
Location: majic-ansible-roles/roles/common/templates/00-base.conf.j2

branko
MAR-12: Updated the common role to deploy ferm, and set up a basic firewall allowing incoming SSH and ICMP echo requests (ping).
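# Base firewall rules deployed by the common role (ferm syntax, rendered from
# a Jinja2 template). Only the IPv4 "filter" table is configured here; ferm's
# default domain is "ip", so IPv6 traffic is not governed by these rules unless
# an ip6 domain is configured elsewhere — confirm per host.
table filter {
    chain INPUT {
        # Default deny: anything not explicitly accepted below is dropped.
        policy DROP;
        interface lo ACCEPT;
        # Make sure not to allow flooding via ICMP ping packets by sending them
        # to the flood chain before the state module kicks in.
        proto icmp icmp-type echo-request jump flood;
        mod state state (ESTABLISHED RELATED) ACCEPT;
        # For TCP packets we perform flood checks after the state module took
        # care of established and related connections, so only new-connection
        # SYNs (SYN set, FIN/RST/ACK clear) are rate-limited.
        proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
        # Accept some common incoming connections. Packets reaching this point
        # have already RETURNed from the flood chain within the allowed rate.
        proto icmp icmp-type echo-request ACCEPT;
        proto tcp dport 22 ACCEPT;
    }

    # The flood chain is used for controlling the rate of incoming connections.
    # Each rule keeps a per-source-IP hashlimit bucket: packets within the
    # configured rate/burst RETURN to INPUT, anything above it is dropped.
    # The two buckets use distinct hashlimit-name values so that ping traffic
    # and TCP SYN traffic from the same source are accounted for independently
    # (the original template named both buckets "icmp", so a ping flood would
    # also exhaust the TCP budget and vice versa).
    chain flood {
        # Rate-limit the ping requests. No LOG here, presumably to keep ping
        # floods out of the system log — confirm this is intended.
        proto icmp icmp-type echo-request {
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                hashlimit-mode srcip hashlimit-name icmp RETURN;
            DROP;
        }
        # Rate-limit new TCP connections. The bucket is named "tcp" so it is
        # not shared with the ping rule above.
        proto tcp tcp-flags (FIN SYN RST ACK) SYN {
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                hashlimit-mode srcip hashlimit-name tcp RETURN;
            # Log over-limit SYNs, but throttle the LOG target itself so a
            # SYN flood cannot also flood the log; the prefix makes the
            # entries easy to pick out in log monitoring.
            mod limit limit 5/min LOG log-prefix "ferm-flood-tcp: ";
            DROP;
        }
    }

}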