Initial commit

Signed-off-by: Julien Riou <julien@riou.xyz>
2024-04-27 15:18:41 +02:00 · 2024-04-27 15:18:41 +02:00 · 096a3e0540
commit 096a3e0540
parent d547c7f607
69 changed files with 1650 additions and 0 deletions
--- a/tasks/iptables.yml
+++ b/tasks/iptables.yml
@ -0,0 +1,63 @@
+---
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+    comment: allow related and established connections
+
+- name: Allow local connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    in_interface: lo
+    jump: ACCEPT
+    comment: allow local connections
+
+- name: Allow ping
+  ansible.builtin.iptables:
+    chain: INPUT
+    protocol: icmp
+    jump: ACCEPT
+    comment: allow ping from the world
+
+- name: Deny input connections by default
+  ansible.builtin.iptables: 
+    chain: INPUT
+    policy: DROP
+
+- name: Allow SSH to VPN
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination: "{{ openvpn_subnet }}"
+    destination_port: "22"
+    jump: ACCEPT
+    comment: allow ssh to vpn
+
+- name: Deny SSH to the world
+  ansible.builtin.iptables:
+    chain: OUTPUT
+    protocol: tcp
+    destination_port: "22"
+    jump: DROP
+    comment: deny ssh to the world
+
+- name: Deny IPv6 connections
+  ansible.builtin.iptables:
+    ip_version: ipv6
+    chain: "{{ item }}"
+    policy: DROP
+  loop:
+    - INPUT
+    - FORWARD
+    - OUTPUT
+
+- name: Install netfilter-persistent
+  ansible.builtin.apt:
+    name:
+      - netfilter-persistent
+      - iptables-persistent
+    state: latest
+
+- name: Save iptables
+  ansible.builtin.command: netfilter-persistent save