
ansible-ipset

An Ansible role to install/configure ipset

NOTE: This role will also manage IPTables rules as part of configuring ipset. Any existing IPTables rules WILL be removed.

Related Info

We have also put together a blog post which is related to this role.

Using Block Lists

We have also included the ability to use various IP block lists to generate ipset rules and iptables rules. These can easily be used to block traffic inbound, outbound, or both inbound and outbound.

Current supported block lists:

DShield top 20 block list (https://www.dshield.org/block.txt)
FireHOL IP lists (http://iplists.firehol.org/)
Spamhaus DROP/EDROP lists (https://www.spamhaus.org/drop/)

Enabling supported block lists:

To enable a supported block list, set the corresponding variable to true (all of them default to false):

# Defines if DShield top 20 block lists should be defined from https://www.dshield.org/block.txt
ipset_enable_dshield_block_list: false

# Defines if FireHOL ip lists should be defined from http://iplists.firehol.org/
ipset_enable_firehol_block_list: false

# Defines if Spamhaus block lists should be defined from https://www.spamhaus.org/drop/
ipset_enable_spamhaus_block_list: false

IP Sets Rules Management

We have added functionality to check whether a rule set with the same name already exists. If it does, a temporary rule set is created and populated; once population has completed, the existing rule set is swapped with the temporary one, and the temporary rule set is then destroyed. This ensures there is no period in which all rules are flushed and then repopulated, which would otherwise leave a short window with no protection.
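The swap procedure above, and the block list loading described under "Using Block Lists", can be expressed as a single `ipset restore` script: load the feed into a temporary set, then `swap` it with the live set so rules that reference the live name never see an empty set. The following shell function is an added example and is not the role's own code; the function names, the constructed sample feed, and the choice of `hash:net family inet hashsize 1024 maxelem 1000111222` (the header shown in the listing below, reused so that `swap` sees two compatible sets) are this example's assumptions. Feed lines are reduced to their first field and rejected unless they look like an IPv4 address or network, so a malformed or tampered feed line cannot inject extra commands into the restore stream.

```shell
#!/bin/sh
# Added example, not part of the ansible-ipset role.
# Emit an `ipset restore` script that fills a temporary set from CIDR lines
# on stdin and atomically swaps it into place of SETNAME.
#
# Usage: ipset_swap_script SETNAME < block_list.txt | ipset -exist restore
# (-exist makes `create` of an already present set and duplicate `add`s
#  non-fatal, so the same script works on the first and every later run.)

SET_HEADER='hash:net family inet hashsize 1024 maxelem 1000111222'  # assumed header

ipset_swap_script() {
    set_name=$1
    tmp_name="${set_name}_tmp"

    # Both sets need the same type and header or `swap` is refused.
    printf 'create %s %s\n' "$set_name" "$SET_HEADER"
    printf 'create %s %s\n' "$tmp_name" "$SET_HEADER"
    printf 'flush %s\n' "$tmp_name"   # only the temporary set is ever flushed

    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and feed comments
        esac
        # Keep the first whitespace-separated field ("net # note" style lines);
        # set -f stops the unquoted expansion from globbing.
        set -f; set -- $line; set +f
        cidr=$1
        # Allow only digits, dots and a slash: an IPv4 host or network.
        case "$cidr" in
            ''|*[!0-9./]*) printf 'skipping bad entry: %s\n' "$cidr" >&2; continue ;;
        esac
        printf 'add %s %s\n' "$tmp_name" "$cidr"
    done

    # swap is atomic: iptables rules using $set_name switch from the old
    # members to the new ones in one step, with no empty-set window.
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"   # now holds the old members
}

# Constructed sample feed (not real feed content): a comment, two entries,
# a commented entry and a junk line that must be skipped.
sample_block_list='# constructed sample
10.0.0.0/8
192.0.2.0/24 # documentation range
bad;line'

# Stand-alone run: print the restore script for the sample feed.
print_sample_script() {
    printf '%s\n' "$sample_block_list" | ipset_swap_script dshield_block_list
}

print_sample_script
```

Piping the output into `ipset -exist restore` performs the whole update as one session; the live set is never flushed, and the only observable change for the iptables `match-set` rules is the member list changing at the `swap` line.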

Requirements

The following requirements MUST be met on the Ansible host that is executing this role:

Role Variables

defaults/main.yml

Dependencies

Example Playbook

playbook.yml

Examples

Example ipset list

Displaying the list of ipset rule names:

vagrant@node0:~$ sudo ipset list -n
safe_input
dshield_block_list
firehol_block_list
spamhaus_drop_block_list
spamhaus_edrop_block_list

Displaying the complete list of ipset rules:

NOTE: This list is just an example and does not show all of the ipset rules shown above.

vagrant@node0:~$ sudo ipset list
Name: safe_input
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1000111222
Size in memory: 448
References: 1
Members:
10.0.0.0/8

Name: dshield_block_list
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 1000111222
Size in memory: 1664
References: 4
Members:
85.93.20.0/24
5.188.203.0/24
104.236.178.0/24
77.72.85.0/24
77.72.82.0/24
181.214.87.0/24
5.188.11.0/24
46.29.162.0/24
141.212.122.0/24
80.82.77.0/24
180.97.106.0/24
185.35.62.0/24
216.158.238.0/24
5.188.86.0/24
191.101.167.0/24
93.174.93.0/24
109.248.9.0/24
5.188.10.0/24
80.82.70.0/24
196.52.43.0/24

Example iptables list

vagrant@node0:~$ sudo iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  824  666K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_block_list src
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set firehol_block_list src
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop_block_list src
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop_block_list src
    1    44 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,2202,2222 ctstate NEW match-set safe_input src
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
  733 61601 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set dshield_block_list dst
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set firehol_block_list dst
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_drop_block_list dst
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set spamhaus_edrop_block_list dst
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
   12   808 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,123 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443 ctstate NEW
    0     0 LOGGING-DROPPED  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING-DROPPED (10 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 2/min burst 5 LOG flags 0 level 4 prefix "IPTables-Dropped: "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

License

MIT

Author Information

Larry Smith Jr.

Jeroen Ketelaar

ansible-ipset's People

Contributors

goetzk, jketelaar, mrlesmithjr


ansible-ipset's Issues

Skip Creating ipset systemd Service with --check

When run with --check the role currently fails due to this systemd config related error:

TASK [ansible-ipset : services | Creating ipset systemd Service] *********************************************************************************************
fatal: [bastion-00.sc.tpac.org.au]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: 'dict object' has no attribute 'stdout'"}

set_facts reports ok.

TASK [ansible-ipset : set_facts | Setting Debian Facts] ******************************************************************************************************
ok: [bastion-00.sc.tpac.org.au]

Generates invalid iptables rules without warning

Hi,
The iptables generation bit can be run with invalid data which then causes the rules loading further down to fail.

- name: configure | Generating IPTables Rules {{ ipset_iptables_config_file }}

- name: configure | Restoring IPTables Rules {{ ipset_iptables_config_file }}

I'm not sure of the specifics but adding something like validate: /usr/sbin/iptables-restore --test %s might be enough to make it pass.

Option to Log successful connections

Hi,

In my local tree I hacked in logging of successful connections. I'd like to see this upstreamed - could you offer some guidance as to how you'd like it done?

diff --git a/templates/iptables.j2 b/templates/iptables.j2
index b6dab71..0182321 100644
--- a/templates/iptables.j2
+++ b/templates/iptables.j2
@@ -6,6 +6,7 @@
 {% if ipset_iptables_log_dropped %}
 -N {{ ipset_iptables_log_dropped_chain }}
 -A {{ ipset_iptables_log_dropped_chain }} -m limit --limit {{ ipset_iptables_log_dropped_limit }} -j LOG --log-prefix "{{ ipset_iptables_log_dropped_prefix }}: " --log-level {{ ipset_iptables_log_dropped_level }}
+-A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -j LOG --log-prefix "Connection established: "
 -A {{ ipset_iptables_log_dropped_chain }} -j DROP
 {% endif %}
 {% if ipset_iptables_default_input_policy|upper != "ACCEPT" %}
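Review bot: the new `-A OUTPUT ... -j LOG` line is placed inside the `{% if ipset_iptables_log_dropped %}` block, between the LOG and DROP rules of `{{ ipset_iptables_log_dropped_chain }}`, so it is only rendered when dropped-logging is enabled and it splits that chain's definition; move it out of this block under its own switch (for example an `ipset_iptables_log_established` variable with its own prefix, level and limit variables, mirroring the dropped-logging ones) and place it with the other OUTPUT rules. Unlike the neighbouring LOG rule it carries no `-m limit --limit ...`, so a burst of handshakes produces one kernel log line each; add the same rate limit. Also note what the match selects: `--tcp-flags SYN,ACK SYN,ACK` on OUTPUT logs the host's reply to inbound connections it accepted, not outbound connections it opened, so the option's documentation should say so.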

https://github.com/goetzk/ansible-ipset/tree/local-workarounds
