feat: iptables restriction in internal network

2025-12-06 09:01:38 +01:00 · 2023-07-04 20:09:19 +00:00
parent 2fa76b1e0f
commit 5824fd5778
6 changed files with 96 additions and 0 deletions
--- a/roles/iptables/tasks/main.yaml
+++ b/roles/iptables/tasks/main.yaml
@@ -0,0 +1,84 @@
+- name: Install iptables
+  apt:
+    state: present
+    pkg:
+        - iptables
+
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+- name: Allow Hypervisor
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.1
+    jump: ACCEPT
+    comment: "allow hypervisor"
+
+- name: Allow ping from monitoring
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.107
+    protocol: icmp
+    jump: ACCEPT
+    comment: "allow monitoring to ping"
+
+- name: Allow TLS Check from monitoring on mail
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.107
+    protocol: tcp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: "allow monitoring to check mail TLS ports"
+  with_items:
+      - 465
+      - 993
+
+- name: Allow ping from zabbix
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.117
+    protocol: icmp
+    jump: ACCEPT
+    comment: "allow zabbix to ping"
+
+- name: Allow zabbix-agent from zabbix
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.117
+    protocol: tcp
+    destination_port: "10050"
+    jump: ACCEPT
+    comment: "allow zabbix to connect to agent"
+
+- name: Allow node-exporter from prometheus
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.120
+    protocol: tcp
+    destination_port: "9100"
+    jump: ACCEPT
+    comment: "allow prometheus to access node-exporter"
+
+- name: Open Configured internal ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    destination_port: "{{ item.port }}"
+    source: 192.168.122.0/24
+    protocol: "{{ item.protocol }}"
+    comment: "{{ item.comment }}"
+    jump: ACCEPT
+  loop: "{{ extra_internal_iptables_ports_allow }}"
+  when: extra_internal_iptables_ports_allow is defined
+
+- name: Reject everything else in internal network
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.0/24
+    comment: "Block internal network"
+    jump: REJECT
+    reject_with: icmp-admin-prohibited
+    state: present