From fdf80b1b6ced30784b86a3f095392fa4046a58fc Mon Sep 17 00:00:00 2001
From: OldTyT
Date: Mon, 19 Aug 2024 12:05:45 +0000
Subject: [PATCH] chore: update to use ipset for port list

---
 defaults/main.yml | 2 ++
 templates/custom.firewall-restore.j2 | 18 +++++++++---------
 templates/ipset.j2 | 8 ++++++++
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index c3115af..0fa61eb 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,6 +4,8 @@ whitelist_ip6: []
 whitelist_interface: "eth0"
 whitelist_ip4_name: "whitelist"
 whitelist_ip6_name: "whitelist6"
+whitelist_ports_tcp: "whitelist_ports_tcp"
+whitelist_ports_udp: "whitelist_ports_udp"
 whitelist_public_tcp_port:
 - 80
 - 443
diff --git a/templates/custom.firewall-restore.j2 b/templates/custom.firewall-restore.j2
index c07b055..b3c13cb 100644
--- a/templates/custom.firewall-restore.j2
+++ b/templates/custom.firewall-restore.j2
@@ -14,12 +14,12 @@ iptables -N enemy_input
 iptables -I INPUT 1 -i {{ whitelist_interface }} -j enemy_input
 iptables -N DOCKER-USER
 iptables -I DOCKER-USER 1 -i {{ whitelist_interface }} -j enemy_input
-iptables -I enemy_input 1 -p tcp -m multiport ! --dports {{ whitelist_public_tcp_port|join(',') }} -m set --match-set {{ whitelist_ip4_name }} src -j ACCEPT
-iptables -I enemy_input 2 -p udp -m multiport ! --dports {{ whitelist_public_udp_port|join(',') }} -m set --match-set {{ whitelist_ip4_name }} src -j ACCEPT
-iptables -I enemy_input 3 -m set --match-set {{ whitelist_ip4_name }} src -j ACCEPT
+iptables -I enemy_input 1 -p tcp -m set --match-set {{ whitelist_ports_tcp }} dst -m set --match-set {{ whitelist_ip_name }} src -j ACCEPT
+iptables -I enemy_input 2 -p udp -m set --match-set {{ whitelist_ports_udp }} dst -m set --match-set {{ whitelist_ip_name }} src -j ACCEPT
+iptables -I enemy_input 3 -m set --match-set {{ whitelist_ip_name }} src -j ACCEPT
 iptables -I enemy_input 4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-iptables -I enemy_input 5 -p tcp -m multiport ! --dports {{ whitelist_public_tcp_port|join(',') }} -j DROP
-iptables -I enemy_input 6 -p udp -m multiport ! --dports {{ whitelist_public_udp_port|join(',') }} -j DROP
+iptables -I enemy_input 5 -p tcp -m set ! --match-set {{ whitelist_ports_tcp }} dst -j DROP
+iptables -I enemy_input 6 -p udp -m set ! --match-set {{ whitelist_ports_udp }} dst -j DROP
 # IPv6
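Review bot: The three added IPv4 ACCEPT rules (positions 1, 2 and 3) reference `{{ whitelist_ip_name }}`, which nothing defines — defaults/main.yml in this same patch declares `whitelist_ip4_name` and `whitelist_ip6_name`, and the IPv6 hunk correctly uses `whitelist_ip6_name`. With Ansible's default undefined-variable handling the template task fails outright; if the variable were ever allowed to render empty, `--match-set` would be left without a set name and iptables would reject those rules, so either way the IPv4 source whitelist is not installed; replace the reference with `{{ whitelist_ip4_name }}` on all three lines. A second, more subtle consequence of the change: the DROP rules at positions 5 and 6 now depend on the `{{ whitelist_ports_tcp }}` / `{{ whitelist_ports_udp }}` sets existing, whereas the old multiport DROP rules had no ipset dependency — if this script is restored before the ipset file (first run, or at boot), those two rules presumably fail to load while the rest of the chain does, leaving all TCP/UDP ports reachable until the sets appear; a comment such as `# requires the ipset port sets to be loaded first: DROP rules 5/6 fail open without them` and a hard ordering in the role would make that dependency explicit. Minor: without the `!` the rules at 1 and 2 now accept whitelisted sources only on public ports, which rule 3 already covers, so they are redundant rather than wrong.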
@@ -31,9 +31,9 @@ ip6tables -N enemy_input
 ip6tables -I INPUT 1 -i {{ whitelist_interface }} -j enemy_input
 ip6tables -N DOCKER-USER
 ip6tables -I DOCKER-USER 1 -i {{ whitelist_interface }} -j enemy_input
-ip6tables -I enemy_input 1 -p tcp -m multiport ! --dports {{ whitelist_public_tcp_port|join(',') }} -m set --match-set {{ whitelist_ip6_name }} src -j ACCEPT
-ip6tables -I enemy_input 2 -p udp -m multiport ! --dports {{ whitelist_public_udp_port|join(',') }} -m set --match-set {{ whitelist_ip6_name }} src -j ACCEPT
+ip6tables -I enemy_input 1 -p tcp -m set --match-set {{ whitelist_ports_tcp }} dst -m set --match-set {{ whitelist_ip6_name }} src -j ACCEPT
+ip6tables -I enemy_input 2 -p udp -m set --match-set {{ whitelist_ports_udp }} dst -m set --match-set {{ whitelist_ip6_name }} src -j ACCEPT
 ip6tables -I enemy_input 3 -m set --match-set {{ whitelist_ip6_name }} src -j ACCEPT
 ip6tables -I enemy_input 4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-ip6tables -I enemy_input 5 -p tcp -m multiport ! --dports {{ whitelist_public_tcp_port|join(',') }} -j DROP
-ip6tables -I enemy_input 6 -p udp -m multiport ! --dports {{ whitelist_public_udp_port|join(',') }} -j DROP
+ip6tables -I enemy_input 5 -p tcp -m set ! --match-set {{ whitelist_ports_tcp }} dst -j DROP
+ip6tables -I enemy_input 6 -p udp -m set ! --match-set {{ whitelist_ports_udp }} dst -j DROP
diff --git a/templates/ipset.j2 b/templates/ipset.j2
index 172b993..b034c60 100644
--- a/templates/ipset.j2
+++ b/templates/ipset.j2
@@ -7,5 +7,13 @@ create {{ whitelist_ip6_name }} hash:ip family inet6
 {% for white_ip6 in whitelist_ip6 %}
 add {{ whitelist_ip6_name }} {{ white_ip6 }}
 {% endfor %}
+create {{ whitelist_ports_tcp }} bitmap:port range 0-65535
+{% for port_tcp in whitelist_public_tcp_port %}
+add {{ whitelist_ports_tcp }} {{ port_tcp }}
+{% endfor %}
+create {{ whitelist_ports_udp }} bitmap:port range 0-65535
+{% for port_udp in whitelist_public_udp_port %}
+add {{ whitelist_ports_udp }} {{ port_udp }}
+{% endfor %}
 {{ ansible_managed | comment }}
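Review bot: The two new `create … bitmap:port range 0-65535` sets carry no comment saying what they gate, so a reader of the rendered ipset file cannot tell that membership in `{{ whitelist_ports_tcp }}` / `{{ whitelist_ports_udp }}` is what keeps a port reachable from non-whitelisted sources in custom.firewall-restore.j2. Since the file already emits `#` comments via `ansible_managed | comment`, a one-line comment above each `create`, e.g. `# TCP ports reachable from any source; other TCP ports are dropped by custom.firewall-restore.j2`, would make the rendered file self-explanatory. It is also worth recording at the top of this template that it must be loaded before the iptables/ip6tables rules, because those rules now reference these sets by name and cannot be installed without them. The `{% for %}` blocks follow the pattern of the existing address sets, so nothing further is needed there.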