changed persistence method of firewall rules

files/check_crontab.sh

@@ -10,13 +10,13 @@ if [ ! -f $md5old ]
 then
     printf "Error: %s don't exist\nCreating %s ...\n" "$md5old" "$md5old" >>$log
     md5sum $cron >$md5old
-    exit 1
+    exit 0
 fi
 if [ ! -s $md5old ]
 then
     printf "Error: %s is empty\nadding md5 hash to %s ...\n" "$md5old" "$md5old" >>$log
     md5sum $cron >$md5old
-    exit 1
+    exit 0
 fi
 if [ ! $(md5sum -c $md5old 2>/dev/null | grep $cron | cut -d' ' -f2) = "OK" ]
 then

files/firewall.conf

@@ -11,6 +11,7 @@
 -A PREROUTING -f -j DROP
 -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
 -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP
+-A PREROUTING -s 192.168.99.0/30 ! -i enp0s8 -j DROP
 -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

files/interfaces

@@ -6,6 +6,7 @@ source /etc/network/interfaces.d/*
 # The loopback network interface
 auto lo
 iface lo inet loopback
+post-up iptables-restore /etc/iptables/rules.v4
 
 # The primary network interface
 auto enp0s3

hosts-init.inv

@@ -1,2 +0,0 @@
-e3r5p2.42.fr	ansible_host=10.13.5.2			ansible_port=2230 	ansible_user=tanguy
-roger-skyline-1 		ansible_host=192.168.99.2								ansible_port=2230	ansible_user=tanguy

init.yml

@@ -1,37 +0,0 @@
-- name: "Initialise network config, packages & user tanguy"
-  hosts: e3r5p2.42.fr
-  become: yes
-  become_user: root
-  become_method: su
-  tasks:
-    - name: "Set up networking"
-      copy:
-        src: "files/interfaces"
-        dest: "/etc/network/"
-        owner: "root"
-        group: "root"
-    - name: "Upload ssh config"
-      copy:
-        src: "files/sshd_config"
-        dest: "/etc/ssh/"
-        owner: "root"
-        group: "root"
-    - name: "Install sudo"
-      apt:
-        name: ['sudo']
-        update_cache: "yes"
-        state: "present"
-    - name: "Add tanguy to sudoers"
-      user:
-        name: "tanguy"
-        groups: "sudo"
-        append: yes
-    - name: "Upload public key for tanguy"
-      authorized_key:
-        user: "tanguy"
-        state: "present"
-        key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDmt03YiHn0kILfc45ylWmSnIYDJvLko2+mHf8wQlap9s6L9RPUwh4FuJ0lxAENelOkzl6CeD8ET7RPLy+EvUjL2B3iLSVlZRFiBNiAbtNHCxxKBl7CF5pRd5Us797BCa1trrfCdW3bznLswkB6aVOqt5GnjXy62/Ambvrb0yBILeQQzEnBdPdxwKLoG57kM1Ag9tulvgM0OkNRgVTzoJrm9MiPPjvHXZxLanC/3hUA5hOKSp0gEcpUm+W/YpyvsrlcAmWSQT3RwvavK+cGa51cNUofKSHUSJmz3QBanYs4EmaTby1QecQA0q7SlIsAdcsznhCC07TWm1qJtjg9DL/nzrinr59BGYkptExod2RGuZeXWB3a7nPvN5pz0whEHfHxARnUMDJFXPToUaeHE/BzyBAzX2cQJuF/eX1ld5WpFNM1aZTuI8LgJbOiNa4xPZEOvnWTRR7i+w6/NrSXggeHcycDmFjiXKUPJMco05T+sropbxB0x/hIdl7KCfr2n+UUZgwfvNnTc/L8x3r8kzXjX76NPeG4qF6T1Q83pcKKCw9Iw4xnNHU7C7hz64CUeWctyxLF3ou6i8lmoqON+olKDWgLVh2oLGEUJKySul292nVgFaW6HExHcdBAESlPts3tN72RuLnvgWAfaSmF4vFkThUr+DsYPxqCa1PdFeCZzw== tmaze@e3r11p6.42.fr"
-    - name: "Restart networking service"
-      service:
-        name: "networking"
-        state: "restarted"

provision.yml

@@ -6,7 +6,7 @@
   tasks:
     - name: "Install necessary packages"
       apt:
-        name: ['sudo', 'mailutils', 'fail2ban', 'apache2', 'python-pip', 'iptables-persistent']
+        name: ['sudo', 'mailutils', 'fail2ban', 'apache2', 'python-pip']
         update_cache: "yes"
         state: "present"
       tags: [ "apt", "sudo" ]
@@ -16,16 +16,6 @@
         groups: "sudo"
         append: yes
       tags: [ "sudo" ]
-    - name: "Upload firewall config"
-      copy:
-        src: "files/firewall.conf"
-        dest: "/etc/iptables/rules.v4"
-        owner: "root"
-        group: "root"
-      tags: [ "firewall" ]
-    - name: "Apply firewall config"
-      command: "iptables-restore -c /etc/iptables/rules.v4"
-      tags: [ "firewall" ]
     - name: "Upload fail2ban config"
       copy:
         src: "files/jail.local"
@@ -44,6 +34,7 @@
         dest: "/usr/sbin/update_script.sh"
         owner: "root"
         group: "root"
+        mode: "755"
       tags: [ "scripts" ]
     - name: "Upload update_script"
       copy:
@@ -58,6 +49,10 @@
         dest: "/usr/sbin/check_crontab.sh"
         owner: "root"
         group: "root"
+        mode: "755"
+      tags: [ "scripts" ]
+    - name: "Run check_crontab.sh to create save file"
+      command: "bash /usr/sbin/check_crontab.sh"
       tags: [ "scripts" ]
     - name: "Upload check_crontab"
       copy:

templates/init.yml.j2

@@ -4,12 +4,26 @@
   become_user: root
   become_method: su
   tasks:
+    - name: "Create iptables directory"
+      file:
+        path: "/etc/iptables"
+        state: "directory"
+    - name: "Upload firewall config"
+      copy:
+        src: "files/firewall.conf"
+        dest: "/etc/iptables/rules.v4"
+        owner: "root"
+        group: "root"
     - name: "Set up networking"
       copy:
         src: "files/interfaces"
         dest: "/etc/network/"
         owner: "root"
         group: "root"
+    - name: "Restart networking service"
+      service:
+        name: "networking"
+        state: "restarted"
     - name: "Upload ssh config"
       copy:
         src: "files/sshd_config"
@@ -17,16 +31,12 @@
         owner: "root"
         group: "root"
       tags: [ "ssh" ]
-    - name: "Restart ssh service"
-      service:
-        name: "ssh"
-        state: "restarted"
     - name: "Upload public key for tanguy"
       authorized_key:
         user: "tanguy"
         state: "present"
         key: "{{ lookup('file', '~/.ssh/id_rsa.pub') }}"
-    - name: "Restart networking service"
+    - name: "Restart ssh service"
       service:
-        name: "networking"
+        name: "ssh"
         state: "restarted"