ryanc/ansible
1
0
Fork 0
Code Issues 4 Pull Requests Releases Wiki Activity

DNS firewall rules

Browse Source
This commit is contained in:
Ryan Cavicchioni
2020-09-20 22:40:03 -05:00
parent 9e0ada65f2
commit c7d8b074cf
2 changed files with 17 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
roles/firewall/templates/ip6tables.j2
View File

@@ -48,11 +48,14 @@
-A ICMP_FLOOD -j ACCEPT -A ICMP_FLOOD -j ACCEPT
{% endif %} {% endif %}
{% if firewall_dns_whitelist is defined %} {% if firewall_dns_whitelist is defined and
firewall_dns_whitelist | length %}
-N ACCEPT_DNS -N ACCEPT_DNS
-A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp6" -j LOG_ACCEPT {% for ip in firewall_dns_whitelist | ipv6 %}
-A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp6" -j LOG_ACCEPT -A ACCEPT_DNS -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j LOG_ACCEPT
-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop inet6" -j LOG_DROP -A ACCEPT_DNS -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j LOG_ACCEPT
{% endfor %}
-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP
{% endif %} {% endif %}
-A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT -A INPUT -i lo -m comment --comment "lo accept all inet6" -j ACCEPT
@@ -69,10 +72,8 @@
{% if firewall_dns_whitelist is defined and {% if firewall_dns_whitelist is defined and
firewall_dns_whitelist | length %} firewall_dns_whitelist | length %}
{% for ip in firewall_dns_whitelist | ipv6 %} -A INPUT -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j ACCEPT_DNS
-A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp6" -j ACCEPT_DNS -A INPUT -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j ACCEPT_DNS
-A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp6" -j ACCEPT_DNS
{% endfor %}
{% endif %} {% endif %}
-A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP -A INPUT -m state --state INVALID -m comment --comment "drop invalid inet6" -j DROP

15
roles/firewall/templates/iptables.j2
View File

@@ -48,10 +48,13 @@
-A ICMP_FLOOD -j ACCEPT -A ICMP_FLOOD -j ACCEPT
{% endif %} {% endif %}
{% if firewall_dns_whitelist is defined %} {% if firewall_dns_whitelist is defined and
firewall_dns_whitelist | length %}
-N ACCEPT_DNS -N ACCEPT_DNS
-A ACCEPT_DNS -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j LOG_ACCEPT {% for ip in firewall_dns_whitelist | ipv4 %}
-A ACCEPT_DNS -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j LOG_ACCEPT -A ACCEPT_DNS -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j LOG_ACCEPT
-A ACCEPT_DNS -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j LOG_ACCEPT
{% endfor %}
-A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP -A ACCEPT_DNS -m comment --comment "ACCEPT_DNS default drop" -j LOG_DROP
{% endif %} {% endif %}
@@ -69,10 +72,8 @@
{% if firewall_dns_whitelist is defined and {% if firewall_dns_whitelist is defined and
firewall_dns_whitelist | length %} firewall_dns_whitelist | length %}
{% for ip in firewall_dns_whitelist | ipv4 %} -A INPUT -m tcp -p tcp --dport 53 -m comment --comment "accept dns 53/tcp" -j ACCEPT_DNS
-A INPUT -m tcp -p tcp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/tcp" -j ACCEPT_DNS -A INPUT -m udp -p udp --dport 53 -m comment --comment "accept dns 53/udp" -j ACCEPT_DNS
-A INPUT -m udp -p udp --dport 53 --source {{ ip }} -m comment --comment "accept {{ ip }} dns 53/udp" -j ACCEPT_DNS
{% endfor %}
{% endif %} {% endif %}
-A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP -A INPUT -m state --state INVALID -m comment --comment "drop invalid" -j DROP