From 2fd6ee218643b72812b7a8a6beac9ef639f29d48 Mon Sep 17 00:00:00 2001
From: Tanguy MAZE
Date: Thu, 13 Dec 2018 18:12:18 +0100
Subject: [PATCH] Added host templates + new firewall rules
---
files/firewall.conf | 25 ++++++++++++++++++++++++-
hosts-init.inv | 4 ++--
init.yml | 11 ++++++-----
temp.yml | 13 +++++++++++++
templates/hosts-init.inv.j2 | 2 ++
templates/init.yml.j2 | 37 +++++++++++++++++++++++++++++++++++++
6 files changed, 84 insertions(+), 8 deletions(-)
create mode 100644 temp.yml
create mode 100644 templates/hosts-init.inv.j2
create mode 100644 templates/init.yml.j2
diff --git a/files/firewall.conf b/files/firewall.conf
index 2164f7c..5483cb7 100644
--- a/files/firewall.conf
+++ b/files/firewall.conf
@@ -5,7 +5,25 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [246:65684]
 :POSTROUTING ACCEPT [246:65684]
+-A PREROUTING -p icmp -j DROP
 -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+-A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+-A PREROUTING -f -j DROP
+-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 COMMIT
 # Completed on Mon Dec 10 17:46:32 2018
 # Generated by iptables-save v1.6.0 on Sat Nov 17 14:32:27 2018
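Review bot: `-A PREROUTING -p icmp -j DROP`, the first rule this hunk adds, discards every ICMP type — including destination-unreachable/fragmentation-needed and time-exceeded — so path-MTU discovery toward this host silently breaks for any peer behind a smaller MTU, and the new `-f -j DROP` rule below then discards the fragments that result. If the intent is to stop ping floods, restrict the rule to echo-request and rate-limit it, e.g. `-A PREROUTING -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT` followed by `-A PREROUTING -p icmp --icmp-type echo-request -j DROP`, and let the other ICMP types fall through to the existing `--ctstate INVALID` drop. Whether the filter table's INPUT chain afterwards admits ICMP errors is not visible in this diff and needs checking separately. A short comment above the block naming the table this chain set belongs to (the `*` line is outside the hunk) would also help the next reader, since PREROUTING drops here run before any filter rule.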
@@ -13,6 +31,11 @@ COMMIT
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
+-A INPUT -p tcp -m connlimit --connlimit-above 40 -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 10 -j ACCEPT
+-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p tcp -m tcp --dport 2230 -j ACCEPT
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT
@@ -26,4 +49,4 @@ COMMIT
 -A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
 COMMIT
-# Completed on Sat Nov 17 14:32:27 2018
+# Completed on Sat Nov 17 14:32:27 2018
\ No newline at end of file
diff --git a/hosts-init.inv b/hosts-init.inv
index 5cd2825..d0a2b39 100644
--- a/hosts-init.inv
+++ b/hosts-init.inv
@@ -1,2 +1,2 @@
-e1r9p4.42.fr ansible_port=2230 ansible_user=tanguy
-roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy
+e3r5p2.42.fr ansible_host=10.13.5.2 ansible_port=2230 ansible_user=tanguy
+roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy
diff --git a/init.yml b/init.yml
index 6c23492..e41b2d4 100644
--- a/init.yml
+++ b/init.yml
@@ -1,5 +1,5 @@
 - name: "Initialise network config, packages & user tanguy"
- hosts: "e1r9p4.42.fr"
+ hosts: e3r5p2.42.fr
 become: yes
 become_user: root
 become_method: su
@@ -30,7 +30,8 @@
 authorized_key:
 user: "tanguy"
 state: "present"
- key: "{{ lookup('file', '/Users/tmaze/.ssh/id_rsa.pub') }}"
- - name: "Reboot VM"
- reboot:
- reboot_timeout: 60
+ key: "ssh-rsa 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 tmaze@e3r11p6.42.fr"
+ - name: "Restart networking service"
+ service:
+ name: "networking"
+ state: "restarted"
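Review bot: The second added INPUT rule, `-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 10 -j ACCEPT`, accepts new TCP connections on every port (up to 60/s) before the `--dport 2230/80/443` rules and the chain's DROP policy are reached, so the port allow-list no longer restricts TCP at all and only the rate overflow is dropped. Drop the excess instead of accepting the quota: replace that rule and the `-j DROP` that follows it with `-A INPUT -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 60/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name tcp_new -j DROP`, which keeps the per-port ACCEPTs as the only way in and limits per source rather than globally. As far as this diff shows, the SYNPROXY rule has no raw-table `-j CT --notrack` rule feeding it UNTRACKED packets and no `--dport`, so it only ever sees INVALID packets; either add the raw-table rule for the listening ports or drop the SYNPROXY line rather than leave a rule that looks protective but is not.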
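Review bot: Replacing the reboot with a `networking` restart leaves the sshd_config the play uploads earlier (the "Upload ssh config" task, outside this hunk but visible in templates/init.yml.j2 on this page) never re-read, so whatever it changes does not take effect in this play; add `service: name: ssh state: reloaded` right after that copy (`ssh` is the Debian-family unit name, which the apt task implies), and `reloaded` keeps the current session open even if the listening port changes. Restarting `networking` over the very SSH session the play is using, immediately after `/etc/network/interfaces` was replaced, can also drop that session and fail the play; if the addressing changes, run the restart with `async: 1` and `poll: 0` and follow it with `wait_for_connection`. The play header and the earlier tasks start outside this hunk.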
diff --git a/temp.yml b/temp.yml
new file mode 100644
index 0000000..346d0ae
--- /dev/null
+++ b/temp.yml
@@ -0,0 +1,13 @@
+- name: "Create hosts-init.inv and init.yml form templates"
+ hosts: "localhost"
+ connection: "local"
+ tasks:
+ - name: "Template hosts-init.inv"
+ template:
+ src: "templates/hosts-init.inv.j2"
+ dest: "hosts-init.inv"
+ - name: "Template init.yml"
+ template:
+ src: "templates/init.yml.j2"
+ dest: "init.yml"
+
diff --git a/templates/hosts-init.inv.j2 b/templates/hosts-init.inv.j2
new file mode 100644
index 0000000..8eb8dc6
--- /dev/null
+++ b/templates/hosts-init.inv.j2
@@ -0,0 +1,2 @@
+{{ ansible_nodename }} ansible_host={{ ansible_default_ipv4.address }} ansible_port=2230 ansible_user=tanguy
+roger-skyline-1 ansible_host=192.168.99.2 ansible_port=2230 ansible_user=tanguy
diff --git a/templates/init.yml.j2 b/templates/init.yml.j2
new file mode 100644
index 0000000..5396a6a
--- /dev/null
+++ b/templates/init.yml.j2
@@ -0,0 +1,37 @@
+- name: "Initialise network config, packages & user tanguy"
+ hosts: {{ ansible_nodename }}
+ become: yes
+ become_user: root
+ become_method: su
+ tasks:
+ - name: "Set up networking"
+ copy:
+ src: "files/interfaces"
+ dest: "/etc/network/"
+ owner: "root"
+ group: "root"
+ - name: "Upload ssh config"
+ copy:
+ src: "files/sshd_config"
+ dest: "/etc/ssh/"
+ owner: "root"
+ group: "root"
+ - name: "Install sudo"
+ apt:
+ name: ['sudo']
+ update_cache: "yes"
+ state: "present"
+ - name: "Add tanguy to sudoers"
+ user:
+ name: "tanguy"
+ groups: "sudo"
+ append: yes
+ - name: "Upload public key for tanguy"
+ authorized_key:
+ user: "tanguy"
+ state: "present"
+ key: "{{ lookup('file', '/Users/tmaze/.ssh/id_rsa.pub') }}"
+ - name: "Restart networking service"
+ service:
+ name: "networking"
+ state: "restarted"
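Review bot: Both `template` tasks render into the repository root, overwriting the tracked `hosts-init.inv` and `init.yml`, so every contributor's run rewrites those files with their own hostname, address and public key — which is exactly what the `hosts-init.inv` and `init.yml` hunks of this same commit show. Render into an ignored output directory (e.g. `dest: "build/init.yml"`) or stop tracking the rendered copies and keep only the templates under version control. The play name reads `"... form templates"` where "from templates" is meant, and the file should start with `---` and give each `dest` an explicit `mode: "0644"` to match usual Ansible style.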
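Review bot: `ansible_host={{ ansible_default_ipv4.address }}` raises an undefined-variable error whenever the controller has no default IPv4 route, because the fact is then an empty dict; either fall back explicitly, e.g. `{{ ansible_default_ipv4.address | default(ansible_nodename) }}` (which is what Ansible does when `ansible_host` is absent), or fail with a clear message. `ansible_port=2230` and `ansible_user=tanguy` are also repeated on both lines here, in `init.yml.j2`, and as `--dport 2230` in `files/firewall.conf`; declaring `ssh_port` and `admin_user` once under `vars:` in `temp.yml` and rendering them would keep the port change in one place.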
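Review bot: The "Upload ssh config" task copies `files/sshd_config` into `/etc/ssh/` with no `mode` and no `validate`, and nothing later in the play reloads sshd (the only service touched is `networking`), so a syntax error in the pushed file is first noticed when sshd next restarts, and the new settings are not applied by this play at all. Copy to the explicit file path with `mode: "0600"` and `validate: "/usr/sbin/sshd -t -f %s"`, then reload the `ssh` service (Debian-family unit name, which the apt task implies) in the next task; `reloaded` keeps the current session alive even if the listening port changes. The rendered `become: yes`, `append: yes` and `update_cache: "yes"` should be plain `true` per yamllint's truthy rule, the `interfaces` copy is missing a `mode` too, and the lookup path `/Users/tmaze/.ssh/id_rsa.pub` ties the template to one workstation — `~/.ssh/id_rsa.pub` is expanded by the file lookup.
```yaml
    - name: "Upload ssh config"
      copy:
        src: "files/sshd_config"
        dest: "/etc/ssh/sshd_config"
        owner: "root"
        group: "root"
        mode: "0600"
        validate: "/usr/sbin/sshd -t -f %s"
    - name: "Reload sshd so the uploaded config takes effect"
      service:
        name: "ssh"
        state: "reloaded"
    # … unchanged: sudo install, sudoers, authorized_key, networking restart …
```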