseline

The [ansible-role-iptables](https://github.com/centos/ansible-role-iptables) role is one of the few roles that isn't applied through a group membership at the ansible inventory level, but is deployed/imported by our [baseline](https://github.com/CentOS/ansible-role-baseline/blob/master/tasks/main.yml#L149) role (see the `import_role` task that imports the iptables rules).

The basic iptables role would (both for ipv4 and ipv6):

* only allow sshd (tcp/22) from some known bastion hosts
* create an iptables rule pointing to an `ipset` list (`centos-blocked-manual`)
* install the ipset service
* block all the rest

It creates a skeleton of other rules to be assembled by iptables (see `/etc/sysconfig/iptables.d`) and then reloaded.

That means that from there, any other ansible role just has to drop its own iptables rules file, assemble a new config file and reload.

One example is from the `baseline` role itself, importing [zabbix-agent](https://github.com/CentOS/ansible-role-zabbix-agent):

```
- name: Configuring iptables rules
  include_role:
    name: iptables
    tasks_from: custom-policy
  vars:
    iptables_policy_name: zabbix-agent
    iptables_protocol: tcp
    iptables_port: "10050"
    iptables_source: "{{ zabbix_server_ip }}"
  tags:
    - iptables
```

As you can see, the zabbix-agent role is just importing the `custom-policy.yml` tasks from the iptables role, with some variables (in our case, stating that we only accept traffic from the zabbix server on tcp/10050 on the agent side). It's quite modular and other roles (usually) follow the same principles. Behind the scenes that means that it is:

* creating /etc/sysconfig/iptables.d/01-input-service-policy-zabbix-agent (from a jinja2 ansible template)
* using the `assemble` ansible module to concatenate all snippet files under /etc/sysconfig/iptables.d/
* restarting iptables with the new ruleset
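The snippet-then-assemble mechanism above, as an added shell example that is not the role's own code: it renders a service policy snippet with the file name layout from this page, assembles all snippets in sorted order between a baseline header (ipset deny list, bastion sshd) and the final reject, and exposes a helper to verify that the deny-list rule sits before any service ACCEPT. The header rules, the snippet format, the addresses and the `$IPT_ROOT` directory standing in for `/etc/sysconfig` are assumptions.

```shell
#!/bin/sh
# Added example, not the CentOS role's own code: reproduce on disk what the
# custom-policy tasks and the `assemble` step produce, so the resulting
# ruleset can be read and syntax-checked before it is ever loaded.
# $IPT_ROOT stands in for /etc/sysconfig; all addresses are constructed.

IPT_ROOT="${IPT_ROOT:-$(mktemp -d)}"
SNIPPET_DIR="$IPT_ROOT/iptables.d"
RULESET="$IPT_ROOT/iptables"

# Render one service policy snippet, named as in the page
# (01-input-service-policy-<name>); the rule layout is an assumption.
render_policy() { # name protocol port [source]
  name=$1; proto=$2; port=$3; src=${4:-}
  mkdir -p "$SNIPPET_DIR"
  rule="-A INPUT -p $proto -m $proto --dport $port"
  [ -n "$src" ] && rule="$rule -s $src"
  printf '%s -j ACCEPT\n' "$rule" > "$SNIPPET_DIR/01-input-service-policy-$name"
}

# Concatenate every snippet (sorted by name, like Ansible's assemble module)
# between the baseline header and the final reject, iptables-restore style.
assemble_rules() {
  mkdir -p "$SNIPPET_DIR"
  {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # Deny list comes first: an address in the ipset never reaches any ACCEPT
    echo '-A INPUT -m set --match-set centos-blocked-manual src -j DROP'
    # sshd only from the bastion (constructed bastion address)
    echo '-A INPUT -p tcp -m tcp --dport 22 -s 192.0.2.1 -j ACCEPT'
    for f in "$SNIPPET_DIR"/*; do [ -f "$f" ] && cat "$f"; done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
  } > "$RULESET"
}

# Parse the assembled file without loading it (needs iptables-restore and,
# on most systems, root); exit status is the tool's own.
check_rules() { iptables-restore --test "$RULESET"; }

# Line number of the first rule matching $1, to verify rule ordering.
rule_line() { grep -n -- "$1" "$RULESET" | head -n 1 | cut -d: -f1; }
```

Run `render_policy zabbix-agent tcp 10050 <zabbix server ip>` followed by `assemble_rules`, then read `$RULESET` or run `check_rules` before loading anything on a real host.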

## Custom rules (including NAT/DNAT)

It is probably better to read the [defaults/main.yml](https://github.com/CentOS/ansible-role-iptables/blob/master/defaults/main.yml) file to see the other features you can apply with the iptables role, but there are also some features that are specific to host/group variables and not bound to a `role`:

Defining custom local rules (empty by default):

```
iptables_local_input_rules:
  - source: 192.168.0.0/24
    dport: 80
    protocol: tcp
  - dport: 25 # would open for all tcp/25
```

Should the node be used as a gateway/router/firewall itself, we can control that through the following variables (see the main.yml files for examples):

* iptables_gw (boolean, default is False)
* iptables_forward_allow
* iptables_nat_postrouting_allow
* iptables_nat_prerouting_allow
* iptables_redirects (local port)

## Ipset

One of the main advantages of [ipset](https://ipset.netfilter.org/) is that if you need to add a *lot* of hosts to a deny list (either for DROP or REJECT rules), it's faster to keep them in an in-memory ipset than to have one iptables rule per IP address. That means that you can just create one (or multiple) iptables rules pointing to ipset lists.

As said above, our basic iptables ruleset would at least create one iptables rule pointing to the `centos-blocked-manual` ipset list (empty by default), which means that adding an ip directly into ipset works without having to reload the whole iptables service/ruleset (`ipset add centos-blocked-manual $ip`).

We can also use/update some public lists from services like [Firehol.org](http://iplists.firehol.org/).

See again the iptables `defaults/main.yml` file for some examples, but by default `ipset_block_lists` is empty and so none of these lists is used.