Remove some firewall rules, fix typo, add required dep, run stuff only when required, prompt for things, use default username

2020-04-08 03:30:18 +02:00 · 2020-04-08 03:30:18 +02:00 · 169bd35d83
commit 169bd35d83
parent 80752bb548
5 changed files with 68 additions and 25 deletions
--- a/files/iptables-rules/rules.v4
+++ b/files/iptables-rules/rules.v4
@ -1,15 +1,15 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [10:1692]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 COMMIT
 *nat
 :PREROUTING ACCEPT [2:162]
--- a/files/iptables-rules/rules.v6
+++ b/files/iptables-rules/rules.v6
@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [10:1692]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [2:162]
+:INPUT ACCEPT [1:110]
+:OUTPUT ACCEPT [1:110]
+:POSTROUTING ACCEPT [1:110]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [8:1024]
+:INPUT ACCEPT [8:1024]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [11:1802]
+:POSTROUTING ACCEPT [11:1802]
+-A OUTPUT -j TOS --set-tos 0x10/0xff
+-A OUTPUT -j DSCP --set-dscp 0x22
+COMMIT
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,5 +1,30 @@
+- name: Disable the root account
+  user:
+        name: root
+        password: '!'
+        password_lock: yes
+  notify:
+        - Disable SSH login for root
+        - Disable SSH password authentication
+- name: Disable SSH login for root
+  replace:
+        path: /etc/ssh/sshd_config
+        regexp: "^.*PermitRootLogin.*$"
+        replace: "PermitRootLogin no"
+  notify:
+        - Reload SSH service
+- name: Disable SSH password authentication
+  replace:
+        path: /etc/ssh/sshd_config
+        regexp: "^.*PasswordAuthentication.*$"
+        replace: "PasswordAuthentication no"
+  notify:
+        - Reload SSH service
+- name: Reload SSH service
+  systemd:
+        name: ssh
+        state: reloaded
 - name: Enable and restart iptables
  systemd:
-        daemon_reload: yes
        name: netfilter-persistent
-        state: restart
+        state: restarted
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,6 +2,7 @@
  apt:
        install_recommends: no
        name:
+                - iptables-persistent
                - netfilter-persistent
                - sed
                - git
@ -10,14 +11,17 @@
                - sudo
                - iptables
        cache_valid_time: 3600
+  when: packages|bool == true
 - name: Upgrade all packages to the latest version
  apt:
        name: "*"
        state: latest
+  when: packages|bool == true
 - name: Clean up unused dependencies and packages
  apt:
        autoremove: yes
        autoclean: yes
+  when: packages|bool == true
 - name: Create unpriviledged user
  user:
        name: '{{ username }}'
@ -25,33 +29,19 @@
        shell: /bin/zsh
        groups: sudo
        append: yes
+  when: user|bool == true
+  notify:
+        - Disable the root account
 - name: Copy ssh key for unpriviledged user
  authorized_key:
        key: "{{lookup('file', '{{ role_path }}/files/ssh.pub')}}"
        follow: yes
        user: '{{ username }}'
- name: Disable the root account
-  user:
-        name: root
-        password: '!'
-        password_lock: yes
- name: Disable SSH login for root
-  replace:
-        path: /etc/ssh/sshd_config
-        regexp: "^.*PermitRootLogin.*$"
-        replace: "PermitRootLogin no"
- name: Disable SSH password authentication
-  replace:
-        path: /etc/ssh/sshd_config
-        regexp: "^.*PasswordAuthentication.*$"
-        replace: "PasswordAuthentication no"
- name: Reload SSH service
-  systemd:
-        name: ssh
-        state: reloaded
+  when: user|bool == true
 - name: Set base iptables filter
  copy:
        src: '{{ role_path }}/files/iptables-rules/'
        dest: '/etc/iptables/'
  notify:
        - Enable and restart iptables
+  when: iptables|bool == true
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1 @@
+username: caskd