Add ipt-server role with firewall configuration and management

- Created handlers for reloading systemd and restarting firewall services. - Implemented tasks to ensure the existence of configuration directories and files. - Deployed host-specific and shared configuration files using templates. - Added scripts for managing IPv4 and IPv6 firewalls. - Configured systemd service units for ipt-firewall and ip6t-firewall. - Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00
parent 0158e3738f
commit 9798ca9cd6
24 changed files with 10019 additions and 0 deletions
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+
+# -------------
+# --- Logging
+# -------------
+
+if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then 
+   tag_log_prefix="--nflog-prefix"
+   LOG_TARGET="NFLOG --nflog-group 12"
+else 
+   # - Log using the specified syslog level. 7 (debug) is a good choice 
+   # - unless you specifically need something else. 
+   # -
+   log_level=debug
+   LOG_TARGET="LOG --log-level $log_level"
+   tag_log_prefix="--log-prefix"
+fi
+
+log_all=false
+
+log_syn_flood=false
+log_port_scanning=false
+log_ssh_brute_force=false
+log_fragments=false
+log_mdns=false
+log_mndp=false
+log_new_not_sync=false
+log_syn_with_suspicious_mss=false
+log_invalid_packets=false
+log_invalid_state=false
+log_invalid_flags=false
+log_spoofed=false
+log_spoofed_out=false
+log_private_network_out=false
+log_to_lo=false
+log_not_wanted=false
+log_blocked=false
+log_unprotected=false
+log_forwarding_priv_ip=false
+log_prohibited=false
+log_voip=false
+log_rejected=true
+
+log_blocked_ip=false
+
+log_ssh=false
+
+# - logging messages
+# -
+log_prefix="[ IPv6 ]"
+
+
+# ---
+# - Log all traffic for givven ip address
+# ---
+
+# - You can also give hostname(s)
+# -
+# - Blank seoarated list of ips/hostnames
+# -
+log_ips=""
+