From 169bd35d83682d8c20b382e84f4c5777defee6a6 Mon Sep 17 00:00:00 2001
From: Alex
Date: Wed, 8 Apr 2020 03:30:18 +0200
Subject: [PATCH] Remove some firewall rules, fix typo, add required dep, run stuff only when required, prompt for things, use default username
---
 files/iptables-rules/rules.v4 | 8 ++++----
 files/iptables-rules/rules.v6 | 27 +++++++++++++++++++++++++++
 handlers/main.yml | 29 +++++++++++++++++++++++++++--
 tasks/main.yml | 28 +++++++++-------------------
 vars/main.yml | 1 +
 5 files changed, 68 insertions(+), 25 deletions(-)
 create mode 100644 files/iptables-rules/rules.v6
 create mode 100644 vars/main.yml
diff --git a/files/iptables-rules/rules.v4 b/files/iptables-rules/rules.v4
index 33478d5..276608b 100644
--- a/files/iptables-rules/rules.v4
+++ b/files/iptables-rules/rules.v4
@@ -1,15 +1,15 @@
 *filter
 :INPUT DROP [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [10:1692]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
 -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
--A INPUT -m conntrack --ctstate INVALID -j DROP
--A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
--A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 COMMIT
 *nat
 :PREROUTING ACCEPT [2:162]
diff --git a/files/iptables-rules/rules.v6 b/files/iptables-rules/rules.v6
new file mode 100644
index 0000000..9b2bff8
--- /dev/null
+++ b/files/iptables-rules/rules.v6
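Review bot: The new `-A INPUT -i ens10 -j ACCEPT` accepts every packet arriving on ens10 and is placed above the two `--tcp-flags` sanity drops, so malformed TCP on that interface is never subjected to them; moving the rule below those two drops keeps the interface exemption without losing the checks. The interface name is also baked into a file that tasks/main.yml copies verbatim to /etc/iptables/, so a host whose private link has another name gets no exemption and a host whose ens10 faces a public network gets a fully open one — a comment above the rule stating what ens10 is assumed to be (presumably an internal network, which the diff does not say) would make that assumption reviewable. Minor: the SYN-check rule still uses `-m state --state NEW` while the rest of the file now uses `-m conntrack --ctstate`; `-m conntrack --ctstate NEW` keeps it consistent.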
@@ -0,0 +1,27 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [10:1692]
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -i lo -j ACCEPT
+-A INPUT -i ens10 -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+COMMIT
+*nat
+:PREROUTING ACCEPT [2:162]
+:INPUT ACCEPT [1:110]
+:OUTPUT ACCEPT [1:110]
+:POSTROUTING ACCEPT [1:110]
+COMMIT
+*mangle
+:PREROUTING ACCEPT [8:1024]
+:INPUT ACCEPT [8:1024]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [11:1802]
+:POSTROUTING ACCEPT [11:1802]
+-A OUTPUT -j TOS --set-tos 0x10/0xff
+-A OUTPUT -j DSCP --set-dscp 0x22
+COMMIT
diff --git a/handlers/main.yml b/handlers/main.yml
index db92bcc..24caa2d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,30 @@
+- name: Disable the root account
+ user:
+ name: root
+ password: '!'
+ password_lock: yes
+ notify:
+ - Disable SSH login for root
+ - Disable SSH password authentication
+- name: Disable SSH login for root
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: "^.*PermitRootLogin.*$"
+ replace: "PermitRootLogin no"
+ notify:
+ - Reload SSH service
+- name: Disable SSH password authentication
+ replace:
+ path: /etc/ssh/sshd_config
+ regexp: "^.*PasswordAuthentication.*$"
+ replace: "PasswordAuthentication no"
+ notify:
+ - Reload SSH service
+- name: Reload SSH service
+ systemd:
+ name: ssh
+ state: reloaded
 - name: Enable and restart iptables
 systemd:
- daemon_reload: yes
 name: netfilter-persistent
- state: restart
+ state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
index ca6bbd6..69085e7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,6 +2,7 @@
 apt:
 install_recommends: no
 name:
+ - iptables-persistent
 - netfilter-persistent
 - sed
 - git
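Review bot: The IPv6 filter sets `:INPUT DROP` but has no accept rule for ICMPv6, so neighbour solicitations, router advertisements and packet-too-big messages are dropped on INPUT; the RELATED,ESTABLISHED rule does not help here because, as far as I know, neighbour-discovery packets are not connection-tracked, and this very likely breaks IPv6 reachability and path-MTU discovery on the host as soon as the rules load. The IPv4 file at least accepts echo-request; this file should carry an equivalent, at minimum `-A INPUT -p ipv6-icmp -j ACCEPT` placed after the INVALID drop, or a narrower set of `-m icmp6 --icmpv6-type` rules covering the NDP and error types. The SYN-check rule has the same `-m state --state NEW` versus `-m conntrack --ctstate` inconsistency as in rules.v4.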
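Review bot: Both `replace` handlers rewrite /etc/ssh/sshd_config and then notify `Reload SSH service` without checking the result; `replace` supports `validate`, so adding `validate: /usr/sbin/sshd -t -f %s` to each surfaces a broken config at the task that caused it instead of at the reload. The patterns `^.*PermitRootLogin.*$` and `^.*PasswordAuthentication.*$` are broader than needed — they also rewrite comment lines that merely mention the keyword and any occurrence inside a `Match` block — so an anchored form such as `regexp: '^#?\s*PermitRootLogin\s.*$'` limits the change to the directive itself. Style: `password_lock: yes` is a YAML 1.1 boolean spelling; `password_lock: true` is the portable form.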
@@ -10,14 +11,17 @@
 - sudo
 - iptables
 cache_valid_time: 3600
+ when: packages|bool == true
 - name: Upgrade all packages to the latest version
 apt:
 name: "*"
 state: latest
+ when: packages|bool == true
 - name: Clean up unused dependencies and packages
 apt:
 autoremove: yes
 autoclean: yes
+ when: packages|bool == true
 - name: Create unpriviledged user
 user:
 name: '{{ username }}'
@@ -25,33 +29,19 @@
 shell: /bin/zsh
 groups: sudo
 append: yes
+ when: user|bool == true
+ notify:
+ - Disable the root account
 - name: Copy ssh key for unpriviledged user
 authorized_key:
 key: "{{lookup('file', '{{ role_path }}/files/ssh.pub')}}"
 follow: yes
 user: '{{ username }}'
-- name: Disable the root account
- user:
- name: root
- password: '!'
- password_lock: yes
-- name: Disable SSH login for root
- replace:
- path: /etc/ssh/sshd_config
- regexp: "^.*PermitRootLogin.*$"
- replace: "PermitRootLogin no"
-- name: Disable SSH password authentication
- replace:
- path: /etc/ssh/sshd_config
- regexp: "^.*PasswordAuthentication.*$"
- replace: "PasswordAuthentication no"
-- name: Reload SSH service
- systemd:
- name: ssh
- state: reloaded
+ when: user|bool == true
 - name: Set base iptables filter
 copy:
 src: '{{ role_path }}/files/iptables-rules/'
 dest: '/etc/iptables/'
 notify:
 - Enable and restart iptables
+ when: iptables|bool == true
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..6ce2bbb
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1 @@
+username: caskd
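Review bot: The new `when: packages|bool == true` conditions (and `user|bool`, `iptables|bool` in the next hunk) reference variables that nothing in this diff defines — vars/main.yml only adds `username` — so unless a playbook prompt or a defaults file outside the diff supplies them, every gated task fails with an undefined-variable error instead of being skipped. Declaring `packages: true`, `user: true` and `iptables: true` in defaults/main.yml gives the role a working default and lets callers opt out. Style: `packages|bool == true` compares a boolean to a boolean; `when: packages | bool` reads the same and is the usual form.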
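Review bot: Notifying `Disable the root account` from `Create unpriviledged user` ties the root lock and the sshd hardening to that task reporting changed, so on any later run where the user already exists, or whenever `user` is false, `PermitRootLogin` and `PasswordAuthentication` are left as found even if someone has re-enabled them; the role no longer enforces that state. If the intent is only to avoid locking root before a login user exists, keep the hardening as ordinary tasks placed after `Copy ssh key for unpriviledged user` and gated with `when: user | bool`, and leave only the sshd reload as a handler. The `when: user|bool == true` conditions here hit the undefined-variable issue raised on the previous hunk.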
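Review bot: `username: caskd` is placed in vars/main.yml, where role vars outrank inventory and play vars, so a caller can change the account name only with extra-vars; a default belongs in defaults/main.yml (the same `username: caskd` line there) so the `{{ username }}` used in tasks/main.yml can be overridden normally. The commit message's "use default username" matches defaults/ rather than vars/.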