all demo

ansible/playbook/roles/gate/README.md

@@ -0,0 +1,6 @@
+Получаем данные напрямую из naupp
+
+        url: "https://{{ gate_naupp_fqdn }}/sd/services/rest/exec?accessKey={{ accesskey }}&func=modules.externalAccess.getExternalAccesses&params=user"
+
+На текущий момент роль ставит все необходимые для работы пакеты, настраивает их автозапуск и разрешает проброс пакетов, после чего настраивает файлы для iptables-save и перезапускает службу при необходимости.
+Для отключения проброса пакетов, например, в случае подозрения на несанкционированный доступ, поменять переменную iptables_ip_forward

ansible/playbook/roles/gate/gate.yml

@@ -0,0 +1,5 @@
+- hosts: sd-gw
+  become: yes
+  remote_user: root
+  roles:
+    - gate

ansible/playbook/roles/gate/roles/gate/defaults/main.yml

@@ -0,0 +1,15 @@
+---
+# Fast disable forward if we have a problem now
+gate_iptables_ip_forward: 1
+
+# Name of the service to reload
+gate_iptables_rules_file: /etc/iptables/rules
+
+# gate host ext and int ip.
+gate_local_net: 192.168.0.0/16,10.0.0.0/8
+gate_int_if: ens18
+gate_ext_if: ens19
+
+# naupp site and access_key
+gate_naupp_fqdn: naupp.nau.com
+gate_access_key: akfjj666-f897-9978-b5006c-0508938848

ansible/playbook/roles/gate/roles/gate/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart netfilter-persistent
+  service:
+    name: netfilter-persistent
+    state: restarted
+    sleep: 10

ansible/playbook/roles/gate/roles/gate/tasks/main.yml

@@ -0,0 +1,62 @@
+---
+- name: install iptables
+  apt: 
+    name: iptables
+    state: present
+  tags: packages
+
+- name: install iptables-persistent for Debian
+  apt: 
+    pkg: iptables-persistent
+    state: present
+  tags: packages
+
+- name: GET RESULT
+  uri:
+    url: "https://{{ gate_naupp_fqdn }}/sd/services/rest/exec?accessKey={{ gate_access_key }}&func=modules.externalAccess.getExternalAccesses&params=user"
+    method: GET
+    return_content: yes
+  delegate_to: 127.0.0.1
+  register: _result
+  until: _result.status != -1
+  retries: 15
+  delay: 15
+
+- set_fact:
+    endpoint_naupp: "{{ _result['content'] }}"
+
+- debug:
+    msg: "{{ endpoint_naupp }}"
+
+- name: setup IP forwarding for IPv4
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: "{{ gate_iptables_ip_forward }}"
+  tags: configuration
+
+- name: start iptables and add to boot runlevel
+  service:
+    name: netfilter-persistent
+    enabled: true
+    state: started
+
+- name: configure rules
+  template:
+    src: rules.iptables.j2
+    dest: "{{ gate_iptables_rules_file }}"
+  notify: restart netfilter-persistent
+  tags: configuration
+
+- name: symlink IPv4 rules
+  file:
+    src: "{{ gate_iptables_rules_file }}"
+    dest: /etc/iptables/rules.v4
+    state: link
+  tags: configuration
+
+- name: disable IPv6 on all interfaces
+  sysctl:
+    name: net.ipv6.conf.all.disable_ipv6
+    value: 1
+  tags: configuration
+

