Skip to content

Latest commit

 

History

History
200 lines (156 loc) · 6.57 KB

README.md

File metadata and controls

200 lines (156 loc) · 6.57 KB

iptables

Build Status

Description

Ansible role for iptables setup.

Settings

Enable ICMP

accept_icmp: { v4: true, v6: true }

Creates typical ICMP rules for IPv4 and IPv6.

Supported chains

  • input. INPUT chain for input traffic
  • enemy_input. enemy_input chain for input traffic
  • output. OUTPUT chain for outgoing traffic
  • docker_forward. docker_forward chain for forward traffic
  • dnat. nat table. DNAT rules
  • snat. nat table. SNAT rules
  • masq. nat table. MASQUERADE rules
  • postrouting. postrouting chain, nat table.
  • forward. filter, mangle tables.

Any custom chains for filter table can be described via custom_filter_chains list. For example:

custom_filter_chains:
  some_chain:
    v4:
      - { dport: 80, comment: "custom chain rule" }
    v6:
      - { dport: 80, comment: "custom chain rule" }

Changing policies

Performed via ipv4_policies and ipv6_policies, for example:

ipv4_policies:
  filter:
    forward: drop
ipv6_policies:
  nat:
    prerouting: drop

By default everything is ACCEPT.

Common settings for rules

Setting Default iptables Description
i: eth1 - -i eth1 input interface
ni: eth2 - ! -i eth2 not input interface
dport: 1234, p: tcp p:tcp if dport is defined -p tcp -m tcp --dport 1234 port and protocol
p: udp - -p udp protocol only
dport: "80,443" p:tcp if dport is defined -p tcp -m multiport --dports 80,443 multiport. doesn't work for snat/masq rules
s: 123.123.123.123 - -s 123.123.123.123 source address
ns: 123.123.123.123 - ! -s 123.123.123.123 not source address
d: 234.234.234.234 - -d 234.234.234.234 destination address
nd: 234.234.234.234 - ! -d 234.234.234.234 not destination address
state: NEW - -m state --state NEW connection state
list: oss-v4 - -m set --match-set oss-v4 src ipset list
nfacct: http-v4 - -m nfacct --nfacct-name http-v4 nfacct counter
comment: "test rule" - -m comment --comment "test rule" rule comment

These settings work for any supported chain.

Settings for input and docker_forward

Setting Default iptables Description
action: DROP ACCEPT -j DROP action for matched packet

enemy_input examples:

role rule iptables rule
{ s: 234.234.234.234, action: DROP } -A enemy_input -s 234.234.234.234 -j DROP
{ i: eth0, ni: eth1, dport: 80, s: 123.123.123.0/24, comment: 'test rule' } -A enemy_input -i eth0 ! -i eth1 -p tcp -m tcp --dport 80 -s 123.123.123.0/24 -m comment --comment "test rule"

docker_forward examples:

role rule iptables rule
{ p: tcp, drport 443 } -A docker_forward -p tcp -m tcp --dport 443 -j ACCEPT
{ action: DROP' } -A docker_forward -j DROP

Settings for dnat

Setting Default iptables Description
o: eth1 - -o eth1 output interface
dport: 61000-62000 p:tcp if dport is defined -p tcp -m tcp --dport 61000:62000 same as common but with port range support
dstaddr: 10.10.10.10 required -j DNAT --to-destination 10.10.10.10 destination address
dstport: 61000-62000 - -j DNAT --to-destination 10.10.10.10:61000-62000 destination port or port range

Settings for snat

Setting Default iptables Description
o: eth1 - -o eth1 output interface
srcaddr: 123.123.123.123 required -j SNAT --to-source 123.123.123.123 source address

Settings for masq

Setting Default iptables Description
o: eth1 - -o eth1 output interface

example:

role rule iptables rule
{ s: 10.10.10.0/24, nd: 10.10.10.0/24 } -A PREROUTING -s 10.10.10.0/24 ! -d 10.10.10.0/24 -j MASQUERADE

Disable interface check

disable_interface_check: true

Settings for modules policy, ipv6header, tcpmss

Setting Default iptables Description
m: policy - -m policy --dir in --pol ipsec policy module, you can override default --dir with dir: and --pol with pol:
reqid: 1 - --reqid 1 matches the reqid of the policy rule
m: ipv6header - -m ipv6header --header esp ipv6header module, you can override --header with header:
mss: 123 - -m tcpmss --mss 123 tcpmss module
action: TCPMSS - -j TCPMSS --clamp-mss-to-pmtu TCPMSS action, instead --clamp-mss-to-pmtu you can set --set-mss with setmss:

Usage example

- role: iptables
  ext_ifaces: [eno1, wlp1s0]
  accept_icmp: { v4: true, v6: true }
  input:
    v4:
      - { dport: 80, nfacct: "http-v4" }
    v6:
      - { dport: 80, nfacct: "http-v6" }
  enemy_input:
    v4:
      - { list: oss-v4 }
      - { dport: 22, comment: "ssh host for clients access" }
    v6:
      - { list: oss-v6 }
  docker_forward:
    v4:
      - { state: 'RELATED,ESTABLISHED' }
      - { dport: 80, comment: "nginx container" }
      - { dport: 443, comment: "nginx container" }
      - { p: tcp, dport: 5432, m: policy, dir: in, pol: ipsec, reqid: 1 }
      - { action: DROP }
    v6:
      - { state: 'RELATED,ESTABLISHED' }
      - { action: DROP }
  dnat:
    v4:
      - { dport: 8888, dstaddr: 10.10.10.10, comment: "dnat for smth", dstport: 8888 }
  snat:
    v4:
      - { s: 10.10.10.20, nd: 10.10.10.0/24, comment: "snat for smth", srcaddr: 123.123.123.123 }
  masq:
    v4:
      - { s: 10.10.10.0/24, nd: 10.10.10.0/24, comment: "default masq rule" }
  postrouting:
    v6:
      - { o: eth0, m: policy, dir: out }
  mangle_forward:
    v4:
      - { o: eth0, p: tcp, flags: 'SYN,RST', mss: '1361:1536', setmss: 1360, action: TCPMSS }

TODO

  • tasks. use service_facts for services instead of the command module
  • tasks. add the ability to turn off/on autorestart services. Otherwise it can be dangerous for Docker for example.
  • tests. add OS dependency (for example: Ubuntu 16.04 or Ubuntu 18.04. Different ways to autoload rules)
  • tests. add service test (for ubuntu 18.04)
  • add support for using + in ext_ifaces names. e.g. eth+. For details see this.
  • add costom modules support (with params), hardcoded in templates for now

License

GPL3

Author

OSSHelp Team, see https://oss.help