From eac172ab6c633a2d3a6ef82248136691bd18a5ca Mon Sep 17 00:00:00 2001
From: Max Kratz
Date: Sun, 21 Apr 2024 10:50:29 +0200
Subject: [PATCH 1/2] Adds UFW Docker workaround + allows default ports to any
---
 infra.yaml | 3 ++
 roles/firewall-block/tasks/main.yml | 84 +++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+)
 create mode 100644 roles/firewall-block/tasks/main.yml
diff --git a/infra.yaml b/infra.yaml
index 17a3e36..7bfd2d3 100644
--- a/infra.yaml
+++ b/infra.yaml
@@ -26,3 +26,6 @@ become: true
 - role: swap
 become: true
+ - role: firewall-block
+ when: "role_config.firewall_enable"
+ become: true
diff --git a/roles/firewall-block/tasks/main.yml b/roles/firewall-block/tasks/main.yml
new file mode 100644
index 0000000..fe9ad2c
--- /dev/null
+++ b/roles/firewall-block/tasks/main.yml
@@ -0,0 +1,84 @@
+---
+- name: Install UFW
+ ansible.builtin.apt:
+ pkg:
+ - ufw
+
+- name: Enable UFW Docker forwarding
+ ansible.builtin.blockinfile:
+ path: /etc/ufw/after.rules
+ append_newline: true
+ prepend_newline: true
+ block: |
+ # BEGIN UFW AND DOCKER
+ *filter
+ :ufw-user-forward - [0:0]
+ :ufw-docker-logging-deny - [0:0]
+ :DOCKER-USER - [0:0]
+ -A DOCKER-USER -j ufw-user-forward
+
+ -A DOCKER-USER -j RETURN -s 10.0.0.0/8
+ -A DOCKER-USER -j RETURN -s 172.16.0.0/12
+ -A DOCKER-USER -j RETURN -s 192.168.0.0/16
+
+ -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
+ -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
+ -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12
+
+ -A DOCKER-USER -j RETURN
+
+ -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+ -A ufw-docker-logging-deny -j DROP
+
+ COMMIT
+ # END UFW AND DOCKER
+
+- name: Restart UFW
+ ansible.builtin.shell:
+ cmd: ufw reload
+
+# ufw route insert 1 allow proto tcp from any to any port 80
+- name: Allow port 22
+ community.general.ufw:
+ rule: allow
+ port: 22
+ proto: tcp
+ insert: 1
+ route: true
+
+- name: Allow port 80
+ community.general.ufw:
+ rule: allow
+ port: 80
+ proto: tcp
+ insert: 2
+ route: true
+
+- name: Allow port 443
+ community.general.ufw:
+ rule: allow
+ port: 443
+ proto: tcp
+ insert: 3
+ route: true
+
+- name: Allow port 9100
+ community.general.ufw:
+ rule: allow
+ port: 9100
+ proto: tcp
+ insert: 4
+ route: true
+
+- name: Allow port 50001
+ community.general.ufw:
+ rule: allow
+ port: 50001
+ proto: tcp
+ insert: 5
+ route: true
From 6c8e1cc719bb44dec1d20f95efda1c0e0f23116d Mon Sep 17 00:00:00 2001
From: Max Kratz
Date: Sun, 21 Apr 2024 11:04:29 +0200
Subject: [PATCH 2/2] Blocks some IPs
---
 inventory/group_vars/all.yml | 8 ++++++++
 roles/firewall-block/tasks/main.yml | 20 ++++++++++++++++++++
 2 files changed, 28 insertions(+)
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index de798b7..0f8135e 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -40,3 +40,11 @@ forgejo_release: "1.21.11-1"
 swap_size: "2048"
 swap_file: "/swapfile"
+
+ #
+ # Blocked IPs
+ #
+
+ blocked_ips:
+ - 47.76.99.127
+ - 47.76.209.138
diff --git a/roles/firewall-block/tasks/main.yml b/roles/firewall-block/tasks/main.yml
index fe9ad2c..f6d3204 100644
--- a/roles/firewall-block/tasks/main.yml
+++ b/roles/firewall-block/tasks/main.yml
@@ -82,3 +82,23 @@
 proto: tcp
 insert: 5
 route: true
+
+ #
+ # Block IPs from list
+ #
+
+ - name: Block IP (normal)
+ community.general.ufw:
+ rule: deny
+ insert: 1
+ route: true
+ src: '{{ item }}'
+ loop: "{{ blocked_ips }}"
+
+ - name: Block IP (fwd)
+ community.general.ufw:
+ rule: deny
+ insert: 1
+ route: false
+ src: '{{ item }}'
+ loop: "{{ blocked_ips }}"
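Review bot: The reload step at `ansible.builtin.shell: cmd: ufw reload` runs on every play, reports changed every time, and only reloads a firewall that is already active — nothing in this new file enables UFW or sets its default policy, so unless another role does, the after.rules block and the route rules are written but not enforced. Register the blockinfile result and gate the reload on it, using the ufw module the file already relies on instead of a shell call; the rewrite is below. Note also that every allow rule here carries `route: true`, so it governs only forwarded (container) traffic; if UFW is later enabled with its default deny-incoming policy there is no host-level allow for the SSH port, which would cut off the control connection — confirm where sshd listens before enabling. The `# BEGIN UFW AND DOCKER` / `# END UFW AND DOCKER` lines inside `block:` duplicate blockinfile's own marker lines and can be dropped.
```yaml
- name: Enable UFW Docker forwarding
  ansible.builtin.blockinfile:
    # … unchanged: path, append_newline, prepend_newline, block …
  register: ufw_after_rules

- name: Reload UFW
  community.general.ufw:
    state: reloaded
  when: ufw_after_rules is changed
```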
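Review bot: The task names at `- name: Block IP (normal)` and `- name: Block IP (fwd)` are swapped relative to their `route:` values: in community.general.ufw, `route: true` produces a `ufw route` rule for forwarded (container) traffic and `route: false` a plain rule for the host's own inbound traffic, so the task labelled "(normal)" is actually the forwarded case. Rename them, e.g. `- name: Block IP (host)` for the `route: false` task and `- name: Block IP (forwarded)` for the `route: true` task, so anyone matching firewall logs to tasks is not misled. Because each loop iteration uses `insert: 1`, the final rule order is the reverse of `blocked_ips`; that is harmless for deny-by-source rules but deserves a one-line comment above the loop. The `blocked_ips` entries added to inventory/group_vars/all.yml in this same patch carry no recorded reason or date; a comment such as `# added YYYY-MM-DD: <reason>` beside each address makes it possible to decide later whether the block can be lifted.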