From 13d12faa86a4f647f47b7f42a8b86e751066465f Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Sun, 24 Nov 2019 19:10:21 -0600
Subject: [PATCH] Add iptable SSH whitelist

---
 roles/firewall/defaults/main.yaml | 2 ++
 roles/firewall/templates/ip6tables.j2 | 8 +++++++-
 roles/firewall/templates/iptables.j2 | 8 +++++++-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/roles/firewall/defaults/main.yaml b/roles/firewall/defaults/main.yaml
index 52cad21..c258cbe 100644
--- a/roles/firewall/defaults/main.yaml
+++ b/roles/firewall/defaults/main.yaml
@@ -64,6 +64,8 @@ firewall_limit_ssh_hitcount: 10
 firewall_bogon_interface: "{{ ansible_default_ipv4.interface }}"
+firewall_ssh_whitelist: {}
+
 # ipset's
 firewall_ipset_cooloff_timeout: 600
diff --git a/roles/firewall/templates/ip6tables.j2 b/roles/firewall/templates/ip6tables.j2
index c572395..94a9450 100644
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@@ -50,12 +50,18 @@
 -A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
--A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
+{% if firewall_ssh_whitelist.v6 %}
+{% for ip in firewall_ssh_whitelist.v6 %}
+-A INPUT -p tcp -m tcp --dport 22 --source {{ ip }} -m comment --comment "accept {{ ip }} ssh 22/tcp6" -j ACCEPT
+{% endfor %}
+{% endif %}
 {% if firewall_ipset_mgmt.v6 is defined %}
 -A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v6 src -m comment --comment "accept mgmt ssh 22/tcp6" -j ACCEPT
 {% endif %}
+-A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP
+
 {% if firewall_ipset_blacklist.v6 is defined %}
 -A INPUT -m set --match-set mgmt_v6 src -m comment --comment "drop blacklist inet6" -j LOG_DROP
 {% endif %}
diff --git a/roles/firewall/templates/iptables.j2 b/roles/firewall/templates/iptables.j2
index 9be97c9..9e109e6 100644
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
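Review bot: `firewall_ssh_whitelist: {}` hands the templates a mapping with neither a `v4` nor a `v6` key, yet the ip6tables.j2 and iptables.j2 hunks read `firewall_ssh_whitelist.v6` / `.v4` directly, so the shape a user is expected to supply is not stated anywhere in the defaults. Declaring both keys as empty lists documents the contract and keeps the template guards well-defined: `firewall_ssh_whitelist:` / `  v4: []` / `  v6: []`. A one-line comment above it, such as `# Source addresses allowed to reach SSH (22/tcp) ahead of the mgmt ipset rule; keys v4 and v6 each hold a list of addresses`, would tell the reader where these entries land in the chain. The templates pass each entry straight into `--source`, so whether prefix notation is acceptable is worth stating in that comment once confirmed.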
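Review bot: The INVALID-state drop now sits below the new whitelist accepts and the mgmt-set accept, so port-22 packets from a whitelisted (or mgmt-set) source that conntrack marks INVALID are accepted where the old ordering dropped them first; unless that is intended, keep `-A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP` directly after the `lo` accept and place the whitelist block beneath it. The guard `{% if firewall_ssh_whitelist.v6 %}` also departs from the `is defined` test used for `firewall_ipset_mgmt.v6` a few lines later; with the role default `firewall_ssh_whitelist: {}` the `v6` key is absent, and Ansible's strict handling of undefined values will most likely fail the render rather than treat it as false, so `{% if firewall_ssh_whitelist.v6 is defined %}` (or a default that declares `v4: []` and `v6: []`) is the safer form. Since `{% for %}` over an empty list emits nothing, the outer `if` only matters for that undefined case. The same two points apply to the iptables.j2 hunk. Unrelated to this change but visible in the context: the blacklist rule at the bottom matches `--match-set mgmt_v6` under `firewall_ipset_blacklist.v6`, which looks like a copy-paste slip worth a follow-up.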
@@ -50,12 +50,18 @@
 -A INPUT -i lo -m comment --comment "lo accept all" -j ACCEPT
--A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
+{% if firewall_ssh_whitelist.v4 %}
+{% for ip in firewall_ssh_whitelist.v4 %}
+-A INPUT -p tcp -m tcp --dport 22 --source {{ ip }} -m comment --comment "accept {{ ip }} ssh 22/tcp" -j ACCEPT
+{% endfor %}
+{% endif %}
 {% if firewall_ipset_mgmt.v4 is defined %}
 -A INPUT -p tcp -m tcp --dport 22 -m set --match-set mgmt_v4 src -m comment --comment "accept mgmt ssh 22/tcp" -j ACCEPT
 {% endif %}
+-A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP
+
 {% if firewall_ipset_blacklist.v4 is defined %}
 -A INPUT -m set --match-set mgmt_v4 src -m comment --comment "drop blacklist" -j LOG_DROP
 {% endif %}