From cfc38e3df1c1cb4fc405438a911a656a8395527e Mon Sep 17 00:00:00 2001
From: Evgeniy Ivanov
Date: Sat, 20 Aug 2016 15:19:46 +0300
Subject: [PATCH] Drop SMB traffic ##61
---
 roles/cloud-digitalocean/tasks/main.yml | 2 ++
 roles/cloud-ec2/tasks/main.yml | 2 ++
 roles/cloud-gce/tasks/main.yml | 2 ++
 roles/dns_adblocking/tasks/main.yml | 2 +-
 roles/security/handlers/main.yml | 5 ++++-
 roles/security/tasks/main.yml | 17 +++++++++++++++++
 6 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml
index 576fd61..7bdee8b 100644
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@@ -34,6 +34,8 @@
 dns_enabled: "{{ dns_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ cloud_provider: digitalocean
+ ipv6_support: yes
 - name: Wait for SSH to become available
 local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"
diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml
index 3c067cc..dd65753 100644
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@@ -72,6 +72,8 @@
 dns_enabled: "{{ dns_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ cloud_provider: ec2
+ ipv6_support: no
 with_items: "{{ ec2.instances }}"
 - name: Wait for SSH to become available
diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml
index 72b1abf..4ab0ee2 100644
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@@ -23,6 +23,8 @@
 dns_enabled: "{{ dns_enabled }}"
 auditd_enabled: " {{ auditd_enabled }}"
 easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+ cloud_provider: gce
+ ipv6_support: no
 - name: Firewall configured
 local_action:
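Review bot: `ipv6_support: yes` in the added cloud-digitalocean line (and `ipv6_support: no` in the matching cloud-ec2 and cloud-gce hunks) uses YAML 1.1 truthy words; Ansible's loader turns them into booleans, but YAML 1.2 tooling and yamllint's `truthy` rule treat them as strings or reject them, so prefer `ipv6_support: true` / `ipv6_support: false`. The value matters for security here: the FORWARD-chain filtering added in the security tasks hunk of this commit is IPv4-only, so this flag is presumably what any IPv6 counterpart would key on, and a canonical boolean avoids a string-comparison surprise if the key is later quoted like the surrounding `"{{ ... }}"` values. The mapping these keys belong to starts before the hunk.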
diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml
index fcc5589..8ff6ed9 100644
--- a/roles/dns_adblocking/tasks/main.yml
+++ b/roles/dns_adblocking/tasks/main.yml
@@ -50,7 +50,7 @@
 to_destination: fcaa::1:53
 ip_version: ipv6
 notify:
- - save iptables
+ - save iptables
 - name: Dnsmasq enabled and started
 service: name=dnsmasq state=started enabled=yes
diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml
index da5c092..2b8e5ad 100644
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@@ -1,5 +1,8 @@
 - name: restart rsyslog
 service: name=rsyslog state=restarted
-
+
+- name: save iptables
+ command: service netfilter-persistent save
+
 - name: flush routing cache
 shell: echo 1 > /proc/sys/net/ipv4/route/flush
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 071f6ff..c9ce055 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -98,3 +98,20 @@
 - name: Do not send ICMP redirects (we are not a router)
 sysctl: name=net.ipv4.conf.all.send_redirects value=0
+
+- name: Drop SMB traffic
+ iptables:
+ table: filter
+ chain: FORWARD
+ protocol: tcp
+ source: 0.0.0.0/0
+ destination: 0.0.0.0/0
+ destination_port: "{{ item }}"
+ jump: DROP
+ action: insert
+ with_items:
+ - 137
+ - 139
+ - 445
+ notify:
+ - save iptables
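Review bot: The new `save iptables` handler runs `service netfilter-persistent save`, which needs the `netfilter-persistent` (iptables-persistent) package on the host, and nothing in this diff shows where it is installed; if it is installed elsewhere the handler is fine, otherwise the first notification fails at the end of the play after the DROP rules were already inserted, leaving them unsaved across a reboot. A comment on the handler naming that dependency would help, e.g. `# needs iptables-persistent (installed by <TASK-NAME-PLACEHOLDER>)`, and since the package ships its own executable the handler can call it directly: `command: netfilter-persistent save`. The dns_adblocking hunk in this commit also notifies `save iptables`; handlers are resolved per play, so that role only reaches this definition when the security role's handlers are loaded in the same play, which is worth confirming because Ansible aborts the run on an unknown handler name.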
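Review bot: The `Drop SMB traffic` task only creates IPv4 rules, because the `iptables` module defaults to `ip_version: ipv4`, while the cloud-digitalocean hunk sets `ipv6_support: yes`, so on those hosts SMB to 139/445 is still forwarded over IPv6 (the dns_adblocking hunk shows the same module already driven with `ip_version: ipv6`). `source: 0.0.0.0/0` and `destination: 0.0.0.0/0` match everything and are the IPv4 default, so dropping them both simplifies the rule and lets one task cover both address families via `with_nested`, as sketched below. NetBIOS name and datagram services run on UDP 137/138, so the `protocol: tcp` match leaves those forwarded; whether that is intended deserves a comment such as `# TCP only: NetBIOS session (139) and SMB (445); UDP 137/138 are not filtered`. Only the three cloud roles set `ipv6_support` in this diff, so either guard it with `| default(false)` as below or confirm a role default exists for other providers. The task is appended at the end of the file; nothing follows it.
```yaml
- name: Drop SMB traffic
  # TCP only: NetBIOS session (139) and SMB (445); UDP 137/138 are not filtered
  iptables:
    table: filter
    chain: FORWARD
    protocol: tcp
    destination_port: "{{ item[0] }}"
    jump: DROP
    action: insert
    ip_version: "{{ item[1] }}"
  with_nested:
    - [137, 139, 445]
    - "{{ ['ipv4', 'ipv6'] if ipv6_support | default(false) else ['ipv4'] }}"
  notify:
    - save iptables
```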