From 6f436dde605a42bee4c9fdc2781d582804b210a4 Mon Sep 17 00:00:00 2001
From: Kristijan Mitrovic
Date: Fri, 26 Jun 2020 14:24:55 +0200
Subject: [PATCH] Fix iptables entries again
---
 .../tasks/algo_firewall.yml} | 38 ++++++++++---------
 .../ansible/roles/algo/tasks/main.yml | 4 ++
 .../ansible/roles/finalizer/tasks/main.yml | 7 ++--
 .../ansible/roles/mitmproxy/tasks/main.yml | 2 -
 .../packer/roles/firewall/tasks/rules.yml | 12 +++---
 5 files changed, 34 insertions(+), 29 deletions(-)
 rename bubble-server/src/main/resources/ansible/roles/{finalizer/tasks/firewall.yml => algo/tasks/algo_firewall.yml} (56%)
diff --git a/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/firewall.yml b/bubble-server/src/main/resources/ansible/roles/algo/tasks/algo_firewall.yml
similarity index 56%
rename from bubble-server/src/main/resources/ansible/roles/finalizer/tasks/firewall.yml
rename to bubble-server/src/main/resources/ansible/roles/algo/tasks/algo_firewall.yml
index 59cbbe05..145c7cbb 100644
--- a/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/firewall.yml
+++ b/bubble-server/src/main/resources/ansible/roles/algo/tasks/algo_firewall.yml
@@ -3,39 +3,41 @@
 #
 # Insert additional firewall rules to allow required services to function
 # Insert them all on rule_num 5, and insert them in reverse order here:
-- name: Allow HTTPS on port {{ item }}
+- name: Allow SSH
 iptables:
 chain: INPUT
- action: used_iptabples_action
- rule_num: 5
 protocol: tcp
- destination_port: {{ item }}
+ destination_port: 22
 ctstate: NEW
 syn: match
 jump: ACCEPT
- comment: Accept new HTTPS ({{ item }}) connections
- with_items:
- - 1443
- - 443
+ comment: Accept new SSH connections
 become: yes
-- name: Allow HTTP on port {{ item }}
+- name: "Allow HTTP on port {{ item }}"
 iptables:
 chain: INPUT
- action: used_iptabples_action
- rule_num: 5
 protocol: tcp
- destination_port: {{ item }}
+ destination_port: "{{ item }}"
 ctstate: NEW
 syn: match
 jump: ACCEPT
- comment: Accept new HTTP ({{ item }}) connections
+ comment: "Accept new HTTP ({{ item }}) connections"
 with_items:
- - 1080
 - 80
+ - 1080
 become: yes
-- name: Restart iptables
- service:
- name: netfilter-persistent
- state: restarted
+- name: "Allow HTTPS on port {{ item }}"
+ iptables:
+ chain: INPUT
+ protocol: tcp
+ destination_port: "{{ item }}"
+ ctstate: NEW
+ syn: match
+ jump: ACCEPT
+ comment: "Accept new HTTPS ({{ item }}) connections"
+ with_items:
+ - 443
+ - 1443
+ become: yes
diff --git a/bubble-server/src/main/resources/ansible/roles/algo/tasks/main.yml b/bubble-server/src/main/resources/ansible/roles/algo/tasks/main.yml
index 5efbe0f6..84120dac 100644
--- a/bubble-server/src/main/resources/ansible/roles/algo/tasks/main.yml
+++ b/bubble-server/src/main/resources/ansible/roles/algo/tasks/main.yml
@@ -16,3 +16,7 @@
 - name: Run algo playbook to install algo
 shell: /root/ansible/roles/algo/algo/install_algo.sh
 tags: algo_related
+
+# Algo installation clears out iptable rules. Add needed bubble rules back:
+- include: algo_firewall.yml
+ tags: algo_related
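Review bot: The new `Allow SSH` task re-opens port 22 unconditionally, while the packer rules.yml hunk in this same patch gates its SSH rule on `when: fw_enable_ssh`; if that variable is in scope for the algo role, add `when: fw_enable_ssh` to the task so the post-algo re-add does not widen exposure on nodes that had SSH disabled. Dropping `action`/`rule_num` also changes where the rules land: without `rule_num` the iptables module appends, so if algo leaves a terminal DROP or REJECT in INPUT these ACCEPT rules sit after it and never match — the removed finalizer include appears to have chosen `insert` deliberately on fresh installs, so this is worth verifying on a fresh node, and the same applies to the `action: insert`/`rule_num: 5` removal in the mitmproxy hunk. The header comment `# Insert them all on rule_num 5, and insert them in reverse order here:` no longer describes the code; replace it with `# Re-add the bubble INPUT rules that the algo install flushes; with no rule_num they are appended in this order.`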
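Review bot: `- include: algo_firewall.yml` uses the deprecated include form; in new code prefer `- import_tasks: algo_firewall.yml`. As I understand tag handling for dynamic includes, the `tags: algo_related` on the include line applies only to the include task itself and is not inherited by the tasks in algo_firewall.yml, so a run limited to `--tags algo_related` would execute the install script but skip re-adding the firewall rules; `import_tasks` propagates the tag to every imported task, which is the behaviour the comment above the include describes.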
diff --git a/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/main.yml b/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/main.yml
index fd064b46..25fcf100 100644
--- a/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/main.yml
+++ b/bubble-server/src/main/resources/ansible/roles/finalizer/tasks/main.yml
@@ -25,9 +25,10 @@
 src: "supervisor_bubble.conf.j2"
 dest: /etc/supervisor/conf.d/bubble.conf
-- include: firewall.yml
- vars:
- used_iptabples_action: "{{ 'append' if restore_key is defined else 'insert' }}"
+- name: Restart iptables
+ service:
+ name: netfilter-persistent
+ state: restarted
 # We cannot receive notifications until nginx is running, so start bubble API as the very last step
 - name: reload supervisord
diff --git a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
index 7ba528ea..433e9b24 100644
--- a/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
+++ b/bubble-server/src/main/resources/ansible/roles/mitmproxy/tasks/main.yml
@@ -34,8 +34,6 @@
 - name: Allow MITM private port
 iptables:
 chain: INPUT
- action: insert
- rule_num: 5
 protocol: tcp
 destination_port: 8888
 ctstate: NEW
diff --git a/bubble-server/src/main/resources/packer/roles/firewall/tasks/rules.yml b/bubble-server/src/main/resources/packer/roles/firewall/tasks/rules.yml
index e97c6e08..cd98059a 100644
--- a/bubble-server/src/main/resources/packer/roles/firewall/tasks/rules.yml
+++ b/bubble-server/src/main/resources/packer/roles/firewall/tasks/rules.yml
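Review bot: `state: restarted` on `netfilter-persistent` reloads the ruleset saved on disk; to my reading it does not save the rules the earlier tasks added at runtime, so unless a `netfilter-persistent save` (or equivalent) runs before this task, the restart can replace the live INPUT rules just added by the algo and mitmproxy roles with whatever was last persisted. If persisting the new rules is the intent, run `command: netfilter-persistent save` immediately before this task; if it is not, the restart adds nothing and could be dropped. The new task also carries no `become`, whereas the iptables tasks the removed include pulled in were `become: yes`; add `become: true` unless the play already runs privileged (not visible from this hunk).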
@@ -29,30 +29,30 @@
 become: yes
 when: fw_enable_ssh
-- name: Allow HTTP on port {{ item }}
+- name: "Allow HTTP on port {{ item }}"
 iptables:
 chain: INPUT
 protocol: tcp
- destination_port: {{ item }}
+ destination_port: "{{ item }}"
 ctstate: NEW
 syn: match
 jump: ACCEPT
- comment: Accept new HTTP ({{ item }}) connections
+ comment: "Accept new HTTP ({{ item }}) connections"
 with_items:
 - 80
 - 1080
 become: yes
 when: fw_enable_http
-- name: Allow HTTPS on port {{ item }}
+- name: "Allow HTTPS on port {{ item }}"
 iptables:
 chain: INPUT
 protocol: tcp
- destination_port: {{ item }}
+ destination_port: "{{ item }}"
 ctstate: NEW
 syn: match
 jump: ACCEPT
- comment: Accept new HTTPS ({{ item }}) connections
+ comment: "Accept new HTTPS ({{ item }}) connections"
 with_items:
 - 443
 - 1443