Added host templates + new firewall rules

files/firewall.conf

@@ -5,7 +5,25 @@
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [246:65684]
 :POSTROUTING ACCEPT [246:65684]
+-A PREROUTING -p icmp -j DROP
 -A PREROUTING -m conntrack --ctstate INVALID -j DROP
+-A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
+-A PREROUTING -f -j DROP
+-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
+-A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
+-A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
+-A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
+-A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
+-A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 COMMIT
 # Completed on Mon Dec 10 17:46:32 2018
 # Generated by iptables-save v1.6.0 on Sat Nov 17 14:32:27 2018
@@ -13,6 +31,11 @@ COMMIT
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
+-A INPUT -p tcp -m connlimit --connlimit-above 40 -j REJECT --reject-with tcp-reset
+-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 10 -j ACCEPT 
+-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP
+-A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p tcp -m tcp --dport 2230 -j ACCEPT
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT

hosts-init.inv

@@ -1,2 +1,2 @@
-e1r9p4.42.fr	ansible_port=2230 	ansible_user=tanguy
+e3r5p2.42.fr	ansible_host=10.13.5.2			ansible_port=2230 	ansible_user=tanguy
 roger-skyline-1 		ansible_host=192.168.99.2								ansible_port=2230	ansible_user=tanguy

init.yml

@@ -1,5 +1,5 @@
 - name: "Initialise network config, packages & user tanguy"
-  hosts: "e1r9p4.42.fr"
+  hosts: e3r5p2.42.fr
   become: yes
   become_user: root
   become_method: su
@@ -30,7 +30,8 @@
       authorized_key:
         user: "tanguy"
         state: "present"
-        key: "{{ lookup('file', '/Users/tmaze/.ssh/id_rsa.pub') }}"
-    - name: "Reboot VM"
-      reboot:
-        reboot_timeout: 60
+        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmt03YiHn0kILfc45ylWmSnIYDJvLko2+mHf8wQlap9s6L9RPUwh4FuJ0lxAENelOkzl6CeD8ET7RPLy+EvUjL2B3iLSVlZRFiBNiAbtNHCxxKBl7CF5pRd5Us797BCa1trrfCdW3bznLswkB6aVOqt5GnjXy62/Ambvrb0yBILeQQzEnBdPdxwKLoG57kM1Ag9tulvgM0OkNRgVTzoJrm9MiPPjvHXZxLanC/3hUA5hOKSp0gEcpUm+W/YpyvsrlcAmWSQT3RwvavK+cGa51cNUofKSHUSJmz3QBanYs4EmaTby1QecQA0q7SlIsAdcsznhCC07TWm1qJtjg9DL/nzrinr59BGYkptExod2RGuZeXWB3a7nPvN5pz0whEHfHxARnUMDJFXPToUaeHE/BzyBAzX2cQJuF/eX1ld5WpFNM1aZTuI8LgJbOiNa4xPZEOvnWTRR7i+w6/NrSXggeHcycDmFjiXKUPJMco05T+sropbxB0x/hIdl7KCfr2n+UUZgwfvNnTc/L8x3r8kzXjX76NPeG4qF6T1Q83pcKKCw9Iw4xnNHU7C7hz64CUeWctyxLF3ou6i8lmoqON+olKDWgLVh2oLGEUJKySul292nVgFaW6HExHcdBAESlPts3tN72RuLnvgWAfaSmF4vFkThUr+DsYPxqCa1PdFeCZzw== tmaze@e3r11p6.42.fr"
+    - name: "Restart networking service"
+      service:
+        name: "networking"
+        state: "restarted"

temp.yml

@@ -0,0 +1,13 @@
+- name: "Create hosts-init.inv and init.yml form templates"
+  hosts: "localhost"
+  connection: "local"
+  tasks:
+    - name: "Template hosts-init.inv"
+      template:
+        src: "templates/hosts-init.inv.j2"
+        dest: "hosts-init.inv"
+    - name: "Template init.yml"
+      template:
+        src: "templates/init.yml.j2"
+        dest: "init.yml"
+

templates/hosts-init.inv.j2

@@ -0,0 +1,2 @@
+{{ ansible_nodename }}	ansible_host={{ ansible_default_ipv4.address }}			ansible_port=2230 	ansible_user=tanguy
+roger-skyline-1 		ansible_host=192.168.99.2								ansible_port=2230	ansible_user=tanguy

templates/init.yml.j2

@@ -0,0 +1,37 @@
+- name: "Initialise network config, packages & user tanguy"
+  hosts: {{ ansible_nodename }}
+  become: yes
+  become_user: root
+  become_method: su
+  tasks:
+    - name: "Set up networking"
+      copy:
+        src: "files/interfaces"
+        dest: "/etc/network/"
+        owner: "root"
+        group: "root"
+    - name: "Upload ssh config"
+      copy:
+        src: "files/sshd_config"
+        dest: "/etc/ssh/"
+        owner: "root"
+        group: "root"
+    - name: "Install sudo"
+      apt:
+        name: ['sudo']
+        update_cache: "yes"
+        state: "present"
+    - name: "Add tanguy to sudoers"
+      user:
+        name: "tanguy"
+        groups: "sudo"
+        append: yes
+    - name: "Upload public key for tanguy"
+      authorized_key:
+        user: "tanguy"
+        state: "present"
+        key: "{{ lookup('file', '/Users/tmaze/.ssh/id_rsa.pub') }}"
+    - name: "Restart networking service"
+      service:
+        name: "networking"
+        state: "restarted"