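---
# Host firewall for the 192.168.122.0/24 segment the hypervisor (.1) sits on
# (192.168.122.0/24 is libvirt's default NAT network -- confirm that is what
# this is): a short allow-list for the hypervisor and the monitoring hosts,
# then a REJECT for everything else from that /24.
# Rules are applied live; nothing in these tasks persists them across a
# reboot (no iptables-persistent/netfilter-persistent, no save step), so
# either re-run the play after boot or add persistence next to this file.

- name: Install iptables
  ansible.builtin.apt:
    # `name` is the documented parameter; `pkg` is only an alias of it.
    name:
      - iptables
    state: present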
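- name: Allow related and established connections
  # Conntrack fast path: replies to traffic this host initiated, plus
  # RELATED flows (e.g. ICMP errors), are accepted before any per-source rule.
  ansible.builtin.iptables:
    chain: INPUT
    ctstate: ESTABLISHED,RELATED
    jump: ACCEPT
    # Insert (position 1), not the default append: an appended rule that
    # first appears on a host after the trailing REJECT for 192.168.122.0/24
    # already exists would land below that REJECT and never match traffic
    # from the /24. Insert also keeps this rule at the top of the chain.
    action: insert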
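- name: Allow Hypervisor
  # No protocol or port match: every packet from 192.168.122.1 is accepted.
  # That is a full trust grant to the hypervisor; narrow it to the services
  # actually needed (DNS/DHCP/SSH/...) if that trust is not intended.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.1
    jump: ACCEPT
    comment: "allow hypervisor"
    # Insert rather than append so the rule always sits above the appended
    # REJECT for 192.168.122.0/24, even when it is first created on a host
    # where that REJECT already exists.
    action: insert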
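- name: Allow ping from monitoring
  # Matches every ICMP type from the monitoring host, not only echo-request.
  # If monitoring only pings, `icmp_type: echo-request` would narrow this
  # (echo-reply to our own pings is already covered by ESTABLISHED,RELATED).
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.107
    protocol: icmp
    jump: ACCEPT
    comment: "allow monitoring to ping"
    # Insert rather than append: keeps the rule above the appended REJECT
    # for 192.168.122.0/24 even when it is added on an already-configured host.
    action: insert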
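- name: Allow TLS Check from monitoring on mail
  # One ACCEPT per port: 465 (SMTPS) and 993 (IMAPS), the TLS mail ports the
  # task name refers to, reachable only from the monitoring host.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.107
    protocol: tcp
    destination_port: "{{ item }}"
    jump: ACCEPT
    comment: "allow monitoring to check mail TLS ports"
    # Insert rather than append: a rule created after the trailing REJECT for
    # 192.168.122.0/24 already exists would otherwise land below it.
    action: insert
  # `loop` instead of `with_items`, matching the other looped task in this file.
  loop:
    - 465
    - 993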
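- name: Allow ping from zabbix
  # All ICMP from the zabbix host. `icmp_type: echo-request` would be the
  # least-privilege form if zabbix only pings; replies to our own pings are
  # already handled by the ESTABLISHED,RELATED rule.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.117
    protocol: icmp
    jump: ACCEPT
    comment: "allow zabbix to ping"
    # Insert rather than append so the rule cannot end up below the appended
    # REJECT for 192.168.122.0/24 on a host where that REJECT already exists.
    action: insert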
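- name: Allow zabbix-agent from zabbix
  # zabbix-agent listener (tcp/10050), reachable only from the zabbix server.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.117
    protocol: tcp
    destination_port: "10050"
    jump: ACCEPT
    comment: "allow zabbix to connect to agent"
    # Insert rather than append: the module appends by default, and an ACCEPT
    # appended after the trailing REJECT for 192.168.122.0/24 never matches.
    action: insert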
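- name: Allow node-exporter from prometheus
  # node-exporter scrape port (tcp/9100), reachable only from the prometheus
  # host; no other host on the /24 can read the metrics.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.120
    protocol: tcp
    destination_port: "9100"
    jump: ACCEPT
    comment: "allow prometheus to access node-exporter"
    # Insert rather than append so the rule stays above the appended REJECT
    # for 192.168.122.0/24 even when first created on an already-configured host.
    action: insert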
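- name: Open Configured internal ports
  # Per-host extra ports from `extra_internal_iptables_ports_allow`. Note the
  # source is the whole 192.168.122.0/24, not a single host like the rules
  # above -- every guest on the segment can reach these ports.
  ansible.builtin.iptables:
    chain: INPUT
    source: 192.168.122.0/24
    protocol: "{{ item.protocol }}"
    destination_port: "{{ item.port }}"
    comment: "{{ item.comment }}"
    jump: ACCEPT
    # Insert rather than append. This is the list most likely to grow after
    # the trailing REJECT for this /24 already exists on a host; with the
    # module's default append, the new ACCEPT would land below that REJECT
    # and never match.
    action: insert
  # Each entry must carry all three keys (port, protocol, comment); a missing
  # key fails the task instead of creating an incomplete rule.
  loop: "{{ extra_internal_iptables_ports_allow }}"
  when: extra_internal_iptables_ports_allow is defined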
- name: Reject everything else in internal network
  # Catch-all for the /24: anything from 192.168.122.0/24 not accepted by an
  # earlier INPUT rule is rejected with ICMP admin-prohibited (clients fail
  # fast instead of timing out as they would with DROP).
  # This rule is appended, so it must remain the last rule for this /24:
  # any ACCEPT appended on a later run would sit below it and be dead; such
  # rules need `action: insert`. Hosts outside the /24 and IPv6 (ip6tables)
  # are not touched by this task -- whatever policy the chain has applies.
  ansible.builtin.iptables:
    state: present
    action: append
    chain: INPUT
    source: 192.168.122.0/24
    jump: REJECT
    reject_with: icmp-admin-prohibited
    comment: 'Block internal network'