ansible/playbook/roles/gate/roles/gate/templates/rules.iptables.j2

@@ -0,0 +1,192 @@
+###############################################################################
+# The MIT License
+#
+# Copyright 2012-2014 Jakub Jirutka <jakub@jirutka.cz>.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+###############################################################################
+#
+#           Basic iptables/IPv4 template for an ordinary servers
+#
+# This file is in iptables-restore format. See the man pages for 
+# iptables-restore(8) and iptables-save(8).
+#
+# The following is a set of firewall rules that should be applicable to Linux 
+# servers running within departments. It is intended to provide a useful 
+# starting point from which to devise a comprehensive firewall policy for 
+# a host.
+#
+# Parts 1 and 3 of these rules are the same for each host, whilst part 2 can be 
+# populated with rules specific to particular hosts. The optional part 4 is
+# prepared for a NAT rules, e.g. for port forwarding, redirect, masquerade...
+#
+# This template is based on http://jdem.cz/v64a3 from University of Leicester.
+#
+# For the newest version go to https://gist.github.com/jirutka/3742890.
+#
+# @author Jakub Jirutka <jakub@jirutka.cz>
+# @version 1.3.1
+# @date 2014-01-28
+#
+
+###############################################################################
+# 1. COMMON HEADER                                                            #
+#                                                                             #
+# This section is a generic header that should be suitable for most hosts.    #
+###############################################################################
+
+*filter
+
+# Base policy
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Don't attempt to firewall internal traffic on the loopback device.
+-A INPUT -i lo -j ACCEPT
+
+# Continue connections that are already established or related to an established 
+# connection.
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Drop non-conforming packets, such as malformed headers, etc.
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Block remote packets claiming to be from a loopback address.
+-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
+
+# Drop all packets that are going to broadcast, multicast or anycast address.
+-A INPUT -m addrtype --dst-type BROADCAST -j DROP
+-A INPUT -m addrtype --dst-type MULTICAST -j DROP
+-A INPUT -m addrtype --dst-type ANYCAST -j DROP
+-A INPUT -d 224.0.0.0/4 -j DROP
+
+# Chain for preventing SSH brute-force attacks.
+# Permits 10 new connections within 5 minutes from a single host then drops 
+# incomming connections from that host. Beyond a burst of 100 connections we 
+# log at up 1 attempt per second to prevent filling of logs.
+-N SSHBRUTE
+-A SSHBRUTE -m recent --name SSH --set
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[SSH-brute]: "
+-A SSHBRUTE -m recent --name SSH --update --seconds 300 --hitcount 10 -j DROP
+-A SSHBRUTE -j ACCEPT
+
+# Chain for preventing ping flooding - up to 6 pings per second from a single 
+# source, again with log limiting. Also prevents us from ICMP REPLY flooding 
+# some victim when replying to ICMP ECHO from a spoofed source.
+-N ICMPFLOOD
+-A ICMPFLOOD -m recent --set --name ICMP --rsource
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -m limit --limit 1/sec --limit-burst 1 -j LOG --log-prefix "iptables[ICMP-flood]: "
+-A ICMPFLOOD -m recent --update --seconds 1 --hitcount 6 --name ICMP --rsource --rttl -j DROP
+-A ICMPFLOOD -j ACCEPT
+
+
+###############################################################################
+# 2. HOST SPECIFIC RULES                                                      #
+#                                                                             #
+# This section is a good place to enable your host-specific services.         #
+# ! DO NOT FORGOT TO COPY THESE RULES TO firewall.ip6tables TO ALLOW IPV6 !   #
+###############################################################################
+
+# Accept HTTP and HTTPS
+#-A INPUT -p tcp -m multiport --dports 80,443 --syn -m conntrack --ctstate NEW -j ACCEPT
+
+
+# ACCEPT RULES FROM naupp
+
+{% for params in endpoint_naupp %}
+-A INPUT -p tcp -m tcp -s {{ params.source_ip|join(',') }} --dport {{ params.external_port }} -j ACCEPT
+-A FORWARD -p tcp -m tcp -s {{ params.source_ip|join(',') }} --dport {{ params.target_port }} -j ACCEPT
+{% endfor %}
+
+###############################################################################
+# 3. GENERAL RULES                                                            #
+#                                                                             #
+# This section contains general rules that should be suitable for most hosts. #
+###############################################################################
+
+# Accept worldwide access to SSH and use SSHBRUTE chain for preventing 
+# brute-force attacks.
+-A INPUT -s {{ gate_local_net }} -i {{ gate_int_if }} -j ACCEPT
+-A FORWARD -s {{ gate_local_net }} -i {{ gate_int_if }} -j ACCEPT
+
+-A INPUT -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j SSHBRUTE
+
+# Permit useful IMCP packet types.
+# Note: RFC 792 states that all hosts MUST respond to ICMP ECHO requests.
+# Blocking these can make diagnosing of even simple faults much more tricky.
+# Real security lies in locking down and hardening all services, not by hiding.
+-A INPUT -p icmp --icmp-type 0  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 3  -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p icmp --icmp-type 8  -m conntrack --ctstate NEW -j ICMPFLOOD
+-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
+
+# Do not log packets that are going to ports used by SMB 
+# (Samba / Windows Sharing).
+-A INPUT -p udp -m multiport --dports 135,445 -j DROP
+-A INPUT -p udp --dport 137:139 -j DROP
+-A INPUT -p udp --sport 137 --dport 1024:65535 -j DROP
+-A INPUT -p tcp -m multiport --dports 135,139,445 -j DROP
+
+# Do not log packets that are going to port used by UPnP protocol.
+-A INPUT -p udp --dport 1900 -j DROP
+
+# Do not log late replies from nameservers.
+-A INPUT -p udp --sport 53 -j DROP
+
+# Good practise is to explicately reject AUTH traffic so that it fails fast.
+-A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
+
+# Prevent DOS by filling log files.
+-A INPUT -m limit --limit 1/second --limit-burst 100 -j LOG --log-prefix "iptables[DOS]: "
+
+COMMIT
+
+
+###############################################################################
+# 4. HOST SPECIFIC NAT RULES                                                  #
+#                                                                             #
+# Uncomment this section if you want to use NAT table, e.g. for port          #
+# forwarding, redirect, masquerade...                                         #
+###############################################################################
+
+*nat
+
+# Base policy
+:PREROUTING ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# Redirect port 21 to local port 2121
+#-A PREROUTING -i eth0 -p tcp --dport 21 -j REDIRECT --to-port 2121
+# Forward port 8080 to port 80 on host 192.168.1.10
+#-A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
+
+# NAT rules from naupp
+{% for params in endpoint_naupp %}
+-A PREROUTING -i {{ gate_ext_if }} -p tcp --dport {{ params.external_port }} -j DNAT --to-destination {{ params.target_ip }}:{{ params.target_port }}
+{% endfor %}
+
+# mask because not default route 
+-A POSTROUTING -o {{ gate_ext_if }} -j MASQUERADE
+-A POSTROUTING -o {{ gate_int_if }} -j MASQUERADE
+
+COMMIT