Add ipt-server role with firewall configuration and management

- Created handlers for reloading systemd and restarting firewall services.
- Implemented tasks to ensure the existence of configuration directories and files.
- Deployed host-specific and shared configuration files using templates.
- Added scripts for managing IPv4 and IPv6 firewalls.
- Configured systemd service units for ipt-firewall and ip6t-firewall.
- Enabled and started firewall services on system boot.
2026-06-26 19:30:01 +02:00
parent 0158e3738f
commit 9798ca9cd6
24 changed files with 10019 additions and 0 deletions
+14
@@ -1 +1,15 @@
# Editor
*.swp
*.swo
*~
# Python
__pycache__/
*.py[cod]
# Ansible
*.retry
.vault_pass
# OS
.DS_Store
+726
@@ -0,0 +1,726 @@
#!/usr/bin/env python3
"""
Extract ipt-firewall configuration from a host and generate host_vars YAML.
Reads /etc/ipt-firewall/{interfaces,main}_ipv{4,6}.conf via SSH,
maps all variables to Ansible fw_* names, and writes a host_vars file.
Usage:
./extract-fw-host-vars.py <hostname> [--user USER] [--port PORT] [--dry-run]
Example:
./extract-fw-host-vars.py cl-01.oopen.de
./extract-fw-host-vars.py cl-01.oopen.de --user root --dry-run
"""
import argparse
import re
import subprocess
import sys
from pathlib import Path
# ---------------------------------------------------------------------------
# Defaults matching roles/ipt-firewall/defaults/main.yml
# Only values that differ from these will be emitted.
# ---------------------------------------------------------------------------
DEFAULTS = {
"fw_do_not_firewall_bridged_traffic": False,
"fw_do_not_firewall_lx_guest_systems": False,
"fw_drop_icmp": False,
"fw_drop_mndp": True,
"fw_drop_mdns": True,
"fw_allow_all_outgoing_traffic": False,
"fw_blocked_ifs": "",
"fw_unprotected_ifs": "",
"fw_forward_private_ips_v4": "",
"fw_forward_private_ips_v6": "",
"fw_restrict_local_service_to_net_v4": "",
"fw_restrict_local_service_to_net_v6": "",
"fw_restrict_local_net_to_net_v4": "",
"fw_restrict_local_net_to_net_v6": "",
"fw_allow_ext_service_v4": "",
"fw_allow_ext_service_v6": "",
"fw_allow_ext_net_v4": "",
"fw_allow_ext_net_v6": "",
"fw_allow_local_service_v4": "",
"fw_allow_local_service_v6": "",
"fw_allow_local_service_from_networks_v4": "",
"fw_allow_local_service_from_networks_v6": "",
"fw_vpn_server_ips": "",
"fw_forward_vpn_server_ips": "",
"fw_vpn_ports": "$standard_vpn_port",
"fw_wireguard_server_ips": "",
"fw_forward_wireguard_server_ips": "",
"fw_wireguard_server_ports": "$standard_wireguard_port",
"fw_wireguard_out_ports": "$standard_wireguard_port",
"fw_local_ntp_service": False,
"fw_ntp_port": "$standard_ntp_port",
"fw_ntp_allowed_net": "",
"fw_dhcp_server_ifs": "",
"fw_dhcp_client_ifs": "",
"fw_dns_server_ips": "",
"fw_forward_dns_server_ips": "",
"fw_local_resolver_service": False,
"fw_resolver_port": "$standard_dns_port",
"fw_resolver_allowed_networks_v4": "",
"fw_resolver_allowed_networks_v6": "",
"fw_ssh_server_ips": "$ext_ips",
"fw_forward_ssh_server_ips": "",
"fw_ssh_ports": "$standard_ssh_port",
"fw_http_server_ips": "",
"fw_forward_http_server_ips": "",
"fw_http_ports": "$standard_http_ports",
"fw_log_cgi_traffic_out": False,
"fw_cgi_script_users": "",
"fw_mm_server_ips": "",
"fw_forward_mm_server_ips": "",
"fw_smtpd_ips": "",
"fw_forward_smtpd_ips": "",
"fw_smtpd_additional_listen_ports": "",
"fw_smtpd_additional_outgoing_ports": "",
"fw_mail_server_ips": "",
"fw_forward_mail_server_ips": "",
"fw_mail_user_ports": "$standard_mailuser_ports",
"fw_mail_client_ips": "",
"fw_forward_mail_client_ips": "",
"fw_dovecot_auth_service": False,
"fw_dovecot_auth_port": "$dovecot_external_auth_port",
"fw_dovecot_auth_allowed_networks_v4": "",
"fw_dovecot_auth_allowed_networks_v6": "",
"fw_ftp_server_ips": "",
"fw_forward_ftp_server_ips": "",
"fw_ftp_passive_port_range": "50000:50400",
"fw_xmpp_server_ips": "",
"fw_forward_xmpp_server_ips": "",
"fw_xmmp_tcp_in_ports": "5222 5223 5269",
"fw_xmmp_tcp_out_ports": "5269",
"fw_xmmp_remote_out_services_v4": "",
"fw_xmmp_remote_out_services_v6": "",
"fw_mumble_server_ips": "",
"fw_forward_mumble_server_ips": "",
"fw_mumble_ports": "$standard_mumble_port",
"fw_jitsi_server_ips": "",
"fw_forward_jitsi_server_ips": "",
"fw_jitsi_dovecot_auth": False,
"fw_jitsi_dovecot_host": "",
"fw_jitsi_jibri_remote_auth": False,
"fw_jitsi_jibri_remote_ips": "",
"fw_jibri_server_ips": "",
"fw_forward_jibri_server_ips": "",
"fw_jibri_remote_jitsi_server": "",
"fw_nc_turn_server_ips": "",
"fw_forward_nc_turn_server_ips": "",
"fw_nc_turn_ports": "$standard_turn_service_ports",
"fw_nc_turn_udp_ports": "$standard_turn_service_udp_ports",
"fw_tftp_server_ips": "",
"fw_prometheus_local_server_ips": "",
"fw_prometheus_local_client_ips": "",
"fw_prometheus_remote_server_ips": "",
"fw_munin_server_ips": "",
"fw_forward_munin_server_ips": "",
"fw_munin_remote_port": "$standard_munin_port",
"fw_munin_local_port": "4949",
"munin_remote_ipv4": "",
"munin_remote_ipv6": "",
"fw_xymon_server_ips": "",
"fw_local_xymon_client": False,
"fw_xymon_port": "$standard_xymon_port",
"fw_rsync_out_ips": "",
"fw_forward_rsync_out_ips": "",
"fw_rsync_ports": "873",
"fw_tcp_out_ports": "",
"fw_forward_tcp_out_ports": "",
"fw_udp_out_ports": "",
"fw_forward_udp_out_ports": "",
"fw_portforward_tcp_v4": "",
"fw_portforward_udp_v4": "",
"fw_portforward_tcp_v6": "",
"fw_portforward_udp_v6": "",
"fw_blocked_ips": "",
"fw_block_tcp_ports": "111 113 135 137:139 445",
"fw_block_udp_ports": "111 137:139",
"fw_create_traffic_counter": True,
"fw_create_iperf_rules": True,
"fw_protection_against_syn_flooding": True,
"fw_protection_against_port_scanning": True,
"fw_protection_against_ssh_brute_force_attacks": True,
"fw_limit_connections_per_source_IP": True,
"fw_per_IP_connection_limit": "$default_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP": True,
"fw_limit_new_tcp_connections_per_seconds_ports": "",
"fw_kernel_activate_forwarding": False,
"fw_kernel_support_dynaddr": False,
"fw_dynaddr_flag": "5",
"fw_kernel_reduce_timeouts": True,
"fw_kernel_tcp_syncookies": True,
"fw_kernel_protect_against_icmp_bogus_messages": True,
"fw_kernel_ignore_broadcast_ping": True,
"fw_kernel_deactivate_source_route": True,
"fw_kernel_dont_accept_redirects": True,
"fw_kernel_activate_rp_filter": True,
"fw_kernel_log_martians": False,
"fw_kernel_forward_between_interfaces": False,
"fw_vpn_ifs": "tun+",
"fw_wg_ifs": "wg+",
"fw_nat_devices": "",
}
# ---------------------------------------------------------------------------
# Variable mapping: (bash_varname, source) → ansible_varname
# source: 'iface_v4', 'iface_v6', 'main_v4', 'main_v6', 'main_shared'
# ---------------------------------------------------------------------------
# Shared service variables (read from main_ipv4.conf, same in both)
MAIN_SHARED = {
"do_not_firewall_bridged_traffic": "fw_do_not_firewall_bridged_traffic",
"do_not_firewall_lx_guest_systems": "fw_do_not_firewall_lx_guest_systems",
"drop_icmp": "fw_drop_icmp",
"drop_mndp": "fw_drop_mndp",
"drop_mdns": "fw_drop_mdns",
"allow_all_outgoing_traffic": "fw_allow_all_outgoing_traffic",
"blocked_ifs": "fw_blocked_ifs",
"unprotected_ifs": "fw_unprotected_ifs",
"vpn_server_ips": "fw_vpn_server_ips",
"forward_vpn_server_ips": "fw_forward_vpn_server_ips",
"vpn_ports": "fw_vpn_ports",
"wireguard_server_ips": "fw_wireguard_server_ips",
"forward_wireguard_server_ips": "fw_forward_wireguard_server_ips",
"wireguard_server_ports": "fw_wireguard_server_ports",
"wireguard_out_ports": "fw_wireguard_out_ports",
"local_ntp_service": "fw_local_ntp_service",
"ntp_port": "fw_ntp_port",
"ntp_allowed_net": "fw_ntp_allowed_net",
"dns_server_ips": "fw_dns_server_ips",
"forward_dns_server_ips": "fw_forward_dns_server_ips",
"local_resolver_service": "fw_local_resolver_service",
"resolver_port": "fw_resolver_port",
"ssh_server_ips": "fw_ssh_server_ips",
"forward_ssh_server_ips": "fw_forward_ssh_server_ips",
"ssh_ports": "fw_ssh_ports",
"http_server_ips": "fw_http_server_ips",
"forward_http_server_ips": "fw_forward_http_server_ips",
"http_ports": "fw_http_ports",
"log_cgi_traffic_out": "fw_log_cgi_traffic_out",
"cgi_script_users": "fw_cgi_script_users",
"mm_server_ips": "fw_mm_server_ips",
"forward_mm_server_ips": "fw_forward_mm_server_ips",
"smtpd_ips": "fw_smtpd_ips",
"forward_smtpd_ips": "fw_forward_smtpd_ips",
"smtpd_additional_listen_ports": "fw_smtpd_additional_listen_ports",
"smtpd_additional_outgoung_ports": "fw_smtpd_additional_outgoing_ports",
"mail_server_ips": "fw_mail_server_ips",
"forward_mail_server_ips": "fw_forward_mail_server_ips",
"mail_user_ports": "fw_mail_user_ports",
"mail_client_ips": "fw_mail_client_ips",
"forward_mail_client_ips": "fw_forward_mail_client_ips",
"dovecot_auth_service": "fw_dovecot_auth_service",
"dovecot_auth_port": "fw_dovecot_auth_port",
"ftp_server_ips": "fw_ftp_server_ips",
"forward_ftp_server_ips": "fw_forward_ftp_server_ips",
"ftp_passive_port_range": "fw_ftp_passive_port_range",
"xmpp_server_ips": "fw_xmpp_server_ips",
"forward_xmpp_server_ips": "fw_forward_xmpp_server_ips",
"xmmp_tcp_in_ports": "fw_xmmp_tcp_in_ports",
"xmmp_tcp_out_ports": "fw_xmmp_tcp_out_ports",
"mumble_server_ips": "fw_mumble_server_ips",
"forward_mumble_server_ips": "fw_forward_mumble_server_ips",
"mumble_ports": "fw_mumble_ports",
"jitsi_server_ips": "fw_jitsi_server_ips",
"forward_jitsi_server_ips": "fw_forward_jitsi_server_ips",
"jitsi_tcp_ports": "fw_jitsi_tcp_ports",
"jitsi_udp_port_range": "fw_jitsi_udp_port_range",
"jitsi_tcp_ports_out": "fw_jitsi_tcp_ports_out",
"jitsi_udp_ports_out": "fw_jitsi_udp_ports_out",
"jitsi_dovecot_auth": "fw_jitsi_dovecot_auth",
"jitsi_dovecot_host": "fw_jitsi_dovecot_host",
"jitsi_jibri_remote_auth": "fw_jitsi_jibri_remote_auth",
"jitsi_jibri_remote_ips": "fw_jitsi_jibri_remote_ips",
"jibri_server_ips": "fw_jibri_server_ips",
"forward_jibri_server_ips": "fw_forward_jibri_server_ips",
"jibri_remote_jitsi_server": "fw_jibri_remote_jitsi_server",
"nc_turn_server_ips": "fw_nc_turn_server_ips",
"forward_nc_turn_server_ips": "fw_forward_nc_turn_server_ips",
"nc_turn_ports": "fw_nc_turn_ports",
"nc_turn_udp_ports": "fw_nc_turn_udp_ports",
"tftp_server_ips": "fw_tftp_server_ips",
"prometheus_local_server_ips": "fw_prometheus_local_server_ips",
"prometheus_local_client_ips": "fw_prometheus_local_client_ips",
"prometheus_remote_server_ips": "fw_prometheus_remote_server_ips",
"munin_server_ips": "fw_munin_server_ips",
"forward_munin_server_ips": "fw_forward_munin_server_ips",
"munin_remote_port": "fw_munin_remote_port",
"munin_local_port": "fw_munin_local_port",
"xymon_server_ips": "fw_xymon_server_ips",
"local_xymon_client": "fw_local_xymon_client",
"xymon_port": "fw_xymon_port",
"rsync_out_ips": "fw_rsync_out_ips",
"forward_rsync_out_ips": "fw_forward_rsync_out_ips",
"rsync_ports": "fw_rsync_ports",
"tcp_out_ports": "fw_tcp_out_ports",
"forward_tcp_out_ports": "fw_forward_tcp_out_ports",
"udp_out_ports": "fw_udp_out_ports",
"forward_udp_out_ports": "fw_forward_udp_out_ports",
"blocked_ips": "fw_blocked_ips",
"block_tcp_ports": "fw_block_tcp_ports",
"block_udp_ports": "fw_block_udp_ports",
"create_traffic_counter": "fw_create_traffic_counter",
"create_iperf_rules": "fw_create_iperf_rules",
"protection_against_syn_flooding": "fw_protection_against_syn_flooding",
"protection_against_port_scanning": "fw_protection_against_port_scanning",
"protection_against_ssh_brute_force_attacks": "fw_protection_against_ssh_brute_force_attacks",
"limit_connections_per_source_IP": "fw_limit_connections_per_source_IP",
"per_IP_connection_limit": "fw_per_IP_connection_limit",
"limit_new_tcp_connections_per_seconds_per_source_IP": "fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"limit_new_tcp_connections_per_seconds_ports": "fw_limit_new_tcp_connections_per_seconds_ports",
}
# IPv4-only variables (from main_ipv4.conf)
MAIN_V4_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v4",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v4",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v4",
"allow_ext_service": "fw_allow_ext_service_v4",
"allow_ext_net": "fw_allow_ext_net_v4",
"allow_local_service": "fw_allow_local_service_v4",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v4",
"portforward_tcp": "fw_portforward_tcp_v4",
"portforward_udp": "fw_portforward_udp_v4",
"munin_remote_ip": "munin_remote_ipv4",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v4",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v4",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v4",
"dhcp_server_ifs": "fw_dhcp_server_ifs",
"dhcp_client_ifs": "fw_dhcp_client_ifs",
"kernel_activate_forwarding": "fw_kernel_activate_forwarding",
"kernel_support_dynaddr": "fw_kernel_support_dynaddr",
"dynaddr_flag": "fw_dynaddr_flag",
"kernel_reduce_timeouts": "fw_kernel_reduce_timeouts",
"kernel_tcp_syncookies": "fw_kernel_tcp_syncookies",
"kernel_protect_against_icmp_bogus_messages": "fw_kernel_protect_against_icmp_bogus_messages",
"kernel_ignore_broadcast_ping": "fw_kernel_ignore_broadcast_ping",
"kernel_activate_rp_filter": "fw_kernel_activate_rp_filter",
"kernel_log_martians": "fw_kernel_log_martians",
"kernel_deactivate_source_route": "fw_kernel_deactivate_source_route",
"kernel_dont_accept_redirects": "fw_kernel_dont_accept_redirects",
}
# IPv6-only variables (from main_ipv6.conf)
MAIN_V6_ONLY = {
"forward_private_ips": "fw_forward_private_ips_v6",
"restrict_local_service_to_net": "fw_restrict_local_service_to_net_v6",
"restrict_local_net_to_net": "fw_restrict_local_net_to_net_v6",
"allow_ext_service": "fw_allow_ext_service_v6",
"allow_ext_net": "fw_allow_ext_net_v6",
"allow_local_service": "fw_allow_local_service_v6",
"allow_local_service_from_networks": "fw_allow_local_service_from_networks_v6",
"portforward_tcp": "fw_portforward_tcp_v6",
"portforward_udp": "fw_portforward_udp_v6",
"munin_remote_ip": "munin_remote_ipv6",
"dovecot_auth_allowed_networks": "fw_dovecot_auth_allowed_networks_v6",
"xmmp_remote_out_services": "fw_xmmp_remote_out_services_v6",
"resolver_allowed_networks": "fw_resolver_allowed_networks_v6",
"kernel_forward_between_interfaces": "fw_kernel_forward_between_interfaces",
}
# ---------------------------------------------------------------------------
# Parsing
# ---------------------------------------------------------------------------
def parse_bash_config(text):
"""
Parse key=value pairs from a bash config file.
Handles: var="value", var=value, var=true/false
Multiline values (var="line1\n line2\n") are joined as a single string.
Returns dict of {varname: value_string}
"""
result = {}
warnings = []
# Collapse multiline quoted strings: "...\n ..." → "... ..."
# Strategy: scan char by char for opening " after =, collect until closing "
lines = text.splitlines()
i = 0
while i < len(lines):
line = lines[i].strip()
# Skip comments and blank lines
if not line or line.startswith('#'):
i += 1
continue
# Match assignment
m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)', line)
if not m:
i += 1
continue
varname = m.group(1)
rest = m.group(2).strip()
# Quoted value
if rest.startswith('"'):
# Collect until closing quote (may span multiple lines)
collected = rest[1:] # strip opening "
closed = False
extra_lines = []
while True:
# Check if closing " is in collected
close_pos = collected.find('"')
if close_pos != -1:
value = collected[:close_pos].strip()
if extra_lines:
warnings.append(f" # {varname}: multiline value — verify manually")
result[varname] = value
closed = True
break
else:
# Value continues on next line
extra_lines.append(collected.strip())
i += 1
if i >= len(lines):
break
collected = lines[i].strip()
if not closed:
warnings.append(f" # {varname}: unterminated quoted string — skipped")
else:
# Unquoted value (true, false, $var_ref, number, etc.)
# Strip trailing comment
value = re.sub(r'\s+#.*$', '', rest).strip()
result[varname] = value
i += 1
return result, warnings
def ssh_cat(host, user, port, path, sudo_password=None):
"""Read a file from a remote host via SSH. Returns file content or None."""
ssh_cmd = ["ssh"]
if user:
ssh_cmd += ["-l", user]
if port:
ssh_cmd += ["-p", str(port)]
ssh_cmd += ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10", host]
if sudo_password is not None:
# Use sudo -S to read password from stdin; -p '' suppresses the prompt
ssh_cmd += [f"sudo -S -p '' cat {path}"]
stdin_data = sudo_password + "\n"
else:
ssh_cmd += [f"cat {path}"]
stdin_data = None
try:
result = subprocess.run(
ssh_cmd, input=stdin_data, capture_output=True, text=True, timeout=30
)
if result.returncode != 0:
print(f" WARNING: could not read {path}: {result.stderr.strip()}", file=sys.stderr)
return None
return result.stdout
except subprocess.TimeoutExpired:
print(f" ERROR: SSH timeout reading {path}", file=sys.stderr)
return None
def coerce_bool(value):
"""Convert bash true/false string to Python bool, or return string."""
if value.lower() in ("true", "yes", "1"):
return True
if value.lower() in ("false", "no", "0"):
return False
return value # keep as string (e.g. $standard_ssh_port)
def yaml_value(v):
"""Format a Python value as a YAML-safe string."""
if isinstance(v, bool):
return "true" if v else "false"
if v == "":
return '""'
# Quote if contains special YAML characters
if any(c in str(v) for c in [':', '#', '{', '}', '[', ']', ',', '&', '*', '?', '|', '-', '<', '>', '=', '!', '%', '@', '`', '"', "'"]):
# Use double-quote with escaping
escaped = str(v).replace('\\', '\\\\').replace('"', '\\"')
return f'"{escaped}"'
return str(v)
def build_host_vars(parsed_iface_v4, parsed_iface_v6, parsed_main_v4, parsed_main_v6):
"""
Map parsed bash variables to Ansible fw_* variables.
Returns dict of {ansible_var: value} containing only non-default values.
"""
result = {}
# --- Interfaces: extract lists from numbered vars ---
def extract_list(parsed, prefix, suffix="", count=3):
items = []
for i in range(1, count + 1):
v = parsed.get(f"{prefix}{i}{suffix}", "").strip()
if v:
items.append(v)
return items
fw_ext_interfaces = extract_list(parsed_iface_v4, "ext_if_")
fw_ext_ips_v4 = extract_list(parsed_iface_v4, "ext_", suffix="_ip") # ext_1_ip, ext_2_ip, ext_3_ip
fw_ext_ips_v6 = extract_list(parsed_iface_v6, "ext_", suffix="_ip")
fw_local_interfaces = extract_list(parsed_iface_v4, "local_if_")
fw_local_ips_v4 = extract_list(parsed_iface_v4, "local_", suffix="_ip")
fw_local_ips_v6 = extract_list(parsed_iface_v6, "local_", suffix="_ip")
fw_lxc_guest_ips_v4 = extract_list(parsed_iface_v4, "lxc_guest_", suffix="_ip", count=7)
fw_lxc_guest_ips_v6 = extract_list(parsed_iface_v6, "lxc_guest_", suffix="_ip", count=7)
if fw_ext_interfaces:
result["fw_ext_interfaces"] = fw_ext_interfaces
if fw_ext_ips_v4:
result["fw_ext_ips_v4"] = fw_ext_ips_v4
if fw_ext_ips_v6:
result["fw_ext_ips_v6"] = fw_ext_ips_v6
if fw_local_interfaces:
result["fw_local_interfaces"] = fw_local_interfaces
if fw_local_ips_v4:
result["fw_local_ips_v4"] = fw_local_ips_v4
if fw_local_ips_v6:
result["fw_local_ips_v6"] = fw_local_ips_v6
if fw_lxc_guest_ips_v4:
result["fw_lxc_guest_ips_v4"] = fw_lxc_guest_ips_v4
if fw_lxc_guest_ips_v6:
result["fw_lxc_guest_ips_v6"] = fw_lxc_guest_ips_v6
# vpn_ifs / wg_ifs / nat_devices (same in both interface files)
for bash_var, ansible_var in [("vpn_ifs", "fw_vpn_ifs"), ("wg_ifs", "fw_wg_ifs"), ("nat_devices", "fw_nat_devices")]:
v = parsed_iface_v4.get(bash_var, "")
if v and v != DEFAULTS.get(ansible_var, ""):
result[ansible_var] = v
# --- Shared main variables (read from ipv4) ---
for bash_var, ansible_var in MAIN_SHARED.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv4-only main variables ---
for bash_var, ansible_var in MAIN_V4_ONLY.items():
raw = parsed_main_v4.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
# --- IPv6-only main variables ---
for bash_var, ansible_var in MAIN_V6_ONLY.items():
raw = parsed_main_v6.get(bash_var)
if raw is None:
continue
v = coerce_bool(raw) if raw.lower() in ("true", "false") else raw
default = DEFAULTS.get(ansible_var)
if v != default:
result[ansible_var] = v
return result
def render_yaml(hostname, host_vars, all_warnings):
"""Render the host_vars as YAML text."""
lines = [
"---",
f"# ipt-firewall configuration for {hostname}",
"# Generated by extract-fw-host-vars.py - review before committing!",
"# Place in: host_vars/<hostname>/ipt_firewall.yml",
"",
]
if all_warnings:
lines.append("# WARNINGS — manual review needed:")
for w in all_warnings:
lines.append(w)
lines.append("")
# Group output by section
sections = [
("Network", ["fw_ext_interfaces", "fw_ext_ips_v4", "fw_ext_ips_v6",
"fw_local_interfaces", "fw_local_ips_v4", "fw_local_ips_v6",
"fw_lxc_guest_ips_v4", "fw_lxc_guest_ips_v6",
"fw_vpn_ifs", "fw_wg_ifs", "fw_nat_devices"]),
("Munin", ["munin_remote_ipv4", "munin_remote_ipv6", "fw_munin_local_port",
"fw_munin_server_ips", "fw_forward_munin_server_ips", "fw_munin_remote_port"]),
("Bridged / LXC", ["fw_do_not_firewall_bridged_traffic", "fw_do_not_firewall_lx_guest_systems"]),
("Drop policies", ["fw_drop_icmp", "fw_drop_mndp", "fw_drop_mdns"]),
("Outgoing / interfaces", ["fw_allow_all_outgoing_traffic", "fw_blocked_ifs", "fw_unprotected_ifs"]),
("Forwarding", ["fw_forward_private_ips_v4", "fw_forward_private_ips_v6",
"fw_kernel_activate_forwarding", "fw_kernel_forward_between_interfaces"]),
("Access control IPv4", ["fw_restrict_local_service_to_net_v4", "fw_restrict_local_net_to_net_v4",
"fw_allow_ext_service_v4", "fw_allow_ext_net_v4",
"fw_allow_local_service_v4", "fw_allow_local_service_from_networks_v4"]),
("Access control IPv6", ["fw_restrict_local_service_to_net_v6", "fw_restrict_local_net_to_net_v6",
"fw_allow_ext_service_v6", "fw_allow_ext_net_v6",
"fw_allow_local_service_v6", "fw_allow_local_service_from_networks_v6"]),
("SSH", ["fw_ssh_server_ips", "fw_forward_ssh_server_ips", "fw_ssh_ports"]),
("HTTP", ["fw_http_server_ips", "fw_forward_http_server_ips", "fw_http_ports",
"fw_log_cgi_traffic_out", "fw_cgi_script_users"]),
("Mail", ["fw_smtpd_ips", "fw_forward_smtpd_ips", "fw_smtpd_additional_listen_ports",
"fw_smtpd_additional_outgoing_ports", "fw_mail_server_ips", "fw_forward_mail_server_ips",
"fw_mail_user_ports", "fw_mail_client_ips", "fw_forward_mail_client_ips",
"fw_dovecot_auth_service", "fw_dovecot_auth_port",
"fw_dovecot_auth_allowed_networks_v4", "fw_dovecot_auth_allowed_networks_v6"]),
("DNS", ["fw_dns_server_ips", "fw_forward_dns_server_ips",
"fw_local_resolver_service", "fw_resolver_port",
"fw_resolver_allowed_networks_v4", "fw_resolver_allowed_networks_v6"]),
("NTP", ["fw_local_ntp_service", "fw_ntp_port", "fw_ntp_allowed_net"]),
("DHCP", ["fw_dhcp_server_ifs", "fw_dhcp_client_ifs"]),
("VPN / WireGuard", ["fw_vpn_server_ips", "fw_forward_vpn_server_ips", "fw_vpn_ports",
"fw_wireguard_server_ips", "fw_forward_wireguard_server_ips",
"fw_wireguard_server_ports", "fw_wireguard_out_ports"]),
("FTP", ["fw_ftp_server_ips", "fw_forward_ftp_server_ips", "fw_ftp_passive_port_range"]),
("XMPP", ["fw_xmpp_server_ips", "fw_forward_xmpp_server_ips",
"fw_xmmp_tcp_in_ports", "fw_xmmp_tcp_out_ports",
"fw_xmmp_remote_out_services_v4", "fw_xmmp_remote_out_services_v6"]),
("Mumble", ["fw_mumble_server_ips", "fw_forward_mumble_server_ips", "fw_mumble_ports"]),
("Jitsi", ["fw_jitsi_server_ips", "fw_forward_jitsi_server_ips",
"fw_jitsi_tcp_ports", "fw_jitsi_udp_port_range",
"fw_jitsi_dovecot_auth", "fw_jitsi_dovecot_host",
"fw_jitsi_jibri_remote_auth", "fw_jitsi_jibri_remote_ips",
"fw_jibri_server_ips", "fw_forward_jibri_server_ips", "fw_jibri_remote_jitsi_server"]),
("TURN / STUN", ["fw_nc_turn_server_ips", "fw_forward_nc_turn_server_ips",
"fw_nc_turn_ports", "fw_nc_turn_udp_ports"]),
("Mattermost", ["fw_mm_server_ips", "fw_forward_mm_server_ips"]),
("Prometheus", ["fw_prometheus_local_server_ips", "fw_prometheus_local_client_ips",
"fw_prometheus_remote_server_ips"]),
("Xymon", ["fw_xymon_server_ips", "fw_local_xymon_client", "fw_xymon_port"]),
("Rsync", ["fw_rsync_out_ips", "fw_forward_rsync_out_ips", "fw_rsync_ports"]),
("Out ports", ["fw_tcp_out_ports", "fw_forward_tcp_out_ports",
"fw_udp_out_ports", "fw_forward_udp_out_ports"]),
("Portforwarding", ["fw_portforward_tcp_v4", "fw_portforward_udp_v4",
"fw_portforward_tcp_v6", "fw_portforward_udp_v6"]),
("Block", ["fw_blocked_ips", "fw_block_tcp_ports", "fw_block_udp_ports"]),
("Protection / limits", ["fw_protection_against_syn_flooding",
"fw_protection_against_port_scanning",
"fw_protection_against_ssh_brute_force_attacks",
"fw_limit_connections_per_source_IP", "fw_per_IP_connection_limit",
"fw_limit_new_tcp_connections_per_seconds_per_source_IP",
"fw_limit_new_tcp_connections_per_seconds_ports"]),
("Kernel IPv4", ["fw_kernel_support_dynaddr", "fw_dynaddr_flag",
"fw_kernel_reduce_timeouts", "fw_kernel_tcp_syncookies",
"fw_kernel_protect_against_icmp_bogus_messages",
"fw_kernel_ignore_broadcast_ping",
"fw_kernel_deactivate_source_route", "fw_kernel_dont_accept_redirects",
"fw_kernel_activate_rp_filter", "fw_kernel_log_martians"]),
("Special", ["fw_create_traffic_counter", "fw_create_iperf_rules"]),
]
emitted = set()
for section_name, keys in sections:
section_lines = []
for k in keys:
if k in host_vars:
v = host_vars[k]
if isinstance(v, list):
section_lines.append(f"{k}:")
for item in v:
section_lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
section_lines.append(f"{k}: {'true' if v else 'false'}")
else:
section_lines.append(f"{k}: {yaml_value(str(v))}")
emitted.add(k)
if section_lines:
lines.append(f"# --- {section_name}")
lines.extend(section_lines)
lines.append("")
# Anything not covered by sections
remaining = {k: v for k, v in host_vars.items() if k not in emitted}
if remaining:
lines.append("# --- Other")
for k, v in remaining.items():
if isinstance(v, list):
lines.append(f"{k}:")
for item in v:
lines.append(f" - \"{item}\"")
elif isinstance(v, bool):
lines.append(f"{k}: {'true' if v else 'false'}")
else:
lines.append(f"{k}: {yaml_value(str(v))}")
lines.append("")
return "\n".join(lines)
def main():
parser = argparse.ArgumentParser(description="Extract ipt-firewall host_vars from a remote host")
parser.add_argument("hostname", help="Target hostname (must be in SSH config or known_hosts)")
parser.add_argument("--user", "-u", default="chris", help="SSH user (default: chris)")
parser.add_argument("--port", "-p", type=int, default=None, help="SSH port (default: 22)")
parser.add_argument("--output", "-o", default=None, help="Output file (default: stdout)")
parser.add_argument("--sudo", "-s", action="store_true",
help="Read files via sudo (prompts for sudo password once)")
parser.add_argument("--dry-run", action="store_true", help="Print SSH commands without executing")
args = parser.parse_args()
hostname = args.hostname
conf_dir = "/etc/ipt-firewall"
files = {
"iface_v4": f"{conf_dir}/interfaces_ipv4.conf",
"iface_v6": f"{conf_dir}/interfaces_ipv6.conf",
"main_v4": f"{conf_dir}/main_ipv4.conf",
"main_v6": f"{conf_dir}/main_ipv6.conf",
}
if args.dry_run:
cmd = "sudo -S -p '' cat" if args.sudo else "cat"
for key, path in files.items():
print(f"ssh {args.user}@{hostname} {cmd} {path}")
return
sudo_password = None
if args.sudo:
import getpass
sudo_password = getpass.getpass(f"sudo password for {args.user}@{hostname}: ")
print(f"Connecting to {hostname} as {args.user} ...", file=sys.stderr)
contents = {}
for key, path in files.items():
print(f" Reading {path} ...", file=sys.stderr)
content = ssh_cat(hostname, args.user, args.port, path, sudo_password=sudo_password)
contents[key] = content or ""
all_warnings = []
parsed = {}
for key, text in contents.items():
p, warnings = parse_bash_config(text)
parsed[key] = p
if warnings:
all_warnings.extend([f" # [{key}] {w}" for w in warnings])
host_vars = build_host_vars(
parsed["iface_v4"], parsed["iface_v6"],
parsed["main_v4"], parsed["main_v6"],
)
yaml_text = render_yaml(hostname, host_vars, all_warnings)
if args.output:
out_path = Path(args.output)
out_path.parent.mkdir(parents=True, exist_ok=True)
out_path.write_text(yaml_text)
print(f"Written to {out_path}", file=sys.stderr)
else:
print(yaml_text)
if __name__ == "__main__":
main()
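Review bot: In `parse_bash_config`, a quoted value that spans several lines is truncated to its last line: when the closing `"` is found on a continuation line, `value = collected[:close_pos].strip()` uses only the current line, and the earlier pieces saved in `extra_lines` are never joined in, although the docstring promises they are. For a firewall extractor this silently drops entries from multi-line lists such as `allow_ext_service`, `allow_local_service_from_networks` or `blocked_ips`, so the generated host_vars under- or over-expose the host, and the emitted warning only says "verify manually". Change the assignment to `value = " ".join(extra_lines + [collected[:close_pos]]).strip()` so every piece is kept, and leave the warning in place so the joined list is still reviewed by hand. Separately, `yaml_value` emits scalars like `yes`, `no` or a bare number (e.g. `fw_munin_local_port`) unquoted, where a YAML loader turns them into booleans or ints before they reach the templates; quoting any value that is not an explicit true/false would avoid that.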
@@ -0,0 +1,47 @@
---
# ipt-firewall configuration for test.mx.oopen.de
# Generated by extract-fw-host-vars.py - review before committing!
fw_manage_config: true
# --- Network
fw_ext_interfaces:
- "eth0"
- "eth1"
fw_ext_ips_v4:
- "83.223.85.205"
- "83.223.85.206"
fw_ext_ips_v6:
- "2a01:30:0:505:2eb:f4ff:feaa:d996 2a01:30:0:13:2eb:f4ff:feaa:d996"
- "2a01:30:0:505:2eb:f4ff:feaa:d997 2a01:30:0:13:2eb:f4ff:feaa:d997"
# --- Munin
munin_remote_ipv4: 37.27.121.227
munin_remote_ipv6: "2a01:4f9:3070:2bda::227"
# --- HTTP
fw_http_server_ips: $ext_1_ip $ext_2_ip
# --- Mail
fw_smtpd_ips: $ext_1_ip
fw_mail_server_ips: $ext_1_ip
fw_mail_client_ips: $ext_1_ip $ext_2_ip
fw_dovecot_auth_service: true
fw_dovecot_auth_allowed_networks_v4: 192.68.11.79
# --- Mumble
fw_mumble_server_ips: 138.201.33.54
# --- Jitsi
fw_jitsi_tcp_ports: $standard_jitsi_tcp_ports
fw_jitsi_udp_port_range: $standard_jitsi_udp_port_range
# --- Rsync
fw_rsync_out_ips: $ext_1_ip
# --- Block
fw_blocked_ips: 222.184.0.0/13 61.160.0.0/16 116.8.0.0/14
# --- Other
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
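Review bot: Each `fw_ext_ips_v6` item in this generated sample holds two addresses separated by a space (`"2a01:30:0:505:… 2a01:30:0:13:…"`), so the list has two entries that are each a pair; unless the templates split items on whitespace, the second address of each pair is treated as part of the first, and the extractor should presumably split such values into separate items. `fw_dovecot_auth_allowed_networks_v4: 192.68.11.79` is a public address that looks like it may be a typo for a 192.168.0.0/16 address — worth confirming before this allow rule lands on a mail host. Note also that the file sets `fw_manage_config: true`, which the migration guide in this commit describes as the switch that lets the role overwrite the live config, so if this host is in the inventory the next run is no longer a non-destructive one.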
+5
@@ -0,0 +1,5 @@
---
- hosts: all
roles:
- ipt-server
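Review bot: `hosts: all` binds the firewall role to every inventory host, so one ad-hoc run of this playbook touches the firewall setup of everything in the inventory rather than the hosts being migrated; the commit message says the role also enables and starts the firewall services, so that blast radius is wide even while `fw_manage_config` stays false. Scope it to a group or make the target explicit, e.g. `- hosts: "{{ target_hosts | mandatory }}"`, or at least document in the play that it must be run with `--limit`.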
+199
@@ -0,0 +1,199 @@
# ipt-server — Migrationsleitfaden
Dieser Leitfaden beschreibt, wie ein bestehender Host vom alten Verfahren
(manuell verwaltete `/etc/ipt-firewall/`-Dateien, ggf. `firewall`- oder
`modify-ipt-server`-Rolle) auf die neue `ipt-server`-Ansible-Rolle umgestellt
wird.
---
## Überblick
Das alte Verfahren:
- Firewall-Skripte und Conf-Dateien wurden manuell oder über die alte `firewall`-Rolle
(lineinfile/blockinfile) gepflegt.
- Änderungen direkt in `/etc/ipt-firewall/` auf dem Host.
Das neue Verfahren:
- Alle Firewall-Einstellungen liegen in `host_vars/<hostname>/ipt_firewall.yml`.
- Ansible deployt die Config-Dateien aus Jinja2-Templates.
- Direktes Editieren auf dem Host ist nicht mehr vorgesehen.
Die Migration ist **nicht-destruktiv**: Bestehende Config-Dateien werden erst
dann überschrieben, wenn die Migration explizit freigegeben wird (`fw_manage_config: true`).
---
## Schritt 1 — Aktuelle Konfiguration auslesen
Das Skript `extract-fw-host-vars.py` liest die vier Conf-Dateien vom Host via SSH,
mappt alle Variablen auf die `fw_*`-Ansible-Variablen und schreibt eine fertige
`host_vars`-Datei:
```bash
cd /path/to/ansible/oopen-server
./extract-fw-host-vars.py <hostname> --sudo \
-o host_vars/<hostname>/ipt_firewall.yml
```
Das Skript fragt einmalig nach dem `sudo`-Passwort.
**Ergebnis prüfen:**
```bash
cat host_vars/<hostname>/ipt_firewall.yml
```
Kontrollpunkte:
- Sind `fw_ext_interfaces`, `fw_ext_ips_v4`, `fw_ext_ips_v6` korrekt?
- Sind aktivierte Dienste (Mail, HTTP, VPN usw.) vorhanden?
- Sind `munin_remote_ipv4` / `munin_remote_ipv6` eingetragen (falls Munin läuft)?
Fehlende oder falsche Werte können direkt in der YAML-Datei korrigiert werden.
Alle Variablen und ihre Bedeutung stehen in `defaults/main.yml`.
---
## Schritt 2 — Erste Ausrollung (Safety-Guard aktiv)
Solange `fw_manage_config` nicht auf `true` gesetzt ist (Default: `false`),
überschreibt Ansible **keine** bestehenden Config-Dateien. Es werden nur
installiert:
- Firewall-Skripte → `/usr/local/sbin/`
- Geteilte Conf-Dateien → `/etc/ipt-firewall/`
- Systemd-Units → `/etc/systemd/system/`
```bash
# Vorschau:
ansible-playbook ipt-server.yml --limit <hostname> --check --diff
# Ausrollen:
ansible-playbook ipt-server.yml --limit <hostname>
```
Die Firewall wird dabei **nicht neu gestartet** — die bestehenden Config-Dateien
bleiben unangetastet.
---
## Schritt 3 — Verifizieren: sind die Rules identisch?
Dieser Schritt prüft, ob ein Neustart der Firewall mit den neuen Skripten und
den bestehenden Config-Dateien exakt dieselben iptables-Rules erzeugt wie aktuell
geladen.
```bash
ssh <hostname> '
# Aktuellen Stand einfrieren (Timestamps und Zähler normalisieren)
iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v4.rules
ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_before_v6.rules
# Firewall neu starten
systemctl restart ipt-firewall
systemctl restart ip6t-firewall
# Neuen Stand einfrieren
iptables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v4.rules
ip6tables-save | grep -v "^#" | sed "s/\[[0-9]*:[0-9]*\]/[0:0]/g" \
> /tmp/fw_after_v6.rules
# Vergleichen
echo "=== IPv4 diff ==="
diff /tmp/fw_before_v4.rules /tmp/fw_after_v4.rules
echo "=== IPv6 diff ==="
diff /tmp/fw_before_v6.rules /tmp/fw_after_v6.rules
'
```
**Erwartetes Ergebnis:** Beide Diffs sind leer.
Falls Unterschiede erscheinen: die abweichenden Rules identifizieren, die
entsprechenden Variablen in `host_vars/<hostname>/ipt_firewall.yml` nachpflegen
und den Diff wiederholen bevor weitergemacht wird.
---
## Schritt 4 — Ansible als autoritative Quelle freischalten
Erst wenn Schritt 3 erfolgreich war (leere Diffs), wird die Migration abgeschlossen.
Dazu `fw_manage_config: true` in der host_vars-Datei setzen:
```yaml
# host_vars/<hostname>/ipt_firewall.yml
---
fw_manage_config: true # ← hinzufügen / auf true setzen
fw_ext_interfaces:
- "eth0"
# ...
```
Dann erneut ausrollen:
```bash
# Vorschau — zeigt jetzt auch die Config-Dateien im Diff:
ansible-playbook ipt-server.yml --limit <hostname> --check --diff
# Anwenden:
ansible-playbook ipt-server.yml --limit <hostname>
```
Ab jetzt:
- Ansible überschreibt die vier Config-Dateien bei jedem Run aus den Templates.
- Bei Änderungen an Templates oder host_vars wird die Firewall automatisch
neu gestartet.
- Direktes Editieren von `/etc/ipt-firewall/interfaces_*.conf` oder `main_*.conf`
auf dem Host wird beim nächsten Ansible-Run überschrieben.
---
## Schritt 5 — Altes System deaktivieren
### Altes Ansible-Vorgehen abschalten
Sicherstellen, dass der Host nicht mehr durch die alte `firewall`-Rolle oder
`modify-ipt-server`-Rolle verwaltet wird. Falls der Host in einem Playbook
eingetragen ist, das diese Rollen verwendet, den Host dort entfernen oder das
Playbook anpassen.
### Altes git-Repository auf dem Host entfernen (optional)
Das Repository `/usr/local/src/ipt-server` wird von der neuen Rolle nicht mehr
benötigt. Es kann entfernt werden:
```bash
ssh <hostname> 'rm -rf /usr/local/src/ipt-server'
```
Vorher prüfen, ob das Verzeichnis noch anderweitig verwendet wird.
### Sicherstellen, dass niemand mehr direkt editiert
Da `fw_manage_config: true` gesetzt ist, werden direkte Änderungen in
`/etc/ipt-firewall/` beim nächsten Ansible-Run überschrieben. Als zusätzliche
Absicherung kann eine kurze Warnung oben in die Config-Dateien geschrieben
werden — das erledigt Ansible automatisch über den `{{ ansible_managed }}`-Kommentar
am Anfang jedes generierten Templates:
```bash
# Ansible managed
# DO NOT EDIT - changes will be overwritten on the next Ansible run.
# Edit host_vars/<hostname>/ipt_firewall.yml instead.
```
---
## Zusammenfassung
| Schritt | Befehl / Aktion | Wann |
|---|---|---|
| 1 | `extract-fw-host-vars.py` ausführen | Einmalig pro Host |
| 2 | `ansible-playbook ... --check --diff` + ausrollen | Einmalig pro Host |
| 3 | iptables-Rules vergleichen (vor/nach Restart) | Einmalig pro Host |
| 4 | `fw_manage_config: true` setzen + ausrollen | Einmalig pro Host |
| 5 | Alte Rolle deaktivieren, git-Repo auf Host entfernen | Einmalig pro Host |
| — | Änderungen: host_vars editieren + `ansible-playbook` | Ab jetzt immer so |
+204
@@ -0,0 +1,204 @@
# ipt-server — Ansible Role
Verwaltet die iptables/ip6tables-basierte Firewall (`ipt-firewall-server` /
`ip6t-firewall-server`) auf Debian-Hosts.
Die Rolle ist die **einzige** autorisierte Stelle für Firewall-Änderungen. Direkte
Edits in `/etc/ipt-firewall/` auf dem Host werden beim nächsten Ansible-Run
überschrieben, sobald `fw_manage_config: true` gesetzt ist.
---
## Verzeichnisstruktur
```
roles/ipt-server/
├── defaults/main.yml # Alle Variablen mit Defaults
├── files/
│ ├── etc/ipt-firewall/ # Geteilte Conf-Dateien (nicht host-spezifisch)
│ │ ├── default_settings.conf
│ │ ├── include_functions.conf
│ │ ├── logging_ipv4.conf
│ │ ├── logging_ipv6.conf
│ │ ├── post_declarations.conf
│ │ ├── ban_ipv4.list.sample
│ │ └── ban_ipv6.list.sample
│ ├── etc/systemd/system/
│ │ ├── ipt-firewall.service
│ │ └── ip6t-firewall.service
│ └── usr/local/sbin/
│ ├── ipt-firewall-server # IPv4-Firewall-Skript
│ └── ip6t-firewall-server # IPv6-Firewall-Skript
├── handlers/main.yml
├── tasks/main.yml
└── templates/
└── etc/ipt-firewall/
├── interfaces_ipv4.conf.j2 # Host-spezifisch: Interfaces + IPs
├── interfaces_ipv6.conf.j2
├── main_ipv4.conf.j2 # Host-spezifisch: Dienste, Regeln
└── main_ipv6.conf.j2
```
Host-spezifische Konfiguration liegt ausschließlich in:
```
host_vars/<hostname>/ipt_firewall.yml
```
---
## Neuen Host aufnehmen
### Voraussetzungen
- Host ist im Ansible-Inventory (`hosts`) eingetragen.
- SSH-Zugang mit `sudo`-Rechten ist vorhanden.
- `git` ist auf dem Host installiert (wird für keinen anderen Zweck gebraucht —
die Rolle selbst benötigt kein git auf dem Host).
### Schritt 1 — host_vars anlegen
```bash
cd /path/to/ansible/oopen-server
# Interfaces und IPs von Hand in die Datei eintragen:
mkdir -p host_vars/<hostname>
cat > host_vars/<hostname>/ipt_firewall.yml << 'EOF'
---
fw_manage_config: true
# --- Netzwerk
fw_ext_interfaces:
- "eth0"
fw_ext_ips_v4:
- "1.2.3.4"
fw_ext_ips_v6:
- "2001:db8::1"
EOF
```
Alle weiteren Variablen sind optional — sie greifen auf die Defaults in
`defaults/main.yml` zurück. Nur abweichende Werte müssen gesetzt werden.
Für eine vollständige Variablenreferenz: `defaults/main.yml`.
### Schritt 2 — Dry-run
```bash
ansible-playbook ipt-server.yml --limit <hostname> --check --diff
```
Der Diff zeigt genau, welche Dateien angelegt und welche Config-Werte gesetzt
werden. Prüfen, ob Interfaces, IPs und Dienste stimmen.
### Schritt 3 — Scharf stellen
```bash
ansible-playbook ipt-server.yml --limit <hostname>
```
Was passiert:
- Firewall-Skripte werden nach `/usr/local/sbin/` kopiert.
- Geteilte Conf-Dateien werden nach `/etc/ipt-firewall/` kopiert.
- Systemd-Units werden installiert, Dienste werden aktiviert und gestartet.
- Config-Dateien (`interfaces_*.conf`, `main_*.conf`) werden aus den Templates
erzeugt und die Firewall wird gestartet.
---
## Konfiguration ändern
Alle Änderungen erfolgen ausschließlich in der host_vars-Datei des Hosts:
```
host_vars/<hostname>/ipt_firewall.yml
```
Danach:
```bash
# Vorschau:
ansible-playbook ipt-server.yml --limit <hostname> --check --diff
# Anwenden (ändert Config, startet Firewall bei Änderungen neu):
ansible-playbook ipt-server.yml --limit <hostname>
```
Ansible erkennt automatisch, ob sich eine Config-Datei geändert hat. Nur bei
tatsächlichen Änderungen wird die Firewall neu gestartet.
### Beispiel: HTTP-Server aktivieren
```yaml
# host_vars/<hostname>/ipt_firewall.yml
fw_http_server_ips: "$ext_ips" # oder konkrete IP
```
### Beispiel: SSH auf bestimmten Port einschränken
```yaml
fw_ssh_ports: "2222"
```
### Beispiel: LXC-Gäste eintragen
```yaml
fw_lxc_guest_ips_v4:
- "10.0.3.10"
- "10.0.3.11"
fw_lxc_guest_ips_v6:
- "fd00::10"
- "fd00::11"
```
---
## Firewall-Skripte aktualisieren
Wenn `ipt-firewall-server` oder `ip6t-firewall-server` im `ipt-server`-Repository
aktualisiert werden, müssen die neuen Versionen manuell in die Rolle übernommen
werden:
```bash
SRC=/path/to/ipt-server
DST=roles/ipt-server/files/usr/local/sbin
cp $SRC/ipt-firewall-server $DST/
cp $SRC/ip6t-firewall-server $DST/
chmod 750 $DST/ipt-firewall-server $DST/ip6t-firewall-server
```
Ebenso für geteilte Conf-Dateien in `roles/ipt-server/files/etc/ipt-firewall/`.
Nach dem Commit werden die neuen Skripte beim nächsten Ansible-Run auf alle
Hosts deployed.
---
## Wichtige Variablen
| Variable | Default | Bedeutung |
|---|---|---|
| `fw_manage_config` | `false` | `true` = Ansible verwaltet Config-Dateien vollständig |
| `fw_ext_interfaces` | `[]` | Externe Netzwerk-Interfaces, z.B. `["eth0"]` |
| `fw_ext_ips_v4` | `[]` | Externe IPv4-Adressen |
| `fw_ext_ips_v6` | `[]` | Externe IPv6-Adressen |
| `fw_ssh_server_ips` | `"$ext_ips"` | IPs auf denen SSH erlaubt ist |
| `fw_ssh_ports` | `"$standard_ssh_port"` | SSH-Port(s) |
| `fw_http_server_ips` | `""` | IPs auf denen HTTP/HTTPS erlaubt ist |
| `munin_remote_ipv4` | `""` | Munin-Server IPv4 |
| `munin_remote_ipv6` | `""` | Munin-Server IPv6 |
Alle Variablen mit Beschreibung und Defaults: `defaults/main.yml`.
Variablen die mit `$` beginnen (z.B. `$ext_ips`, `$standard_ssh_port`) sind
Bash-Variablen — sie werden nicht von Ansible aufgelöst, sondern zur Laufzeit
vom Firewall-Skript expandiert.
---
## Ban-Listen
`/etc/ipt-firewall/ban_ipv4.list` und `ban_ipv6.list` werden beim ersten
Ausrollen aus den Beispiel-Dateien der Rolle erzeugt und danach **nicht mehr
durch Ansible angefasst** — sie können auf dem Host direkt bearbeitet werden.
+376
@@ -0,0 +1,376 @@
---
# ---
# ipt-firewall role defaults
# Override per host in host_vars/<hostname>/ipt_firewall.yml
# ---
# ---
# Config management mode.
# false (default): config files are only deployed when absent (safe for unmanaged hosts).
# true: Ansible is authoritative — config is always written from templates and
# the firewall is restarted on any change. Set this after migrating a host.
# ---
fw_manage_config: false
# ---
# Network interfaces and addresses (set per host in host_vars)
# ---
fw_ext_interfaces: [] # e.g. ["eth0"]
fw_ext_ips_v4: [] # e.g. ["83.223.86.98"]
fw_ext_ips_v6: [] # e.g. ["2a01:30:0:13:211:84ff:feb7:7f9c"]
fw_local_interfaces: []
fw_local_ips_v4: []
fw_local_ips_v6: []
fw_vpn_ifs: "tun+"
fw_wg_ifs: "wg+"
fw_lxc_guest_ips_v4: []
fw_lxc_guest_ips_v6: []
fw_nat_devices: ""
# ---
# Munin monitoring (often set in group_vars or role defaults)
# ---
munin_remote_ipv4: ""
munin_remote_ipv6: ""
# ---
# Bridged / LXC traffic
# ---
fw_do_not_firewall_bridged_traffic: false
fw_do_not_firewall_lx_guest_systems: false
# ---
# Drop policies
# ---
fw_drop_icmp: false
fw_drop_mndp: true
fw_drop_mdns: true
# ---
# Outgoing / interface policy
# ---
fw_allow_all_outgoing_traffic: false
fw_blocked_ifs: ""
fw_unprotected_ifs: ""
# ---
# Forwarding (protocol-specific addresses)
# ---
fw_forward_private_ips_v4: ""
fw_forward_private_ips_v6: ""
# ---
# Access control (protocol-specific: IPv4 uses ':', IPv6 uses ',')
# ---
fw_restrict_local_service_to_net_v4: ""
fw_restrict_local_service_to_net_v6: ""
fw_restrict_local_net_to_net_v4: ""
fw_restrict_local_net_to_net_v6: ""
fw_allow_ext_service_v4: ""
fw_allow_ext_service_v6: ""
fw_allow_ext_net_v4: ""
fw_allow_ext_net_v6: ""
fw_allow_local_service_v4: ""
fw_allow_local_service_v6: ""
fw_allow_local_service_from_networks_v4: ""
fw_allow_local_service_from_networks_v6: ""
# ---
# Services: VPN / WireGuard
# ---
fw_vpn_server_ips: ""
fw_forward_vpn_server_ips: ""
fw_vpn_ports: "$standard_vpn_port"
fw_wireguard_server_ips: ""
fw_forward_wireguard_server_ips: ""
fw_wireguard_server_ports: "$standard_wireguard_port"
fw_wireguard_out_ports: "$standard_wireguard_port"
# ---
# Services: NTP
# ---
fw_local_ntp_service: false
fw_ntp_port: "$standard_ntp_port"
fw_ntp_allowed_net: ""
# ---
# Services: DHCP (IPv4 only)
# ---
fw_dhcp_server_ifs: ""
fw_dhcp_client_ifs: ""
# ---
# Services: DNS
# ---
fw_dns_server_ips: ""
fw_forward_dns_server_ips: ""
fw_local_resolver_service: false
fw_resolver_port: "$standard_dns_port"
fw_resolver_allowed_networks_v4: ""
fw_resolver_allowed_networks_v6: ""
# ---
# Services: SSH
# Uses $ext_ips by default so SSH is always reachable via all external IPs.
# Override in host_vars to restrict to specific IPs.
# ---
fw_ssh_server_ips: "$ext_ips"
fw_forward_ssh_server_ips: ""
fw_ssh_ports: "$standard_ssh_port"
# ---
# Services: HTTP(S)
# ---
fw_http_server_ips: ""
fw_forward_http_server_ips: ""
fw_http_ports: "$standard_http_ports"
fw_log_cgi_traffic_out: false
fw_cgi_script_users: ""
# ---
# Services: Mattermost
# ---
fw_mm_server_ips: ""
fw_forward_mm_server_ips: ""
fw_mm_udp_ports_in: "$stansard_mattermost_udp_ports_in"
fw_mm_udp_ports_out: "$stansard_mattermost_udp_ports_out"
# ---
# Services: Mail
# ---
fw_smtpd_ips: ""
fw_forward_smtpd_ips: ""
fw_smtpd_additional_listen_ports: ""
fw_smtpd_additional_outgoing_ports: ""
fw_mail_server_ips: ""
fw_forward_mail_server_ips: ""
fw_mail_user_ports: "$standard_mailuser_ports"
fw_mail_client_ips: ""
fw_forward_mail_client_ips: ""
fw_dovecot_auth_service: false
fw_dovecot_auth_port: "$dovecot_external_auth_port"
fw_dovecot_auth_allowed_networks_v4: ""
fw_dovecot_auth_allowed_networks_v6: ""
# ---
# Services: FTP
# ---
fw_ftp_server_ips: ""
fw_forward_ftp_server_ips: ""
fw_ftp_passive_port_range: "50000:50400"
# ---
# Services: XMPP (Jabber / Prosody)
# ---
fw_xmpp_server_ips: ""
fw_forward_xmpp_server_ips: ""
fw_xmmp_tcp_in_ports: "5222 5223 5269"
fw_xmmp_tcp_out_ports: "5269"
fw_xmmp_remote_out_services_v4: ""
fw_xmmp_remote_out_services_v6: ""
# ---
# Services: Mumble
# ---
fw_mumble_server_ips: ""
fw_forward_mumble_server_ips: ""
fw_mumble_ports: "$standard_mumble_port"
# ---
# Services: Jitsi / Jibri
# ---
fw_jitsi_server_ips: ""
fw_forward_jitsi_server_ips: ""
fw_jitsi_tcp_ports: "$standard_jitsi_tcp_ports"
fw_jitsi_udp_port_range: "$standard_jitsi_udp_port_range"
fw_jitsi_tcp_ports_out: "$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_udp_ports_out: "$standard_http_ports,$standard_turn_service_ports,4443,4444,4445,4446"
fw_jitsi_dovecot_auth: false
fw_jitsi_dovecot_host: ""
fw_jitsi_dovecot_port: "$default_jitsi_dovecout_auth_port"
fw_jitsi_jibri_remote_auth: false
fw_jitsi_jibri_remote_ips: ""
fw_jitsi_jibri_remote_auth_port: "$default_jibri_out_port"
fw_jibri_server_ips: ""
fw_forward_jibri_server_ips: ""
fw_jibri_remote_jitsi_server: ""
fw_jibri_remote_auth_port: "$default_jibri_out_port"
# ---
# Services: TURN / STUN (Nextcloud Talk)
# ---
fw_nc_turn_server_ips: ""
fw_forward_nc_turn_server_ips: ""
fw_nc_turn_ports: "$standard_turn_service_ports"
fw_nc_turn_udp_ports: "$standard_turn_service_udp_ports"
# ---
# Services: TFTP
# ---
fw_tftp_server_ips: ""
# ---
# Services: Prometheus
# ---
fw_prometheus_local_server_ips: ""
fw_prometheus_remote_client_ports: "$standard_prometheus_ports"
fw_prometheus_local_client_ips: ""
fw_prometheus_local_client_ports: "$standard_prometheus_ports"
fw_prometheus_remote_server_ips: ""
# ---
# Services: Munin
# ---
fw_munin_server_ips: ""
fw_forward_munin_server_ips: ""
fw_munin_remote_port: "$standard_munin_port"
fw_munin_local_port: "4949"
# ---
# Services: Xymon
# ---
fw_xymon_server_ips: ""
fw_local_xymon_client: false
fw_xymon_port: "$standard_xymon_port"
# ---
# Protocols out: Rsync
# ---
fw_rsync_out_ips: ""
fw_forward_rsync_out_ips: ""
fw_rsync_ports: "873"
# ---
# Special ports (OUT)
# ---
fw_tcp_out_ports: ""
fw_forward_tcp_out_ports: ""
fw_udp_out_ports: ""
fw_forward_udp_out_ports: ""
# ---
# Portforwarding (protocol-specific formats)
# IPv4: "<device>:<src-ip>:<port-in>:<ip-fwd>:<port-out>"
# IPv6: "<device>,<src-ip>,<port-in>,<ip-fwd>,<port-out>"
# ---
fw_portforward_tcp_v4: ""
fw_portforward_udp_v4: ""
fw_portforward_tcp_v6: ""
fw_portforward_udp_v6: ""
# ---
# Blocked IPs / ports
# ---
fw_blocked_ips: ""
fw_block_tcp_ports: "111 113 135 137:139 445"
fw_block_udp_ports: "111 137:139"
# ---
# Special / counters
# ---
fw_create_traffic_counter: true
fw_create_iperf_rules: true
# ---
# Protection
# ---
fw_protection_against_syn_flooding: true
fw_protection_against_port_scanning: true
fw_protection_against_ssh_brute_force_attacks: true
# ---
# Connection limits
# ---
fw_limit_connections_per_source_IP: true
fw_per_IP_connection_limit: "$default_per_IP_connection_limit"
fw_limit_new_tcp_connections_per_seconds_per_source_IP: true
fw_limit_new_tcp_connections_per_seconds_ports: ""
# ---
# Kernel parameters — IPv4
# ---
fw_kernel_activate_forwarding: false
fw_kernel_support_dynaddr: false
fw_dynaddr_flag: "5"
fw_kernel_reduce_timeouts: true
fw_kernel_tcp_syncookies: true
fw_kernel_protect_against_icmp_bogus_messages: true
fw_kernel_ignore_broadcast_ping: true
fw_kernel_deactivate_source_route: true
fw_kernel_dont_accept_redirects: true
fw_kernel_activate_rp_filter: true
fw_kernel_log_martians: false
# ---
# Kernel parameters — IPv6
# ---
fw_kernel_forward_between_interfaces: false
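Review bot: `fw_ssh_server_ips: "$ext_ips"` is what keeps SSH reachable, yet `fw_ext_interfaces` and `fw_ext_ips_v4` default to empty lists, so a host rolled out without host_vars renders a config in which `$ext_ips` is empty; whether the scripts then lock SSH out depends on the templates and firewall scripts, which are not in this section, but the defaults file should say the two lists are mandatory rather than "set per host". A cheap guard is an `assert` task in `tasks/main.yml` on `fw_ext_interfaces | length > 0 and fw_ext_ips_v4 | length > 0` when `fw_manage_config` is true. Note also that `$stansard_mattermost_udp_ports_in`, `$stansard_mattermost_udp_ports_out` and `$default_jitsi_dovecout_auth_port` deliberately carry the misspellings of `default_settings.conf`; a comment such as `# NOTE: must match the (misspelled) variable names in default_settings.conf` would stop someone from "fixing" one side and silently emptying the port list.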
@@ -0,0 +1,36 @@
# - IPv4 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)
# - partial IPv4 addresses like 1.2.3 (will be converted to 1.2.3.0/24)
# - network/nn CIDR notation like 1.2.3.0/27
# - network/netmask notaions like 1.2.3.0/255.255.255.0
# - network/partial_netmask like 1.2.3.4/255
# -
# - Note:
# - - wrong addresses like 1.2.3.256 or 1.2.3.4/33 will be ignored
# -
# - Example:
# - 79.171.81.0/24
# - 79.171.81.0/255.255.255.0
# - 79.171.81.0/255.255.255
# - 79.171.81
# CHINANET-JS
222.184.0.0/13
61.160.0.0/16
# CHINANET-GX
116.8.0.0/14
# BAIDU-HK - Hong Kong
103.235.44.0/22
# UNICOM-HE - China Unicom Hebei province network
110.240.0.0/12
# CMNET - China Mobile Communications Corporation
39.128.0.0/10
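Review bot: This sample ships six live CHINANET/UNICOM/CMNET ranges, and per the role README the sample is copied to `/etc/ipt-firewall/ban_ipv4.list` on first deploy and never touched again, so every newly onboarded host silently bans these networks without the operator ever opting in. Either ship the sample with the entries commented out, or document the default ban set prominently in the role README. The header line `complete IPv4 adresses like 1.2.3.4 (will be converted to 1.2.3.0/32)` also names a different address than the one given; from the surrounding examples it should read `1.2.3.4/32`. The parser that applies these entries is not part of this commit, so the conversion behaviour itself could not be checked here.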
@@ -0,0 +1,20 @@
# - IPv6 addresses listet here will be completly banned by the firewall
# -
# - - Line beginning with '#' will be ignored.
# - - Blank lines will be ignored
# - - Only the first entry (until space sign or end of line) of each line will be considered.
# -
# - Valid values are:
# - complete IPv6 adresses like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c
# - network/nn CIDR notation like 240e:1ec0:4ab1:feba:e8b4:4fb1:7984:4c/56
# -
# -
# - Note:
# - - If no mask is given mask will be set to '64'
# - - wrong addresses like '2g01::1' or '2a01::1/129' will be ignored
# -
# - Example:
# - 240e:ec:4ab1:feba:e8b4:4fb1:7984:4c
# - 2a01:30:0:13:5054:ff::1
# - 2a01:30:0:13:5054:ff::1/56
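Review bot: The note `If no mask is given mask will be set to '64'` means a bare address such as `240e:ec:4ab1:feba:e8b4:4fb1:7984:4c` bans an entire /64 — usually a whole customer allocation — whereas a bare IPv4 address in the sibling list bans a single host (/32). That asymmetry is easy to miss when an operator copies an address out of a log. Consider defaulting a full address to /128, or at least spell out the consequence in the header: `# - Note: a bare address bans its whole /64; append /128 to ban a single host`. The parser is not part of this commit, so only the documented behaviour is reviewed here.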
@@ -0,0 +1,157 @@
#!/usr/bin/env bash
# -------------
# --- Default Parameter / Options
# -------------
default_per_IP_connection_limit=111
# -------------
# --- Default Ports for Services out
# -------------
standard_checkmk_port=6556
standard_cpan_wait_port=1404
standard_dns_port=53
standard_ftp_port=21
standard_ftp_data_port=20
standard_git_port=9418
standard_hbci_port=3000
standard_http_port=80
standard_https_port=443
standard_ident_port=113
standard_ipp_port=631
standard_cups_port=$standard_ipp_port
standard_irc_port=6667
standard_jabber_port=5222
standard_ldap_port=389
standard_ldaps_port=636
standard_mdns_port=5353
standard_mndp_port=5678
standard_mumble_port=64738
standard_munin_port=4949
standard_mysql_port=3306
standard_ntp_port=123
standard_pgp_keyserver_port=11371
standard_print_port=9100
standard_print_raw_port=515
standard_remote_console_port=5900
standard_silc_port=706
standard_smtp_port=25
standard_snmp_port=161
standard_snmp_trap_port=162
standard_ssh_port=22
standard_telnet_port=23
standard_tftp_udp_port=69
standard_timeserver_port=37
standard_vpn_port=1194
standard_wireguard_port=51820
standard_whois_port=43
standard_xymon_port=1984
# - Prometheus services
# -
standard_prometheus_ports="9100,9256"
# - Mattermost (MM) Service
# -
stansard_mattermost_udp_ports_in="8443"
stansard_mattermost_udp_ports_out="3478"
# - IPsec - Internet Security Association and
# - Key Management Protocol
standard_isakmp_port=500
standard_ipsec_nat_t=4500
# - Comma separated lists
# -
standard_http_ports="80,443"
standard_mailuser_ports="587,465,110,995,143,993"
# - Dovecot Service
# -
dovecot_external_auth_port="44444"
# - Jitsi Video Conference Service
# -
standard_jitsi_tcp_ports="$standard_http_ports"
standard_jitsi_udp_port_range="10000:20000"
default_jitsi_dovecout_auth_port="$dovecot_external_auth_port"
# - Jibri Service
# -
default_jibri_out_port=5222
# default_outbound_streaming_tcp_ports
#
# - outbound port 1935/TCP : outbound streaming over RTMP to most
# streaming providers such as YouTube Live, Vimeo or Twitch
#
# - outbound port 1936/TCP : outbound streaming over RTMP to LinkedIn
# Live (port 1935 is also used for RTMP streaming to LinkedIn)
#
# - outbound ports 2935/TCP and 2396/TCP : outbound streaming over
# RTMPS to LinkedIn Live
#
# - outbound port 443/TCP (HTTPS) : used for authentication with the
# built-in providers such as YouTube Live, Facebook Live, Ustream,
# Livestream, and Twitch
#
# - outbound port 53/UDP (DNS) used for DNS lookups converting
# hostnames to IP addresses
#
default_outbound_streaming_tcp_ports="1935,1936,2935,2396"
# - TURN Server (Stun Server) (for Nextcloud 'talk' app)
# -
standard_turn_service_ports="3478:3479,5349:5350"
standard_turn_service_udp_ports="49152:65535"
# -------------
# --- Predefined Ports
# -------------
# - unpriviligierte Ports
# -
unprivports="1024:65535"
# -------------
# --- Some IPv4-Address Configuration
# -------------
# - Loopback
loopback_ipv4="127.0.0.0/8"
# - Private Networks
priv_class_a="10.0.0.0/8"
priv_class_b="172.16.0.0/12"
priv_class_c="192.168.0.0/16"
link_local_rfc_5735="169.254.0.0/16"
test_net_1_rfc_5735="192.0.2.0/24"
this_net_rfc_5735="0.0.0.0/8"
# - Multicast Addresse
class_d_multicast="224.0.0.0/3"
# Reserved Addresse
class_e_reserved="240.0.0.0/5"
# -------------
# --- Some IPv6-Address Configuration
# -------------
# unique local address (ULA) - private address block
ula_block="fc00::/7"
link_local_unicast_block="fe80::/10"
multicast_ipv6="ff00::/8"
# - Loopback
loopback_ipv6="::1/128"
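Review bot: `class_d_multicast="224.0.0.0/3"` and `class_e_reserved="240.0.0.0/5"` both carry wrong prefix lengths: IPv4 multicast is 224.0.0.0/4 (224.0.0.0–239.255.255.255), and /3 spans 224.0.0.0–255.255.255.255, which also swallows class E and the limited-broadcast address 255.255.255.255; class E is 240.0.0.0/4, and /5 stops at 247.255.255.255. How the firewall scripts use these ranges is not visible in this section, but as anti-spoof or drop ranges they should be `class_d_multicast="224.0.0.0/4"` and `class_e_reserved="240.0.0.0/4"`. The misspelled `stansard_mattermost_udp_ports_*` names are referenced verbatim from the role defaults, so if they are ever renamed both sides must change in the same commit.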
@@ -0,0 +1,268 @@
#!/usr/bin/env bash
# - Set firewall command (either iptables or ip6tables)
#
if [[ -x "${ip6t}" ]] ; then
fw_command="${ip6t}"
elif [[ -x "${ipt}" ]] ; then
fw_command="${ipt}"
fi
# -------------
# --- Some functions
# -------------
echononl(){
echo X\\c > /tmp/shprompt$$
if [ `wc -c /tmp/shprompt$$ | awk '{print $1}'` -eq 1 ]; then
echo -e -n "$*\\c" 1>&2
else
echo -e -n "$*" 1>&2
fi
rm /tmp/shprompt$$
}
echo_done() {
echo -e "\033[75G[ \033[32mdone\033[m ]"
}
echo_ok() {
echo -e "\033[75G[ \033[32mok\033[m ]"
}
echo_warning() {
echo -e "\033[75G[ \033[33m\033[1mwarn\033[m ]"
}
echo_failed(){
echo -e "\033[75G[ \033[1;31mfailed\033[m ]"
}
echo_skipped() {
echo -e "\033[75G[ \033[33m\033[1mskipped\033[m ]"
}
fatal (){
echo ""
echo -e "fatal Error: $*"
echo ""
echo -e "\t\033[31m\033[1mScript will be interrupted..\033[m\033[m"
echo ""
exit 1
}
error(){
echo ""
echo -e "\t[ \033[31m\033[1mFehler\033[m ]: $*"
echo ""
}
warn (){
echo ""
echo -e "\t[ \033[33m\033[1mWarning\033[m ]: $*"
echo ""
}
info (){
echo ""
echo -e "\t[ \033[32m\033[1mInfo\033[m ]: $*"
echo ""
}
## - Check if a given array (parameter 2) contains a given string (parameter 1)
## -
containsElement () {
local e
for e in "${@:2}"; do [[ "$e" == "$1" ]] && return 0; done
return 1
}
is_number() {
return $(test ! -z "${1##*[!0-9]*}" > /dev/null 2>&1);
# - also possible
# -
#[[ ! -z "${1##*[!0-9]*}" ]] && return 0 || return 1
#return $([[ ! -z "${1##*[!0-9]*}" ]])
}
trim() {
local var="$*"
var="${var#"${var%%[![:space:]]*}"}" # remove leading whitespace characters
var="${var%"${var##*[![:space:]]}"}" # remove trailing whitespace characters
echo -n "$var"
}
is_container() {
command -v systemd-detect-virt >/dev/null 2>&1 && systemd-detect-virt --container >/dev/null 2>&1
}
# -------------
# - IPv6 handling
# -------------
ENABLE_IPV6="auto" # auto | yes | no
IPV6_ACTIVE=0
ipv6_sysctl_enabled() {
sysctl -n net.ipv6.conf.all.disable_ipv6 2>/dev/null | grep -qx 0
}
has_ipv6_addr() {
ip -6 addr show scope global 2>/dev/null | grep -q "inet6"
}
detect_ipv6() {
case "$ENABLE_IPV6" in
yes) return 0 ;;
no) return 1 ;;
auto) ipv6_sysctl_enabled ;;
*) return 1 ;;
esac
}
# -------------
# - Network Device Stuff
# -------------
# get virtual ethernet interfaces and the master of the given bridge
#
get_vth_ports() {
local br="$1"
# lists virtual interfaces (veth*)) and the master interface of the given bridge
ip -o link show master "$br" 2>/dev/null | awk -F': ' '{print $2}'
}
# -------------
# - Fail2ban
# -------------
FAIL2BAN_CONFIG_FILE="/etc/fail2ban/jail.local"
FAIL2BAN_WAS_RUNNING=false
fail2ban_client="$(command -v fail2ban-client 2>/dev/null)"
has_fail2ban() {
command -v fail2ban-client >/dev/null 2>&1
}
fail2ban_running() {
systemctl is-active --quiet fail2ban >/dev/null 2>&1
}
# -------------
# - Debian 12/13 compatibility helpers (best effort)
# -------------
ensure_mod() {
# ---
# Load a kernel module if possible (no hard failure).
# NOTE: In containers module loading is not possible; modules must be loaded on the host.
# ---
local m="$1"
# Already loaded?
if lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$m" ; then
return 0
fi
# Skip in containers/guests without module loading capability
#
is_container && return 0
# Best effort modprobe
/sbin/modprobe "$m" >/dev/null 2>&1 || warn "Loading module '$m' failed (ok if not needed on this host)."
}
# --- Feature detection helpers (Debian 12/13 + containers)
module_loaded() {
lsmod 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}
can_use_recent() {
# xt_recent is the kernel module behind "-m recent"
# In containers lsmod may be restricted; also accept presence of /proc/net/xt_recent.
module_loaded xt_recent && return 0
[ -d /proc/net/xt_recent ] && return 0
# As a last resort, ask iptables to parse the match (works if userspace has it)
"$ipt" -m recent -h >/dev/null 2>&1 && return 0
return 1
}
can_use_hashlimit() {
# xt_hashlimit is the kernel module behind "-m hashlimit"
module_loaded xt_hashlimit && return 0
[ -d /proc/net/xt_hashlimit ] && return 0
"${fw_command}" -m hashlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_connlimit() {
# xt_connlimit is the kernel module behind "-m connlimit"
module_loaded xt_connlimit && return 0
"${fw_command}" -m connlimit -h >/dev/null 2>&1 && return 0
return 1
}
can_use_owner() {
# xt_owner is the kernel module behind "-m owner"
module_loaded xt_owner && return 0
"${fw_command}" -m owner -h >/dev/null 2>&1 && return 0
return 1
}
can_use_ct_target() {
# Check if iptables CT target exists (iptables-nft should support it when kernel has nf_tables CT support)
"${fw_command}" -t raw -j CT -h >/dev/null 2>&1 && return 0
return 1
}
can_use_helper_match() {
# Check if helper match exists
"${fw_command}" -m helper -h >/dev/null 2>&1 && return 0
return 1
}
can_use_nft() {
command -v nft >/dev/null 2>&1 && return 0
return 1
}
setup_ftp_conntrack_helper_output() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"${fw_command}" -A OUTPUT -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
# Best-effort; may fail in containers without CAP_NET_ADMIN
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper output '{ type filter hook output priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper output tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP active/passive may fail; FTPS workaround relies on recent/port rules."
return 1
}
setup_ftp_conntrack_helper_prerouting() {
# Prefer explicit helper assignment (safe with nf_conntrack_helper=0)
if can_use_ct_target ; then
"$ipt" -A PREROUTING -t raw -p tcp --dport "$standard_ftp_port" -j CT --helper ftp
return 0
fi
# nft fallback (nft-native helper assignment); keeps us "nft-ready"
if can_use_nft ; then
nft add table ip fwhelper >/dev/null 2>&1 || true
nft add chain ip fwhelper prerouting '{ type filter hook prerouting priority raw; policy accept; }' >/dev/null 2>&1 || true
nft add ct helper ip fwhelper ftp '{ type "ftp" protocol tcp; }' >/dev/null 2>&1 || true
nft add rule ip fwhelper prerouting tcp dport "$standard_ftp_port" ct helper set "ftp" >/dev/null 2>&1 && return 0
fi
warn "No CT helper assignment available (iptables CT target and nft fallback both unavailable). FTP server traffic may fail; consider enabling passive port ranges."
return 1
}
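Review bot: `echononl` creates the predictable path `/tmp/shprompt$$` as root; with a world-writable /tmp and a guessable PID this is a classic symlink-clobber target, and `fs.protected_symlinks` only mitigates it where it is enabled. The capability probe is unnecessary: replace the whole function body with `printf '%b' "$*" >&2`, which honours backslash escapes like `echo -e` and never touches the filesystem. Separately, `can_use_recent` and `setup_ftp_conntrack_helper_prerouting` call `"$ipt"` while their siblings use `"${fw_command}"`; if the IPv6 script leaves `$ipt` unset these silently fail or fall to the nft path, so use `"${fw_command}"` unless the PREROUTING helper is intentionally IPv4-only, in which case say so in a comment. The `fw_command` selection at the top also prefers `${ip6t}` whenever it is executable, so an IPv4 script that has both variables in scope would drive ip6tables — worth confirming against the callers, which are not in this commit.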
@@ -0,0 +1,62 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 11"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv4 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
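Review bot: `if $(ps -e f | grep -q -E ...)` only works because bash falls back to the exit status of the last command substitution when the expansion leaves no command to run; it reads as though the (empty) output were being executed. Write it as `if ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" ; then` or, simpler, `if pgrep -x ulogd >/dev/null 2>&1 ; then`. The more important consequence is that the log target is decided by whether ulogd happens to be running at the moment the firewall starts: if `ipt-firewall.service` comes up before ulogd at boot, rejected packets go to the kernel LOG target and never reach ulogd's files, and the same probe is repeated in the IPv6 variant. Whether the unit carries `After=ulogd2.service` is not visible here, so verify the ordering or make the choice an explicit setting rather than a runtime probe.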
@@ -0,0 +1,63 @@
#!/usr/bin/env bash
# -------------
# --- Logging
# -------------
if $(ps -e f | grep -q -E "/usr/sbin/ulogd2?\s" 2>/dev/null) ; then
tag_log_prefix="--nflog-prefix"
LOG_TARGET="NFLOG --nflog-group 12"
else
# - Log using the specified syslog level. 7 (debug) is a good choice
# - unless you specifically need something else.
# -
log_level=debug
LOG_TARGET="LOG --log-level $log_level"
tag_log_prefix="--log-prefix"
fi
log_all=false
log_syn_flood=false
log_port_scanning=false
log_ssh_brute_force=false
log_fragments=false
log_mdns=false
log_mndp=false
log_new_not_sync=false
log_syn_with_suspicious_mss=false
log_invalid_packets=false
log_invalid_state=false
log_invalid_flags=false
log_spoofed=false
log_spoofed_out=false
log_private_network_out=false
log_to_lo=false
log_not_wanted=false
log_blocked=false
log_unprotected=false
log_forwarding_priv_ip=false
log_prohibited=false
log_voip=false
log_rejected=true
log_blocked_ip=false
log_ssh=false
# - logging messages
# -
log_prefix="[ IPv6 ]"
# ---
# - Log all traffic for givven ip address
# ---
# - You can also give hostname(s)
# -
# - Blank seoarated list of ips/hostnames
# -
log_ips=""
@@ -0,0 +1,621 @@
#!/usr/bin/env bash
# -----------
# --- Define Arrays
# -----------
# ---
# NAT (Masquerade) Network interfaces
# ---
declare -a nat_device_arr=()
for _dev in $nat_devices ; do
if ! containsElement $_dev "${nat_device_arr[@]}" ; then
nat_device_arr+=("$_dev")
fi
done
# ---
# IP Addresses LX Guest System
# ---
declare -a lxc_guest_ip_arr=()
for _ip in $lxc_guest_ips ; do
lxc_guest_ip_arr+=("$_ip")
done
# ---
# local Interfaces
# ---
declare -a local_ip_arr=()
for _ip in $local_ips ; do
local_ip_arr+=("$_ip")
done
# ---
# - IP Addresses to log
# ---
declare -a log_ip_arr
for _ip in $log_ips ; do
log_ip_arr+=("$_ip")
done
# ---
# - LOG CGI script Traffic out
# ---
declare -a cgi_script_user_arr=()
for _user in $cgi_script_users ; do
cgi_script_user_arr+=($_user)
done
# ---
# - IP-Addresses (Host, Guests (VServer, LX_Container)
# ---
declare -a ext_ip_arr
for _ip in $ext_ips ; do
host_ip_arr+=("$_ip")
done
# ---
# - Extern Interfaces
# ---
declare -a ext_if_arr
for _dev in $ext_ifs ; do
ext_if_arr+=("$_dev")
done
# ---
# - VPN Interfaces
# ---
declare -a vpn_if_arr
for _dev in $vpn_ifs ; do
vpn_if_arr+=("$_dev")
done
# ---
# - WireGuard Interfaces
# ---
declare -a wg_if_arr
for _dev in $wg_ifs ; do
wg_if_arr+=("$_dev")
done
# ---
# - Local Network Interfaces
# ---
declare -a local_if_arr
for _dev in $local_ifs ; do
local_if_arr+=("$_dev")
done
# ---
# - Network Interfaces completly blocked
# ---
declare -a blocked_if_arr
for _dev in $blocked_ifs ; do
blocked_if_arr+=("$_dev")
done
# ---
# - Network Interfaces not firewalled
# ---
declare -a unprotected_if_arr
for _dev in $unprotected_ifs ; do
unprotected_if_arr+=("$_dev")
done
# ---
# - Restrict local Servive to given IP-Address/Network
# ---
declare -a restrict_local_service_to_net_arr
for _val in $restrict_local_service_to_net ; do
restrict_local_service_to_net_arr+=("$_val")
done
# ---
# - Restrict local Network to given IP-Address/Network
# ---
declare -a restrict_local_net_to_net_arr
for _val in $restrict_local_net_to_net ; do
restrict_local_net_to_net_arr+=("$_val")
done
# ---
# - Allow extern Service
# ---
declare -a allow_ext_service_arr
for _val in $allow_ext_service ; do
allow_ext_service_arr+=("$_val")
done
# ---
# - Allow extern IP-Address/Network
# ---
declare -a allow_ext_net_arr
for _net in $allow_ext_net ; do
allow_ext_net_arr+=("$_net")
done
# ---
# - Allow (non-standard) local Services
# ---
declare -a allow_local_service_arr
for _val in $allow_local_service ; do
allow_local_service_arr+=("$_val")
done
# ---
# - Allow (non-standard) local Services from specified network
# ---
declare -a allow_local_service_from_network_arr
for _service in $allow_local_service_from_networks ; do
allow_local_service_from_network_arr+=("$_service")
done
# ---
# - Generally block ports
# ---
declare -a block_tcp_port_arr
for _port in $block_tcp_ports ; do
block_tcp_port_arr+=("$_port")
done
declare -a block_udp_port_arr
for _port in $block_udp_ports ; do
block_udp_port_arr+=("$_port")
done
# ---
# - Private IPs / IP-Ranges allowed to forward
# ---
declare -a forward_private_ip_arr
for _ip in $forward_private_ips ; do
forward_private_ip_arr+=("$_ip")
done
# ---
# - Network Interfaces DHCP Service
# ---
declare -a dhcp_server_if_arr
for _dev in $dhcp_server_ifs ; do
dhcp_server_if_arr+=($_dev)
done
declare -a dhcp_client_if_arr
for _dev in $dhcp_client_ifs ; do
dhcp_client_if_arr+=($_dev)
done
# ---
# - IP Addresses DNS Server
# ---
# - local
declare -a dns_server_ip_arr
for _ip in $dns_server_ips ; do
dns_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_dns_server_ip_arr
for _ip in $forward_dns_server_ips ; do
forward_dns_server_ip_arr+=("$_ip")
done
# ---
# - Netwoks allowed access to local DNS Resolver
# ---
declare -a resolver_allowed_network_arr
for _net in $resolver_allowed_networks ; do
resolver_allowed_network_arr+=("$_net")
done
# ---
# - IP Addresses VPN Server
# ---
# local
declare -a vpn_server_ip_arr
for _ip in $vpn_server_ips ; do
vpn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_vpn_server_ip_arr
for _ip in $forward_vpn_server_ips ; do
forward_vpn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses WireGuard Service
# ---
# local
declare -a wireguard_server_ip_arr
for _ip in $wireguard_server_ips ; do
wireguard_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_wireguard_server_ip_arr
for _ip in $forward_wireguard_server_ips ; do
forward_wireguard_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses SSH Server
# ---
# local
declare -a ssh_server_ip_arr
for _ip in $ssh_server_ips ; do
ssh_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ssh_server_ip_arr
for _ip in $forward_ssh_server_ips ; do
forward_ssh_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses HTTP Server
# ---
# local
declare -a http_server_ip_arr
for _ip in $http_server_ips ; do
http_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_http_server_ip_arr
for _ip in $forward_http_server_ips ; do
forward_http_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses MatterMost Service
# ---
# local
declare -a mm_server_ip_arr
for _ip in $mm_server_ips ; do
mm_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mm_server_ip_arr
for _ip in $forward_mm_server_ips ; do
forward_mm_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses FTP Server
# ---
# local
declare -a ftp_server_ip_arr
for _ip in $ftp_server_ips ; do
ftp_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_ftp_server_ip_arr
for _ip in $forward_ftp_server_ips ; do
forward_ftp_server_ip_arr+=("$_ip")
done
# ---
# - Mail SMTP Server
# ---
# local
declare -a smtpd_ips_arr
for _ip in $smtpd_ips ; do
smtpd_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_smtpd_ip_arr
for _ip in $forward_smtpd_ips ; do
forward_smtpd_ip_arr+=("$_ip")
done
# ---
# Additional SMTP Listen Ports
# ---
declare -a smtpd_additional_listen_port_arr
for _port in $smtpd_additional_listen_ports ; do
smtpd_additional_listen_port_arr+=("$_port")
done
# ---
# Additional SMTP Outgoing Ports
# ---
declare -a smtpd_additional_outgoung_port_arr
for _port in $smtpd_additional_outgoung_ports ; do
smtpd_additional_outgoung_port_arr+=("$_port")
done
# ---
# - IP Addresses XMPP Service (Jabber - Prosody)
# ---
declare -a xmpp_server_ip_arr
for _ip in $xmpp_server_ips ; do
xmpp_server_ip_arr+=("$_ip")
done
declare -a forward_xmpp_server_ip_arr
for _ip in $forward_xmpp_server_ips ; do
forward_xmpp_server_ip_arr+=("$_ip")
done
# ---
# - XMPP Remote Dovecote Out Service
# ---
declare -a xmmp_remote_out_service_arr
for _val in $xmmp_remote_out_services ; do
xmmp_remote_out_service_arr+=("$_val")
done
# ---
# - Mail Services (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_server_ips_arr
for _ip in $mail_server_ips ; do
mail_server_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_server_ip_arr
for _ip in $forward_mail_server_ips ; do
forward_mail_server_ip_arr+=("$_ip")
done
# ---
# - Mail client (smtps/pop(s)/imap(s)
# ---
# local
declare -a mail_client_ips_arr
for _ip in $mail_client_ips ; do
mail_client_ips_arr+=("$_ip")
done
# DMZ
declare -a forward_mail_client_ip_arr
for _ip in $forward_mail_client_ips ; do
forward_mail_client_ip_arr+=("$_ip")
done
# ---
# - (local) Dovecot auth service
# ---
declare -a dovecot_auth_allowed_network_arr
for _ip in $dovecot_auth_allowed_networks ; do
dovecot_auth_allowed_network_arr+=("$_ip")
done
# ---
# - IP Addresses Mumble Server
# ---
# local
declare -a mumble_server_ip_arr
for _ip in $mumble_server_ips ; do
mumble_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_mumble_server_ip_arr
for _ip in $forward_mumble_server_ips ; do
forward_mumble_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jitsi Video Conferencing Server
# ---
declare -a jitsi_server_ip_arr
for _ip in $jitsi_server_ips ; do
jitsi_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jitsi_server_ip_arr
for _ip in $forward_jitsi_server_ips ; do
forward_jitsi_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Remote Jibri Server
# ---
declare -a jitsi_jibri_remote_ip_arr
for _ip in $jitsi_jibri_remote_ips ; do
jitsi_jibri_remote_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Jibri Recording / Streaming Server
# ---
declare -a jibri_server_ip_arr
for _ip in $jibri_server_ips ; do
jibri_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_jibri_server_ip_arr
for _ip in $forward_jibri_server_ips ; do
forward_jibri_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses TURN Server (Stun Server) (for Nextcloud 'talk' app)
# ---
# local
declare -a nc_turn_server_ip_arr
for _ip in $nc_turn_server_ips ; do
nc_turn_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_nc_turn_server_ip_arr
for _ip in $forward_nc_turn_server_ips ; do
forward_nc_turn_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Telephone Systems
# ---
declare -a tel_sys_ip_arr
for _ip in $tel_sys_ips ; do
tel_sys_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Server
# ---
declare -a prometheus_local_server_ip_arr
for _ip in $prometheus_local_server_ips ; do
prometheus_local_server_ip_arr+=("$_ip")
done
# ---
# - Prometheus Monitoring - local Client
# ---
declare -a prometheus_local_client_ip_arr
for _ip in $prometheus_local_client_ips; do
prometheus_local_client_ip_arr+=("$_ip")
done
declare -a prometheus_remote_server_ip_arr
for _ip in $prometheus_remote_server_ips ; do
prometheus_remote_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Munin
# ---
# local
declare -a munin_server_ip_arr
for _ip in $munin_server_ips ; do
munin_server_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_munin_server_ip_arr
for _ip in $forward_munin_server_ips ; do
forward_munin_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses XyMon
# ---
declare -a xymon_server_ip_arr
for _ip in $xymon_server_ips ; do
xymon_server_ip_arr+=("$_ip")
done
# ---
# - IP Addresses Rsync Out
# ---
# local
declare -a rsync_out_ip_arr
for _ip in $rsync_out_ips ; do
rsync_out_ip_arr+=("$_ip")
done
# DMZ
declare -a forward_rsync_out_ip_arr
for _ip in $forward_rsync_out_ips ; do
forward_rsync_out_ip_arr+=("$_ip")
done
# ---
# - SSH Ports
# ---
declare -a ssh_port_arr
for _port in $ssh_ports ; do
ssh_port_arr+=("$_port")
done
# ---
# - XMPP Service (Jabber - Prosody)
# ---
declare -a xmmp_tcp_in_port_arr
for _port in $xmmp_tcp_in_ports ; do
xmmp_tcp_in_port_arr+=("$_port")
done
declare -a xmmp_tcp_out_port_arr
for _port in $xmmp_tcp_out_ports ; do
xmmp_tcp_out_port_arr+=("$_port")
done
# ---
# - VPN Ports
# ---
# local
declare -a vpn_port_arr
for _port in $vpn_ports ; do
vpn_port_arr+=("$_port")
done
# ---
# - Wireguard Ports (local Service)
# ---
# local
declare -a wireguard_server_port_arr
for _port in $wireguard_server_ports ; do
wireguard_server_port_arr+=("$_port")
done
# ---
# - Wireguard out Ports
# ---
# local
declare -a wireguard_out_port_port_arr
for _port in $wireguard_out_ports ; do
wireguard_out_port_port_arr+=("$_port")
done
# ---
# - Rsync Out Ports
# --
declare -a rsync_port_arr
for _port in $rsync_ports ; do
rsync_port_arr+=("$_port")
done
# ---
# - Special TCP Ports OUT
# ---
# local
declare -a tcp_out_port_arr
for _port in $tcp_out_ports ; do
tcp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_tcp_out_port_arr
for _port in $forward_tcp_out_ports ; do
forward_tcp_out_port_arr+=("$_port")
done
# ---
# - Special UDP Ports OUT
# ---
# local
declare -a udp_out_port_arr
for _port in $udp_out_ports ; do
udp_out_port_arr+=("$_port")
done
# DMZ
declare -a forward_udp_out_port_arr
for _port in $forward_udp_out_ports ; do
forward_udp_out_port_arr+=("$_port")
done
# ---
# - Portforwrds TCP
# ---
declare -a portforward_tcp_arr
for _str in $portforward_tcp ; do
portforward_tcp_arr+=("$_str")
done
# ---
# - Portforwrds UDP
# ---
declare -a portforward_udp_arr
for _str in $portforward_udp ; do
portforward_udp_arr+=("$_str")
done
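Review bot: `ext_ip_arr` is declared, but the loop under it appends to `host_ip_arr`, so `ext_ip_arr` stays empty and `host_ip_arr` is filled without a declaration; if the rule code later reads `ext_ip_arr`, the external addresses are silently ignored. Change the append to `ext_ip_arr+=("$_ip")` (or declare `host_ip_arr` if that is the intended name). Three appends are unquoted — `cgi_script_user_arr+=($_user)` and the two `dhcp_*_if_arr+=($_dev)` — and therefore undergo glob expansion; quote them like every other append in the file. Most arrays after the first three are declared without `=()`, so if this file is sourced twice within one shell run the entries are appended twice; `declare -a name=()` would reset them.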
@@ -0,0 +1,13 @@
[Unit]
Description=IPv6 Firewall with ip6tables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ip6t-firewall-server start
ExecStop=/usr/local/sbin/ip6t-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
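Review bot: `After=network.target` orders the firewall after the network is up, so on every boot there is a window in which interfaces carry traffic under the kernel's default policies before ExecStart has installed any rules. For a firewall unit the usual ordering is the opposite: replace the After= line with `Wants=network-pre.target` and `Before=network-pre.target` (depending on the distribution `DefaultDependencies=no` may also be needed, which should be verified). One caveat: logging_ipv4.conf allows hostnames in `log_ips`, and if the script resolves names while building rules it needs a working resolver, in which case the current ordering has to stay and the boot-time gap should at least be documented in the unit. `User=root` is the default and can be dropped. The same applies to ipt-firewall.service.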
@@ -0,0 +1,13 @@
[Unit]
Description=IPv4 Firewall with iptables
After=network.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/ipt-firewall-server start
ExecStop=/usr/local/sbin/ipt-firewall-server stop
User=root
[Install]
WantedBy=multi-user.target
+15
@@ -0,0 +1,15 @@
---
- name: Reload systemd daemon
systemd:
daemon_reload: true
- name: Restart IPv4 Firewall
service:
name: ipt-firewall
state: restarted
- name: Restart IPv6 Firewall
service:
name: ip6t-firewall
state: restarted
+215
@@ -0,0 +1,215 @@
---
# ===
# Ensure /etc/ipt-firewall directory exists
# ===
- name: Create /etc/ipt-firewall if not present
file:
path: /etc/ipt-firewall
state: directory
owner: root
group: root
mode: "0750"
# ===
# Check presence of host-specific config files
# ===
- name: Check if interfaces_ipv4.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv4.conf
register: interfaces_ipv4_exists
- name: Check if interfaces_ipv6.conf exists
stat:
path: /etc/ipt-firewall/interfaces_ipv6.conf
register: interfaces_ipv6_exists
- name: Check if main_ipv4.conf exists
stat:
path: /etc/ipt-firewall/main_ipv4.conf
register: main_ipv4_exists
- name: Check if main_ipv6.conf exists
stat:
path: /etc/ipt-firewall/main_ipv6.conf
register: main_ipv6_exists
# ===
# Deploy host-specific config files from templates.
#
# Safety guard: by default (fw_manage_config: false) a file is only written
# when it does not yet exist on the host — so existing hosts are never touched
# accidentally.
#
# Once a host has been migrated (host_vars populated and diff verified), set
# fw_manage_config: true
# in its host_vars. From that point on Ansible is the authoritative source and
# will update the config on every run, triggering a firewall restart on changes.
# ===
- name: Deploy interfaces_ipv4.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv4.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy interfaces_ipv6.conf from template
template:
src: etc/ipt-firewall/interfaces_ipv6.conf.j2
dest: /etc/ipt-firewall/interfaces_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not interfaces_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
- name: Deploy main_ipv4.conf from template
template:
src: etc/ipt-firewall/main_ipv4.conf.j2
dest: /etc/ipt-firewall/main_ipv4.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv4_exists.stat.exists
notify:
- Restart IPv4 Firewall
- name: Deploy main_ipv6.conf from template
template:
src: etc/ipt-firewall/main_ipv6.conf.j2
dest: /etc/ipt-firewall/main_ipv6.conf
owner: root
group: root
mode: "0640"
when: fw_manage_config or not main_ipv6_exists.stat.exists
notify:
- Restart IPv6 Firewall
# ===
# Firewall scripts
# ===
- name: Deploy ipt-firewall-server
copy:
src: usr/local/sbin/ipt-firewall-server
dest: /usr/local/sbin/ipt-firewall-server
owner: root
group: root
mode: "0750"
- name: Deploy ip6t-firewall-server
copy:
src: usr/local/sbin/ip6t-firewall-server
dest: /usr/local/sbin/ip6t-firewall-server
owner: root
group: root
mode: "0750"
# ===
# Shared conf files (not host-specific — always kept in sync with the role)
# ===
- name: Deploy shared conf files
copy:
src: "etc/ipt-firewall/{{ item }}"
dest: "/etc/ipt-firewall/{{ item }}"
owner: root
group: root
mode: "0640"
loop:
- default_settings.conf
- include_functions.conf
- logging_ipv4.conf
- logging_ipv6.conf
- post_declarations.conf
# ===
# Ban lists — copy from sample once; the file can be customised per host.
# ===
- name: Check if ban_ipv4.list exists
stat:
path: /etc/ipt-firewall/ban_ipv4.list
register: ban_ipv4_exists
- name: Copy ban_ipv4.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv4.list.sample
dest: /etc/ipt-firewall/ban_ipv4.list
owner: root
group: root
mode: "0640"
when: not ban_ipv4_exists.stat.exists
- name: Check if ban_ipv6.list exists
stat:
path: /etc/ipt-firewall/ban_ipv6.list
register: ban_ipv6_exists
- name: Copy ban_ipv6.list from sample (first install only)
copy:
src: etc/ipt-firewall/ban_ipv6.list.sample
dest: /etc/ipt-firewall/ban_ipv6.list
owner: root
group: root
mode: "0640"
when: not ban_ipv6_exists.stat.exists
# ===
# Systemd service units
# ===
- name: Deploy ipt-firewall.service
copy:
src: etc/systemd/system/ipt-firewall.service
dest: /etc/systemd/system/ipt-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv4 Firewall
- name: Deploy ip6t-firewall.service
copy:
src: etc/systemd/system/ip6t-firewall.service
dest: /etc/systemd/system/ip6t-firewall.service
owner: root
group: root
mode: "0644"
notify:
- Reload systemd daemon
- Restart IPv6 Firewall
# ===
# Enable and start services
# ===
- name: Enable and start ipt-firewall
systemd:
name: ipt-firewall
enabled: true
state: started
daemon_reload: true
- name: Enable and start ip6t-firewall
systemd:
name: ip6t-firewall
enabled: true
state: started
daemon_reload: true
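Review bot: The "Deploy shared conf files" loop and the two script `copy` tasks carry no `notify`, so a changed post_declarations.conf, logging_ipv*.conf, include_functions.conf or firewall script is written to disk but the running rule set is not rebuilt until something else restarts the service; the templated host files do notify, which makes the inconsistency easy to miss. Add `notify: [Restart IPv4 Firewall, Restart IPv6 Firewall]` to the shared-conf task and `notify: Restart IPv4 Firewall` / `notify: Restart IPv6 Firewall` to the respective script tasks. As a style point, the four stat-plus-`when` pairs can be replaced by the template module's `force: "{{ fw_manage_config | bool }}"`, which writes only when the destination is missing unless forced and keeps the same handler behaviour.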
@@ -0,0 +1,74 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v4[0] if fw_ext_ips_v4 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v4[1] if fw_ext_ips_v4 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v4[2] if fw_ext_ips_v4 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v4 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v4[0] if fw_local_ips_v4 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v4[1] if fw_local_ips_v4 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v4[2] if fw_local_ips_v4 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v4 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v4[0] if fw_lxc_guest_ips_v4 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v4[1] if fw_lxc_guest_ips_v4 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v4[2] if fw_lxc_guest_ips_v4 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v4[3] if fw_lxc_guest_ips_v4 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v4[4] if fw_lxc_guest_ips_v4 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v4[5] if fw_lxc_guest_ips_v4 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v4[6] if fw_lxc_guest_ips_v4 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v4 | join(' ') }}"
# - Devices given in list "nat_devices" will be natted
# -
# - Blank separated list
# -
nat_devices="{{ fw_nat_devices }}"
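Review bot: The comments on `vpn_ifs` and `wg_ifs` say "comma separated list", but post_declarations.conf iterates these variables with `for _dev in $vpn_ifs`, which splits on whitespace, so a comma-separated value ends up as one array element such as "tun0,tun1" unless the firewall script normalises commas somewhere not shown here. Since `ext_ifs` and `local_ifs` are already rendered from lists with `join(' ')`, either render these the same way, `vpn_ifs="{{ fw_vpn_ifs | join(' ') }}"`, with list-typed defaults, or correct the comment to "blank separated". The same mismatch is in interfaces_ipv6.conf.j2 and on the dhcp_server_ifs/dhcp_client_ifs lines of main_ipv4.conf.j2.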
@@ -0,0 +1,67 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
# -------------
# --- Network Interfaces
# -------------
# - External interface(s)
#
ext_if_1="{{ fw_ext_interfaces[0] if fw_ext_interfaces | length >= 1 else '' }}"
ext_if_2="{{ fw_ext_interfaces[1] if fw_ext_interfaces | length >= 2 else '' }}"
ext_if_3="{{ fw_ext_interfaces[2] if fw_ext_interfaces | length >= 3 else '' }}"
ext_ifs="{{ fw_ext_interfaces | join(' ') }}"
# - VPN Interfaces
# - (comma separated list)
vpn_ifs="{{ fw_vpn_ifs }}"
# - Wireguard Interfaces
# - (comma separated list)
wg_ifs="{{ fw_wg_ifs }}"
# - Local Interfaces
local_if_1="{{ fw_local_interfaces[0] if fw_local_interfaces | length >= 1 else '' }}"
local_if_2="{{ fw_local_interfaces[1] if fw_local_interfaces | length >= 2 else '' }}"
local_if_3="{{ fw_local_interfaces[2] if fw_local_interfaces | length >= 3 else '' }}"
local_ifs="{{ fw_local_interfaces | join(' ') }}"
# -------------
# --- IP-Addresses
# -------------
# - Extern IP Addresses on this Host
#
ext_1_ip="{{ fw_ext_ips_v6[0] if fw_ext_ips_v6 | length >= 1 else '' }}"
ext_2_ip="{{ fw_ext_ips_v6[1] if fw_ext_ips_v6 | length >= 2 else '' }}"
ext_3_ip="{{ fw_ext_ips_v6[2] if fw_ext_ips_v6 | length >= 3 else '' }}"
ext_ips="{{ fw_ext_ips_v6 | join(' ') }}"
local_1_ip="{{ fw_local_ips_v6[0] if fw_local_ips_v6 | length >= 1 else '' }}"
local_2_ip="{{ fw_local_ips_v6[1] if fw_local_ips_v6 | length >= 2 else '' }}"
local_3_ip="{{ fw_local_ips_v6[2] if fw_local_ips_v6 | length >= 3 else '' }}"
local_ips="{{ fw_local_ips_v6 | join(' ') }}"
# -------------
# --- IP-Addresses LXC Guest Systems
# -------------
lxc_guest_1_ip="{{ fw_lxc_guest_ips_v6[0] if fw_lxc_guest_ips_v6 | length >= 1 else '' }}"
lxc_guest_2_ip="{{ fw_lxc_guest_ips_v6[1] if fw_lxc_guest_ips_v6 | length >= 2 else '' }}"
lxc_guest_3_ip="{{ fw_lxc_guest_ips_v6[2] if fw_lxc_guest_ips_v6 | length >= 3 else '' }}"
lxc_guest_4_ip="{{ fw_lxc_guest_ips_v6[3] if fw_lxc_guest_ips_v6 | length >= 4 else '' }}"
lxc_guest_5_ip="{{ fw_lxc_guest_ips_v6[4] if fw_lxc_guest_ips_v6 | length >= 5 else '' }}"
lxc_guest_6_ip="{{ fw_lxc_guest_ips_v6[5] if fw_lxc_guest_ips_v6 | length >= 6 else '' }}"
lxc_guest_7_ip="{{ fw_lxc_guest_ips_v6[6] if fw_lxc_guest_ips_v6 | length >= 7 else '' }}"
lxc_guest_ips="{{ fw_lxc_guest_ips_v6 | join(' ') }}"
@@ -0,0 +1,357 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv4 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v4 }}"
# -------------
# --- Access control (source-based)
# -------------
# restrict_local_service_to_net="ext-net:local-address:port:protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v4 }}"
# restrict_local_net_to_net="<src-ext-net>:<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v4 }}"
# allow_ext_service="<ext-ip>:<ext_port>:<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v4 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v4 }}"
# allow_local_service="<port>:<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v4 }}"
# allow_local_service_from_networks="<ext-net>:<local-port>:<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v4 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DHCP (IPv4 only)
# -------------
# Comma separated list of interfaces providing DHCP
dhcp_server_ifs="{{ fw_dhcp_server_ifs }}"
# Comma separated list of interfaces acting as DHCP clients
dhcp_client_ifs="{{ fw_dhcp_client_ifs }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="192.68.11.64/27 194.150.169.139"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v4 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="192.68.11.64/27 194.150.169.139"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v4 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="192.68.11.81:44444 83.223.86.91:44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v4 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv4 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv4)
# --- Format: "<device-in>:<src-ip>:<port-in>:<ip-to-forward>:<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v4 }}"
portforward_udp="{{ fw_portforward_udp_v4 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv4)
# -------------
kernel_activate_forwarding={{ fw_kernel_activate_forwarding | lower }}
kernel_support_dynaddr={{ fw_kernel_support_dynaddr | lower }}
dynaddr_flag="{{ fw_dynaddr_flag }}"
kernel_reduce_timeouts={{ fw_kernel_reduce_timeouts | lower }}
kernel_tcp_syncookies={{ fw_kernel_tcp_syncookies | lower }}
kernel_protect_against_icmp_bogus_messages={{ fw_kernel_protect_against_icmp_bogus_messages | lower }}
kernel_ignore_broadcast_ping={{ fw_kernel_ignore_broadcast_ping | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}
kernel_activate_rp_filter={{ fw_kernel_activate_rp_filter | lower }}
kernel_log_martians={{ fw_kernel_log_martians | lower }}
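Review bot: `munin_remote_ip="{{ munin_remote_ipv4 }}"` is the only expression in this template whose variable lacks the `fw_` prefix; unless `munin_remote_ipv4` is defined in group_vars or host_vars, rendering aborts with an undefined-variable error on every host, and even when it is defined the name is inconsistent with the rest of the role. Either add a default for it next to the other fw_munin_* defaults and reference that, or add a comment on the line stating that it is deliberately sourced from outside the role. The corresponding line in main_ipv6.conf.j2 lies outside this view.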
@@ -0,0 +1,337 @@
#!/usr/bin/env bash
# {{ ansible_managed }}
## ----------------------------------------------------------------
## --- Main Configurations IPv6 Firewall
## ----------------------------------------------------------------
# -------------
# --- Bridged / LXC traffic
# -------------
do_not_firewall_bridged_traffic={{ fw_do_not_firewall_bridged_traffic | lower }}
do_not_firewall_lx_guest_systems={{ fw_do_not_firewall_lx_guest_systems | lower }}
# -------------
# --- Drop ICMP / MNDP / mDNS
# -------------
drop_icmp={{ fw_drop_icmp | lower }}
drop_mndp={{ fw_drop_mndp | lower }}
drop_mdns={{ fw_drop_mdns | lower }}
# -------------
# --- Outgoing traffic
# -------------
allow_all_outgoing_traffic={{ fw_allow_all_outgoing_traffic | lower }}
# -------------
# --- Interface policy
# -------------
blocked_ifs="{{ fw_blocked_ifs }}"
unprotected_ifs="{{ fw_unprotected_ifs }}"
# -------------
# --- Forwarding / Routing
# -------------
# Private IPs to forward (CIDR notation, blank separated)
forward_private_ips="{{ fw_forward_private_ips_v6 }}"
# -------------
# --- Access control (source-based)
# --- Note: IPv6 uses comma as field separator (not colon)
# -------------
# restrict_local_service_to_net="ext-net,local-address,port,protocol"
restrict_local_service_to_net="{{ fw_restrict_local_service_to_net_v6 }}"
# restrict_local_net_to_net="<src-ext-net>,<dst-local-net>"
restrict_local_net_to_net="{{ fw_restrict_local_net_to_net_v6 }}"
# allow_ext_service="<ext-ip>,<ext_port>,<protocol>"
allow_ext_service="{{ fw_allow_ext_service_v6 }}"
# allow_ext_net="<ext-ip/net>" (blank separated)
allow_ext_net="{{ fw_allow_ext_net_v6 }}"
# allow_local_service="<port>,<protocol>" (blank separated)
allow_local_service="{{ fw_allow_local_service_v6 }}"
# allow_local_service_from_networks="<ext-net>,<local-port>,<protocol>"
allow_local_service_from_networks="{{ fw_allow_local_service_from_networks_v6 }}"
# -------------
# --- Services: VPN / WireGuard
# -------------
vpn_server_ips="{{ fw_vpn_server_ips }}"
forward_vpn_server_ips="{{ fw_forward_vpn_server_ips }}"
vpn_ports="{{ fw_vpn_ports }}"
wireguard_server_ips="{{ fw_wireguard_server_ips }}"
forward_wireguard_server_ips="{{ fw_forward_wireguard_server_ips }}"
wireguard_server_ports="{{ fw_wireguard_server_ports }}"
wireguard_out_ports="{{ fw_wireguard_out_ports }}"
# -------------
# --- Services: NTP
# -------------
local_ntp_service={{ fw_local_ntp_service | lower }}
ntp_port="{{ fw_ntp_port }}"
ntp_allowed_net="{{ fw_ntp_allowed_net }}"
# -------------
# --- Services: DNS
# -------------
dns_server_ips="{{ fw_dns_server_ips }}"
forward_dns_server_ips="{{ fw_forward_dns_server_ips }}"
local_resolver_service={{ fw_local_resolver_service | lower }}
resolver_port="{{ fw_resolver_port }}"
# resolver_allowed_networks="2001:678:a40:3000::/64"
resolver_allowed_networks="{{ fw_resolver_allowed_networks_v6 }}"
# -------------
# --- Services: SSH
# -------------
ssh_server_ips="{{ fw_ssh_server_ips }}"
forward_ssh_server_ips="{{ fw_forward_ssh_server_ips }}"
ssh_ports="{{ fw_ssh_ports }}"
# -------------
# --- Services: HTTP(S)
# -------------
http_server_ips="{{ fw_http_server_ips }}"
forward_http_server_ips="{{ fw_forward_http_server_ips }}"
http_ports="{{ fw_http_ports }}"
log_cgi_traffic_out={{ fw_log_cgi_traffic_out | lower }}
cgi_script_users="{{ fw_cgi_script_users }}"
# -------------
# --- Services: Mattermost
# -------------
mm_server_ips="{{ fw_mm_server_ips }}"
forward_mm_server_ips="{{ fw_forward_mm_server_ips }}"
mm_udp_ports_in="{{ fw_mm_udp_ports_in }}"
mm_udp_ports_out="{{ fw_mm_udp_ports_out }}"
# -------------
# --- Services: Mail (SMTP / IMAP / POP)
# -------------
smtpd_ips="{{ fw_smtpd_ips }}"
forward_smtpd_ips="{{ fw_forward_smtpd_ips }}"
smtpd_additional_listen_ports="{{ fw_smtpd_additional_listen_ports }}"
smtpd_additional_outgoung_ports="{{ fw_smtpd_additional_outgoing_ports }}"
mail_server_ips="{{ fw_mail_server_ips }}"
forward_mail_server_ips="{{ fw_forward_mail_server_ips }}"
mail_user_ports="{{ fw_mail_user_ports }}"
mail_client_ips="{{ fw_mail_client_ips }}"
forward_mail_client_ips="{{ fw_forward_mail_client_ips }}"
dovecot_auth_service={{ fw_dovecot_auth_service | lower }}
dovecot_auth_port="{{ fw_dovecot_auth_port }}"
# dovecot_auth_allowed_networks="2001:678:a40:3000::/64 2a01:30:0:13:2f7:50ff:fed2:cef7"
dovecot_auth_allowed_networks="{{ fw_dovecot_auth_allowed_networks_v6 }}"
# -------------
# --- Services: FTP
# -------------
ftp_server_ips="{{ fw_ftp_server_ips }}"
forward_ftp_server_ips="{{ fw_forward_ftp_server_ips }}"
ftp_passive_port_range="{{ fw_ftp_passive_port_range }}"
# -------------
# --- Services: XMPP (Jabber / Prosody)
# -------------
xmpp_server_ips="{{ fw_xmpp_server_ips }}"
forward_xmpp_server_ips="{{ fw_forward_xmpp_server_ips }}"
xmmp_tcp_in_ports="{{ fw_xmmp_tcp_in_ports }}"
xmmp_tcp_out_ports="{{ fw_xmmp_tcp_out_ports }}"
# xmmp_remote_out_services="2a01:4f8:221:3b4e::247,44444"
xmmp_remote_out_services="{{ fw_xmmp_remote_out_services_v6 }}"
# -------------
# --- Services: Mumble
# -------------
mumble_server_ips="{{ fw_mumble_server_ips }}"
forward_mumble_server_ips="{{ fw_forward_mumble_server_ips }}"
mumble_ports="{{ fw_mumble_ports }}"
# -------------
# --- Services: Jitsi / Jibri
# -------------
jitsi_server_ips="{{ fw_jitsi_server_ips }}"
forward_jitsi_server_ips="{{ fw_forward_jitsi_server_ips }}"
jitsi_tcp_ports="{{ fw_jitsi_tcp_ports }}"
jitsi_udp_port_range="{{ fw_jitsi_udp_port_range }}"
jitsi_tcp_ports_out="{{ fw_jitsi_tcp_ports_out }}"
jitsi_udp_ports_out="{{ fw_jitsi_udp_ports_out }}"
jitsi_dovecot_auth={{ fw_jitsi_dovecot_auth | lower }}
jitsi_dovecot_host="{{ fw_jitsi_dovecot_host }}"
jitsi_dovecot_port="{{ fw_jitsi_dovecot_port }}"
jitsi_jibri_remote_auth={{ fw_jitsi_jibri_remote_auth | lower }}
jitsi_jibri_remote_ips="{{ fw_jitsi_jibri_remote_ips }}"
jitsi_jibri_remote_auth_port="{{ fw_jitsi_jibri_remote_auth_port }}"
jibri_server_ips="{{ fw_jibri_server_ips }}"
forward_jibri_server_ips="{{ fw_forward_jibri_server_ips }}"
jibri_remote_jitsi_server="{{ fw_jibri_remote_jitsi_server }}"
jibri_remote_auth_port="{{ fw_jibri_remote_auth_port }}"
# -------------
# --- Services: TURN / STUN (Nextcloud Talk)
# -------------
nc_turn_server_ips="{{ fw_nc_turn_server_ips }}"
forward_nc_turn_server_ips="{{ fw_forward_nc_turn_server_ips }}"
nc_turn_ports="{{ fw_nc_turn_ports }}"
nc_turn_udp_ports="{{ fw_nc_turn_udp_ports }}"
# -------------
# --- Services: TFTP (not yet implemented)
# -------------
tftp_server_ips="{{ fw_tftp_server_ips }}"
# -------------
# --- Services: Prometheus
# -------------
prometheus_local_server_ips="{{ fw_prometheus_local_server_ips }}"
prometheus_remote_client_ports="{{ fw_prometheus_remote_client_ports }}"
prometheus_local_client_ips="{{ fw_prometheus_local_client_ips }}"
prometheus_local_client_ports="{{ fw_prometheus_local_client_ports }}"
prometheus_remote_server_ips="{{ fw_prometheus_remote_server_ips }}"
# -------------
# --- Services: Munin
# -------------
munin_server_ips="{{ fw_munin_server_ips }}"
forward_munin_server_ips="{{ fw_forward_munin_server_ips }}"
munin_remote_port="{{ fw_munin_remote_port }}"
munin_remote_ip="{{ munin_remote_ipv6 }}"
munin_local_port="{{ fw_munin_local_port }}"
# -------------
# --- Services: Xymon (not yet implemented)
# -------------
xymon_server_ips="{{ fw_xymon_server_ips }}"
local_xymon_client={{ fw_local_xymon_client | lower }}
xymon_port="{{ fw_xymon_port }}"
# -------------
# --- Protocols out: Rsync
# -------------
rsync_out_ips="{{ fw_rsync_out_ips }}"
forward_rsync_out_ips="{{ fw_forward_rsync_out_ips }}"
rsync_ports="{{ fw_rsync_ports }}"
# -------------
# --- Special ports (OUT)
# -------------
tcp_out_ports="{{ fw_tcp_out_ports }}"
forward_tcp_out_ports="{{ fw_forward_tcp_out_ports }}"
udp_out_ports="{{ fw_udp_out_ports }}"
forward_udp_out_ports="{{ fw_forward_udp_out_ports }}"
# =============
# --- Portforwarding (IPv6)
# --- Format: "<device-in>,<src-ip>,<port-in>,<ip-to-forward>,<port-out>"
# =============
portforward_tcp="{{ fw_portforward_tcp_v6 }}"
portforward_udp="{{ fw_portforward_udp_v6 }}"
# -------------
# --- Blocked IPs / Ports
# -------------
blocked_ips="{{ fw_blocked_ips }}"
block_tcp_ports="{{ fw_block_tcp_ports }}"
block_udp_ports="{{ fw_block_udp_ports }}"
# -------------
# --- Special / Counters
# -------------
create_traffic_counter={{ fw_create_traffic_counter | lower }}
create_iperf_rules={{ fw_create_iperf_rules | lower }}
# -------------
# --- Protection
# -------------
protection_against_syn_flooding={{ fw_protection_against_syn_flooding | lower }}
protection_against_port_scanning={{ fw_protection_against_port_scanning | lower }}
protection_against_ssh_brute_force_attacks={{ fw_protection_against_ssh_brute_force_attacks | lower }}
# -------------
# --- Connection limits
# -------------
limit_connections_per_source_IP={{ fw_limit_connections_per_source_IP | lower }}
per_IP_connection_limit={{ fw_per_IP_connection_limit }}
limit_new_tcp_connections_per_seconds_per_source_IP={{ fw_limit_new_tcp_connections_per_seconds_per_source_IP | lower }}
limit_new_tcp_connections_per_seconds_ports="{{ fw_limit_new_tcp_connections_per_seconds_ports }}"
# -------------
# --- Kernel parameters (IPv6)
# -------------
kernel_forward_between_interfaces={{ fw_kernel_forward_between_interfaces | lower }}
kernel_deactivate_source_route={{ fw_kernel_deactivate_source_route | lower }}
kernel_dont_accept_redirects={{ fw_kernel_dont_accept_redirects | lower }}