diff --git a/roles/iptables/handlers/main.yml b/roles/iptables/handlers/main.yml
index 353ba8b..9861c00 100644
--- a/roles/iptables/handlers/main.yml
+++ b/roles/iptables/handlers/main.yml
@@ -1,3 +1,6 @@
 ---
 - name: restart iptables
   service: name=iptables.service state=restarted
+
+- name: restart ip6tables
+  service: name=ip6tables.service state=restarted
diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml
index 89e6ba9..cbf8dd1 100644
--- a/roles/iptables/tasks/main.yml
+++ b/roles/iptables/tasks/main.yml
@@ -1,8 +1,16 @@
 ---
-- name: Push firewall config
+- name: Push ipv4 firewall config
   template: src=iptables.rules.j2 dest=/etc/iptables/iptables.rules
   notify:
     - restart iptables
 
 - name: Enable and start iptables
   service: name=iptables.service enabled=yes state=started
+
+- name: Push ipv6 firewall config
+  template: src=ip6tables.rules.j2 dest=/etc/iptables/ip6tables.rules
+  notify:
+    - restart ip6tables
+
+- name: Enable and start ip6tables
+  service: name=ip6tables.service enabled=yes state=started
diff --git a/roles/iptables/templates/ip6tables.rules.j2 b/roles/iptables/templates/ip6tables.rules.j2
new file mode 100644
index 0000000..e5f9231
--- /dev/null
+++ b/roles/iptables/templates/ip6tables.rules.j2
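Review bot: `state=restarted` on the new `restart ip6tables` handler stops the unit before starting it, and on layouts where the unit's stop action flushes the ruleset (the `/etc/iptables/ip6tables.rules` path suggests such a layout) the host has no IPv6 filtering between the stop and the successful load of the new file, and none at all if the new file fails to load. If `ip6tables.service` defines an ExecReload that re-runs ip6tables-restore, `service: name=ip6tables.service state=reloaded` applies the new rules without that window; the existing `restart iptables` handler has the same property. Confirm against the installed unit file before changing either handler.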
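Review bot: The new `Push ipv6 firewall config` task installs the rendered file and notifies a restart without checking that the ruleset parses, so a rendering problem (an `ssh.port` value ip6tables rejects, a stray line) surfaces only when the handler restarts the service, when the old rules may already be gone. The template module's `validate` option runs a command against the rendered temporary file and leaves the destination untouched on failure; `ip6tables-restore --test %s` is a parse-only run (use the absolute path if the module on your controller version requires one). While touching the task, the `key=value` argument string is the legacy form; block YAML for module arguments is the current Ansible convention, and the ipv4 task above it would benefit from the same treatment.
```yaml
- name: Push ipv6 firewall config
  template:
    src: ip6tables.rules.j2
    dest: /etc/iptables/ip6tables.rules
    validate: ip6tables-restore --test %s
  notify:
    - restart ip6tables
```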
@@ -0,0 +1,27 @@
+# {{ ansible_managed }}
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -m rpfilter -j ACCEPT
+-A PREROUTING -j DROP
+COMMIT
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+:TCP - [0:0]
+:UDP - [0:0]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
+-A INPUT -p ipv6-icmp --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT
+-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
+-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
+-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+{% if ssh.enable_sshd %}
+-A TCP -p tcp -m tcp --dport {{ ssh.port }} -j ACCEPT
+{% endif %}
+COMMIT
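Review bot: The ICMPv6 rules in the filter section accept only link-local sources (`-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT`) and echo requests, so Neighbor Solicitation sent for Duplicate Address Detection, which carries the unspecified source `::`, and NS/NA from neighbors that source them from a global address fall through to the final REJECT; as far as I can tell the kernel marks Neighbor Discovery as untracked rather than RELATED, so the conntrack rules do not catch them either. The effect is that other hosts cannot detect an address clash with this one and neighbor reachability can fail intermittently. Accepting the ND types explicitly ahead of the fe80::/10 rule, e.g. `-A INPUT -p ipv6-icmp --icmpv6-type 135 -m hl --hl-eq 255 -j ACCEPT` and `-A INPUT -p ipv6-icmp --icmpv6-type 136 -m hl --hl-eq 255 -j ACCEPT`, keeps address configuration working while the hop-limit check preserves the off-link protection ND already relies on (RFC 4890 lists types 133-136 as not to be filtered). The numeric types match the `128` already used in the file.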