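---
# Provisioning playbook intended for exactly one host.
#
# Play 1 is a guard: it aborts the run unless the inventory resolves to a
# single host, because play 2 runs as root against `hosts: all`.
# Play 2 applies the site roles and lets geerlingguy.firewall manage iptables
# using the vars below.
- hosts: all
  tasks:
    - name: Check to ensure this is only run on a single host
      # play_hosts is the legacy name for the hosts in the current play;
      # newer Ansible also exposes the same list as ansible_play_hosts.
      fail:
        msg: "Single host check failed."
      when: play_hosts|length != 1

- hosts: all
  become: true
  # root is become's default target user; kept explicit for clarity.
  become_user: root
  gather_facts: true
  roles:
    - selinux
    - database
    - inprod-bow
    - geerlingguy.firewall
  vars:
    # iptables are used instead of firewalld, so this needs to be disabled
    firewall_disable_firewalld: true
    # Quoted so the port numbers stay strings when rendered into the firewall
    # script. Note: 22 is opened here but is not covered by the rate limits below.
    firewall_allowed_tcp_ports:
      - "22"
      - "80"
      - "443"
    firewall_additional_rules:
      # Set rate limits: per-source-IP (srcip) cap of 100 new connections/sec on
      # 80 and 443. Only NEW connections are counted (--state NEW), so established
      # sessions are unaffected. -I inserts at the head of INPUT so the limit is
      # evaluated before the ACCEPT rules the role appends for these ports —
      # confirm against the rendered firewall script. The hashlimit htable
      # values are milliseconds (expire 600000 = 10 min, gc every 1 s).
      - >-
        iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 80
        --hashlimit-above 100/sec --hashlimit-mode srcip
        --hashlimit-htable-expire 600000 --hashlimit-htable-gcinterval 1000
        --hashlimit-name http_rate -m state --state NEW -j DROP
      - >-
        iptables -I INPUT -m hashlimit -m tcp -p tcp --dport 443
        --hashlimit-above 100/sec --hashlimit-mode srcip
        --hashlimit-htable-expire 600000 --hashlimit-htable-gcinterval 1000
        --hashlimit-name https_rate -m state --state NEW -j DROP
      # accept postgres for internal IP address range
      # internal_ip_range is expanded verbatim into a shell command line by the
      # firewall role, so it must come from trusted inventory/group_vars and hold
      # only an address or CIDR. No default is defined in this file.
      - "iptables -A INPUT -p tcp --dport 5432 -s {{ internal_ip_range }} -j ACCEPT"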