feat: iptables restriction in internal network

group_vars/monitoring.yaml

@@ -1 +1,5 @@
 monitoring_master: true
+extra_internal_iptables_ports_allow:
+    - { "protocol" : "tcp", "port" : 8086, "comment" : "influx" }
+    - { "protocol" : "tcp", "port" : 514, "comment" : "rsyslog" }
+    - { "protocol" : "tcp", "port" : 5668, "comment" : "nsca-ng" }

group_vars/usermanagement.yaml

@@ -7,5 +7,8 @@ ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
 ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
 ldap_connection_url: ldap://192.168.122.112
 
+extra_internal_iptables_ports_allow:
+    - { "protocol" : "tcp", "port" : 389, "comment" : "ldap" }
+
 extra_sheppy_pubkeys: |
     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaABPy9h009vUQj+gewvhIO9kDpUBkkW5dGz6HsDxp6FLeZ0KOMTPZyRkwPHkC3Jee8vkTl2fFi7wjXhkWSpPe7H/RFdn6nHf5RSvM4aEwhkjD7E1lvf9lLRUXnISeFXFOdD3hpRXqT5yVP9O1S3Rk3b+i9HPlcw1vDmFHS5mZ+rXmxQSyHD8uuyCEL1Ri5IOz9XxycaJ/MHX2XaHWU+xgrQ2uvWrvhnibB3bhtf94GrHJQXRfjUc4nF3SG3937Fkdit5LozuDE3/mLoNN6PwXz13Z2acClpjiyOZQxpa2+TpwE5i2rWoZwsXv//yzohHbA30+qYSxJYQrYZ1XRyOSPFWSp3wwcuj8yMMqMJT2e75ZyWaHuoYuindOFW4VMR7pFppssnnbdLHvJGe5PZMSDxlyhUtkAK4p1nf2nEng3VjCBcn6UWK1po5DQmcLwkd0cQbWTLxHjH4sAtfyp7A8jsGLXrhWraMOOoU0JVkamZrq2BuSyaC5S7+KdvGCg3U= backupvm

group_vars/web1.yaml

@@ -0,0 +1,2 @@
+extra_internal_iptables_ports_allow:
+    - { "protocol" : "tcp", "port" : 5004, "comment" : "signal-gateway" }

group_vars/zabbix.yaml

@@ -0,0 +1,2 @@
+extra_internal_iptables_ports_allow:
+    - { "protocol" : "tcp", "port" : 10051, "comment" : "zabbix-server" }

playbook.yaml

@@ -7,6 +7,7 @@
     - { role : monitoring-influx, tags : [ "influx" ] }
     - { role : base,              tags : [ "base" ] }
     - { role : zabbix-agent,      tags : [ "zabbix-agent" ] }
+    - { role : iptables,          tags : [ "iptables" ] }
 
 - hosts: web1
   roles:

roles/iptables/tasks/main.yaml

@@ -0,0 +1,84 @@
+- name: Install iptables
+  apt:
+    state: present
+    pkg:
+        - iptables
+
+- name: Allow related and established connections
+  ansible.builtin.iptables:
+    chain: INPUT
+    ctstate: ESTABLISHED,RELATED
+    jump: ACCEPT
+
+- name: Allow Hypervisor
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.1
+    jump: ACCEPT
+    comment: "allow hypervisor"
+
+- name: Allow ping from monitoring
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.107
+    protocol: icmp
+    jump: ACCEPT
+    comment: "allow monitoring to ping"
+
+- name: Allow TLS Check from monitoring on mail
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.107
+    protocol: tcp
+    destination_port: "{{ item }}"
+    jump: ACCEPT
+    comment: "allow monitoring to check mail TLS ports"
+  with_items:
+      - 465
+      - 993
+
+- name: Allow ping from zabbix
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.117
+    protocol: icmp
+    jump: ACCEPT
+    comment: "allow zabbix to ping"
+
+- name: Allow zabbix-agent from zabbix
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.117
+    protocol: tcp
+    destination_port: "10050"
+    jump: ACCEPT
+    comment: "allow zabbix to connect to agent"
+
+- name: Allow node-exporter from prometheus
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.120
+    protocol: tcp
+    destination_port: "9100"
+    jump: ACCEPT
+    comment: "allow prometheus to access node-exporter"
+
+- name: Open Configured internal ports
+  ansible.builtin.iptables:
+    chain: INPUT
+    destination_port: "{{ item.port }}"
+    source: 192.168.122.0/24
+    protocol: "{{ item.protocol }}"
+    comment: "{{ item.comment }}"
+    jump: ACCEPT
+  loop: "{{ extra_internal_iptables_ports_allow }}"
+  when: extra_internal_iptables_ports_allow is defined
+
+- name: Reject everything else in internal network
+  ansible.builtin.iptables:
+    chain: INPUT
+    source: 192.168.122.0/24
+    comment: "Block internal network"
+    jump: REJECT
+    reject_with: icmp-admin-prohibited
+    state: present