From 5824fd577841327fe07ceb4b872221fe8de3db63 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Tue, 4 Jul 2023 20:09:19 +0000
Subject: [PATCH] feat: iptables restriction in internal network
---
 group_vars/monitoring.yaml | 4 ++
 group_vars/usermanagement.yaml | 3 ++
 group_vars/web1.yaml | 2 +
 group_vars/zabbix.yaml | 2 +
 playbook.yaml | 1 +
 roles/iptables/tasks/main.yaml | 84 ++++++++++++++++++++++++++++++++++
 6 files changed, 96 insertions(+)
 create mode 100644 group_vars/web1.yaml
 create mode 100644 group_vars/zabbix.yaml
 create mode 100644 roles/iptables/tasks/main.yaml
diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml
index a36d398..d50d06d 100644
--- a/group_vars/monitoring.yaml
+++ b/group_vars/monitoring.yaml
@@ -1 +1,5 @@
 monitoring_master: true
+extra_internal_iptables_ports_allow:
+ - { "protocol" : "tcp", "port" : 8086, "comment" : "influx" }
+ - { "protocol" : "tcp", "port" : 514, "comment" : "rsyslog" }
+ - { "protocol" : "tcp", "port" : 5668, "comment" : "nsca-ng" }
diff --git a/group_vars/usermanagement.yaml b/group_vars/usermanagement.yaml
index 34aa0a4..a550e92 100644
--- a/group_vars/usermanagement.yaml
+++ b/group_vars/usermanagement.yaml
@@ -7,5 +7,8 @@ ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
 ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
 ldap_connection_url: ldap://192.168.122.112
+extra_internal_iptables_ports_allow:
+ - { "protocol" : "tcp", "port" : 389, "comment" : "ldap" }
+
 extra_sheppy_pubkeys: |
 ssh-rsa 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 backupvm
diff --git a/group_vars/web1.yaml b/group_vars/web1.yaml
new file mode 100644
index 0000000..272ad70
--- /dev/null
+++ b/group_vars/web1.yaml
@@ -0,0 +1,2 @@
+extra_internal_iptables_ports_allow:
+ - { "protocol" : "tcp", "port" : 5004, "comment" : "signal-gateway" }
diff --git a/group_vars/zabbix.yaml b/group_vars/zabbix.yaml
new file mode 100644
index 0000000..564b034
--- /dev/null
+++ b/group_vars/zabbix.yaml
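Review bot: `extra_internal_iptables_ports_allow` is defined here as a plain list, and Ansible replaces rather than merges list variables between groups, so a host that also belongs to another group defining the same variable (usermanagement, zabbix and web1 all do in this commit) ends up with only the winning group's ports and silently loses the rest once the role's catch-all REJECT is in place. If no host is in more than one of these groups this is harmless, but it deserves a comment above the list, e.g. `# NOTE: lists are not merged across groups — a host must get all of its internal ports from one definition`. Also, 514/tcp is the only rsyslog entry; if any sender still ships syslog over the traditional 514/udp, the role rejects it, so add `{ "protocol" : "udp", "port" : 514, "comment" : "rsyslog-udp" }` if that is the case.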
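Review bot: This opens 389/tcp to every host in 192.168.122.0/24, and with `ldap_connection_url: ldap://...` two lines above, the directory — including simple binds with the `cn=Manager` DN shown in context — is reachable in cleartext from any internal host, not only the services that consume it. If only a few hosts bind to LDAP, the allow should name those sources rather than the /24, or the server should offer LDAPS (636) / StartTLS and that port be opened instead; the role's loop currently takes only a port and protocol, so a per-source allow needs either a dedicated task or a `source` field in these entries. At minimum, record the exposure next to the entry: `# 389 is plaintext LDAP reachable from the whole internal /24 — restrict sources or move to ldaps`.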
@@ -0,0 +1,2 @@
+extra_internal_iptables_ports_allow:
+ - { "protocol" : "tcp", "port" : 10051, "comment" : "zabbix-server" }
diff --git a/playbook.yaml b/playbook.yaml
index 3dae451..e82c7d3 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -7,6 +7,7 @@
 - { role : monitoring-influx, tags : [ "influx" ] }
 - { role : base, tags : [ "base" ] }
 - { role : zabbix-agent, tags : [ "zabbix-agent" ] }
+ - { role : iptables, tags : [ "iptables" ] }
 - hosts: web1
 roles:
diff --git a/roles/iptables/tasks/main.yaml b/roles/iptables/tasks/main.yaml
new file mode 100644
index 0000000..b40e666
--- /dev/null
+++ b/roles/iptables/tasks/main.yaml
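Review bot: The iptables role is added only to the first play's role list, while the `- hosts: web1` play that follows (its roles are outside the hunk) does not visibly receive it; if web1 is not also matched by the first play's `hosts:` (also outside the hunk), the new `group_vars/web1.yaml` port list is never applied and web1 gets no internal-network restriction at all. Either add `- { role : iptables, tags : [ "iptables" ] }` to the web1 play as well or confirm that the first play already targets every host. Placing the role last in the play means the catch-all REJECT only lands after the other roles have run, which looks intentional; a one-line comment would make that explicit: `# keep last: the catch-all REJECT must not precede the roles that need the ports`.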
@@ -0,0 +1,84 @@
+- name: Install iptables
+ apt:
+ state: present
+ pkg:
+ - iptables
+
+- name: Allow related and established connections
+ ansible.builtin.iptables:
+ chain: INPUT
+ ctstate: ESTABLISHED,RELATED
+ jump: ACCEPT
+
+- name: Allow Hypervisor
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.1
+ jump: ACCEPT
+ comment: "allow hypervisor"
+
+- name: Allow ping from monitoring
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.107
+ protocol: icmp
+ jump: ACCEPT
+ comment: "allow monitoring to ping"
+
+- name: Allow TLS Check from monitoring on mail
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.107
+ protocol: tcp
+ destination_port: "{{ item }}"
+ jump: ACCEPT
+ comment: "allow monitoring to check mail TLS ports"
+ with_items:
+ - 465
+ - 993
+
+- name: Allow ping from zabbix
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.117
+ protocol: icmp
+ jump: ACCEPT
+ comment: "allow zabbix to ping"
+
+- name: Allow zabbix-agent from zabbix
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.117
+ protocol: tcp
+ destination_port: "10050"
+ jump: ACCEPT
+ comment: "allow zabbix to connect to agent"
+
+- name: Allow node-exporter from prometheus
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.120
+ protocol: tcp
+ destination_port: "9100"
+ jump: ACCEPT
+ comment: "allow prometheus to access node-exporter"
+
+- name: Open Configured internal ports
+ ansible.builtin.iptables:
+ chain: INPUT
+ destination_port: "{{ item.port }}"
+ source: 192.168.122.0/24
+ protocol: "{{ item.protocol }}"
+ comment: "{{ item.comment }}"
+ jump: ACCEPT
+ loop: "{{ extra_internal_iptables_ports_allow }}"
+ when: extra_internal_iptables_ports_allow is defined
+
+- name: Reject everything else in internal network
+ ansible.builtin.iptables:
+ chain: INPUT
+ source: 192.168.122.0/24
+ comment: "Block internal network"
+ jump: REJECT
+ reject_with: icmp-admin-prohibited
+ state: present
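Review bot: Every allow rule and the final REJECT are appended with the module's default `action: append`, so a port added to `extra_internal_iptables_ports_allow` (or a new allow task) on a later run is placed below the `Block internal network` rule and is never reached; give the allow tasks `action: insert` — they are all plain ACCEPTs, so their relative order does not matter — or move the whole policy into a dedicated chain that the role rebuilds each run. Nothing in the role persists the rule set (e.g. `netfilter-persistent save` after the last task), so the restriction silently disappears on reboot, and a port removed from the variable keeps its ACCEPT rule until then because no task sets `state: absent`. Because the REJECT matches on source 192.168.122.0/24 rather than on an interface, a host connecting to its own internal address over loopback is also rejected unless the port is listed; an early `in_interface: lo` / `jump: ACCEPT` task avoids that. Finally, `ansible.builtin.iptables` manages IPv4 only unless `ip_version: ipv6` is given, so any IPv6 reachability on the internal network is left untouched by this role.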