From 8622c159194ba53e7aea0d9773fe5c295a457ce1 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 6 Feb 2015 21:20:11 +0000
Subject: [PATCH] Add initial ip6tables to base.

---
 handlers/restart_services.yml | 3 ++
 roles/base/tasks/main.yml | 23 +++++++++++
 roles/base/templates/iptables/ip6tables | 52 +++++++++++++++++++++++++
 3 files changed, 78 insertions(+)
 create mode 100644 roles/base/templates/iptables/ip6tables

diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml
index fd593c0a7f..c721b40a2a 100644
--- a/handlers/restart_services.yml
+++ b/handlers/restart_services.yml
@@ -38,6 +38,9 @@
 - name: restart iptables
   action: service name=iptables state=restarted
 
+- name: restart ip6tables
+  action: service name=ip6tables state=restarted
+
 - name: restart jenkins
   action: service name=jenkins state=restarted
 
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 596d7654d7..52389c2f63 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -127,6 +127,29 @@
     - service
     - base
 
+- name: ip6tables
+  template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=600 backup=yes
+  with_first_found:
+    - ../templates/iptables/ip6tables.{{ datacenter }}
+    - ../templates/iptables/ip6tables.{{ ansible_fqdn }}
+    - ../templates/iptables/ip6tables.{{ host_group }}
+    - ../templates/iptables/ip6tables.{{ env }}
+    - ../templates/iptables/ip6tables
+  notify:
+    - restart ip6tables
+    - hup libvirtd
+  tags:
+    - ip6tables
+    - config
+    - base
+
+- name: ip6tables service enabled
+  service: name=ip6tables state=started enabled=true
+  tags:
+    - ip6tables
+    - service
+    - base
+
 - name: rsyslog.conf
   copy: src={{ item }} dest=/etc/rsyslog.conf mode=644
   with_first_found:
diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables
new file mode 100644
index 0000000000..5768256290
--- /dev/null
+++ b/roles/base/templates/iptables/ip6tables
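Review bot: The new `ip6tables` template task writes the rendered ruleset straight to `/etc/sysconfig/ip6tables` without validating it, so a host or group variable that renders into a rule ip6tables cannot parse (an IPv4 literal in `custom_rules`, for example) is only discovered when the `restart ip6tables` handler fires. If the init script flushes the tables before loading the file, as is usual but not visible here, a failed load leaves the default `ACCEPT` policies active on IPv6 while the play merely reports the handler failure. The `template` module's `validate` parameter rejects a bad render before it is installed: `template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=600 backup=yes validate='ip6tables-restore --test %s'`. The `ip6tables service enabled` task would then also stop failing on a half-installed ruleset.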
@@ -0,0 +1,52 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+loopback allowed
+-A INPUT -i lo -j ACCEPT
+
+# Accept ping and traceroute (needs icmp)
+-A INPUT -p ipv6-icmp -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
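Review bot: The three nrpe rules carry IPv4 source addresses (`-s 192.168.1.10`, `-s 209.132.181.35`, `-s 10.5.126.41`) inside an ip6tables ruleset; ip6tables-restore does not accept an IPv4 literal for `-s`, so the whole file fails to load and the `ip6tables` service this role starts will not come up on any host using the default template. Those lines need the monitoring hosts' IPv6 addresses, or should be left out of the IPv6 template until those exist. The `loopback allowed` line is also missing its leading `#` (unless it was lost in rendering) and would be a second parse error, and the `ESTABLISHED,RELATED` INPUT rule appears twice, so one copy can go. Because `tcp_ports`, `udp_ports` and `custom_rules` are rendered as-is and are presumably the same variables the IPv4 template consumes, any `custom_rules` entry that names an IPv4 address will break this file the same way; a separate variable for IPv6 rules (for example a proposed `custom_rules6`) would keep the two rulesets independent.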