diff --git a/playbook/roles/olimex-board/tasks/main.yml b/playbook/roles/olimex-board/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..18f8bf03942c991b5dabd6d77c5a6479b22b8f15
--- /dev/null
+++ b/playbook/roles/olimex-board/tasks/main.yml
@@ -0,0 +1,17 @@
+- name: Install iptables
+ apt:
+ name: iptables
+ state: present
+
+- name: Set firewall config file path
+ set_fact:
+ setup_olimex_firewall_path: /usr/bin/setup-olimex-firewall
+
+- name: Add script to boot firewall
+ template:
+ src: iptables.j2
+ dest: "{{ setup_olimex_firewall_path }}"
+ mode: 755
+
+- name: Include setup-olimex-firewall at reboot on cron
+ cron: name="Setup firewall on reboot" special_time=reboot job="sleep 30 && {{ setup_olimex_firewall_path }}"
diff --git a/playbook/roles/olimex-board/templates/iptables.j2 b/playbook/roles/olimex-board/templates/iptables.j2
new file mode 100644
index 0000000000000000000000000000000000000000..4a4afc89a7288ec641621c8197a7e71da41230e9
--- /dev/null
+++ b/playbook/roles/olimex-board/templates/iptables.j2
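Review bot: `mode: 755` on the template task is an unquoted integer, which Ansible interprets as decimal 755 (octal 1363), so the firewall script that cron later runs at boot ends up group- and world-writable — any other account on the board can edit a script executed with root rights; it should be `mode: "0755"` together with `owner: root` and `group: root`. The cron job is also delayed by `sleep 30 && ...`, which leaves the default ACCEPT policies in force for the first half minute after every boot; persisting the rule set (iptables-persistent/netfilter-persistent) or running the script from a unit ordered before networking would remove that window. The cron task is the only one in the file written in `key=value` form; block YAML keys would match the surrounding tasks.
```yaml
# … unchanged: apt and set_fact tasks …

- name: Add script to boot firewall
  template:
    src: iptables.j2
    dest: "{{ setup_olimex_firewall_path }}"
    owner: root
    group: root
    mode: "0755"

- name: Include setup-olimex-firewall at reboot on cron
  cron:
    name: "Setup firewall on reboot"
    special_time: reboot
    job: "sleep 30 && {{ setup_olimex_firewall_path }}"
```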
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# We want to close all ports except for those which are used by
+# re6stnet and SSH (to be able to keep a connection to the board).
+
+echo "Update firewall. Close all ports except SSH ports."
+
+# Remove all existing rules
+iptables -F
+
+# Allow SSH access
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# Set default drop policy
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+ip6tables -P INPUT DROP
+ip6tables -P OUTPUT DROP
+ip6tables -P FORWARD DROP
+
+# For additional rules (for instance Wendelin/Fluentd, ...)
+
+{{ iptables_rules }}
+
+# Open Re6stnet ports (if bash file exists)
+RE6STNET_IP6TABLES_CHECK="/usr/bin/re6stnet-ip6tables-check"
+
+if [ -f $RE6STNET_IP6TABLES_CHECK ]; then
+ bash $RE6STNET_IP6TABLES_CHECK
+else
+ echo "No Re6stnet ip6tables check file could be found!"
+ echo "No dedicated re6stnet ports could be opened."
+fi
diff --git a/playbook/wendelin-olimex-iot-gateway.yml b/playbook/wendelin-olimex-iot-gateway.yml
index b1eec8f2915db9974d2640d9d7623db595204b51..897f882c9f3e5594bf93cbd8db20132a86942f42 100644
--- a/playbook/wendelin-olimex-iot-gateway.yml
+++ b/playbook/wendelin-olimex-iot-gateway.yml
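Review bot: The script sets INPUT and OUTPUT to DROP with no exception for the loopback interface, so once it has run nothing on the board can reach itself over 127.0.0.1 or ::1 (a local resolver, a fluentd forwarding to localhost, and so on); `iptables -A INPUT -i lo -j ACCEPT` and `iptables -A OUTPUT -o lo -j ACCEPT`, plus the ip6tables equivalents, belong next to the SSH rules, before the policies are switched. The IPv6 side only gets DROP policies: it is never flushed with `ip6tables -F`, and there is no SSH or ESTABLISHED,RELATED rule for it, so IPv6 access to the board is cut off entirely unless the re6stnet check script opens it — acceptable as a policy, but the header comment should state it. `$RE6STNET_IP6TABLES_CHECK` is unquoted in both the `[ -f ... ]` test and the `bash` call; quoting it is the conventional shell form.
```shell
# Remove all existing rules
iptables -F
ip6tables -F

# Always allow loopback traffic (local services talk to themselves)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow SSH access
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

# … unchanged: default DROP policies, {{ iptables_rules }}, RE6STNET_IP6TABLES_CHECK assignment …

if [ -f "$RE6STNET_IP6TABLES_CHECK" ]; then
  bash "$RE6STNET_IP6TABLES_CHECK"
# … unchanged: else branch …
```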
@@ -6,3 +6,33 @@ - name: a play that runs entirely on the ansible host hosts: 127.0.0.1 connection: local + + vars: + - iptables_rules: | + # We send data to Wendelin via HTTP or HTTPS + + # Only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + # #### Output exceptions #### # + + # Accept DNS + iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT + iptables -A OUTPUT -p udp --dport 53 -j ACCEPT + + # Accept HTTP + iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT + + # Accept HTTPS + iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT + iptables -A OUTPUT -p udp --dport 443 -j ACCEPT + + # To receive data from Sensor + + LISTEN_SENSOR_PORT=24224 + + ip6tables -A INPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT + ip6tables -A INPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT + + roles: + - role: olimex-board diff --git a/playbook/wendelin-olimex-sensor.yml b/playbook/wendelin-olimex-sensor.yml index 4369262d16207df9565b5479c2c763a9931419c9..1ea7bf7d5542ba33deae4fbbd5463557e3b244d0 100644 --- a/playbook/wendelin-olimex-sensor.yml +++ b/playbook/wendelin-olimex-sensor.yml @@ -7,5 +7,17 @@ hosts: 127.0.0.1 connection: local + vars: + - iptables_rules: | + # To send data to IoT-Gateway + + iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT + + LISTEN_SENSOR_PORT=24224 + + ip6tables -A OUTPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT + ip6tables -A OUTPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT + roles: + - role: olimex-board - role: olimex-sensor
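Review bot: The IPv6 rules in `iptables_rules` only open INPUT on port 24224, while the template leaves `ip6tables -P OUTPUT DROP` with no ESTABLISHED,RELATED (or `--sport 24224`) exception on the gateway, and the sensor side in wendelin-olimex-sensor.yml pairs its `ip6tables -A OUTPUT --dport` rules with an `iptables` (IPv4-only) ESTABLISHED rule and no ip6tables INPUT exception, so the TCP handshake replies are dropped in both directions unless the re6stnet check script happens to add them. Adding `ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` and `ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` next to the existing IPv4 INPUT rule in both playbooks would make the data path work without depending on that script; one-way UDP on 24224 is unaffected. Both playbooks also write `vars:` as a list of single-key mappings (`- iptables_rules: |`); the plain mapping form (`vars:` followed by `iptables_rules: |` indented beneath it) is what Ansible documents and is the safer choice across versions. Both hunks' enclosing plays start before the hunk.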