First commit for Spacewalk Ansible roles

roles/iptables/.travis.yml

@@ -0,0 +1,38 @@
+---
+language: python
+python: "2.7"
+
+env:
+  - SITE=test.yml
+
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -y curl
+
+install:
+  # Install Ansible.
+  - pip install ansible
+
+  # Add ansible.cfg to pick up roles path.
+  - "{ echo '[defaults]'; echo 'roles_path = ../'; } >> ansible.cfg"
+
+script:
+  # Check the role/playbook's syntax.
+  - "ansible-playbook -i tests/inventory tests/$SITE --syntax-check"
+
+  # Run the role/playbook with ansible-playbook.
+  - "ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo"
+
+  # Run the role/playbook again, checking to make sure it's idempotent.
+  - >
+    ansible-playbook -i tests/inventory tests/$SITE --connection=local --sudo
+    | grep -q 'changed=0.*failed=0'
+    && (echo 'Idempotence test: pass' && exit 0)
+    || (echo 'Idempotence test: fail' && exit 1)
+
+  # Check if TCP port 9123 is open.
+  - >
+    sudo iptables -L -n
+    | grep -q "ACCEPT.*dpt:9123"
+    && (echo 'Port 9123 is open - pass' && exit 0)
+    || (echo 'Port 9123 is not open - fail' && exit 1)

roles/iptables/README.md

@@ -0,0 +1,68 @@
+# Ansible Role: Firewall (iptables)
+
+[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall)
+
+Installs a simple iptables-based firewall for RHEL/CentOS or Debian/Ubunty systems.
+
+This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall.
+
+After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall.
+
+## Requirements
+
+None.
+
+## Role Variables
+
+Available variables are listed below, along with default values (see `vars/main.yml`):
+
+    firewall_allowed_tcp_ports:
+      - "22"
+      - "80"
+      ...
+    firewall_allowed_udp_ports: []
+
+A list of TCP or UDP ports (respectively) to open to incoming traffic.
+
+    firewall_forwarded_tcp_ports:
+      - { src: "22", dest: "2222" }
+      - { src: "80", dest: "8080" }
+    firewall_forwarded_udp_ports: []
+
+Forward `src` port to `dest` port, either TCP or UDP (respectively).
+
+    firewall_additional_rules: []
+
+Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`).
+
+## Dependencies
+
+None.
+
+## Example Playbook
+
+    - hosts: server
+      vars_files:
+        - vars/main.yml
+      roles:
+        - { role: geerlingguy.firewall }
+
+*Inside `vars/main.yml`*:
+
+    firewall_allowed_tcp_ports:
+      - "22"
+      - "25"
+      - "80"
+
+## TODO
+
+  - Make outgoing ports more configurable.
+  - Make other firewall features (like logging) configurable.
+
+## License
+
+MIT / BSD
+
+## Author Information
+
+This role was created in 2014 by [Jeff Geerling](http://jeffgeerling.com/), author of [Ansible for DevOps](http://ansiblefordevops.com/).

roles/iptables/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+firewall_allowed_tcp_ports:
+  - "22"
+  - "25"
+  - "80"
+  - "443"
+firewall_allowed_udp_ports: []
+firewall_forwarded_tcp_ports: []
+firewall_forwarded_udp_ports: []
+firewall_additional_rules: []

roles/iptables/handlers/main.yml

@@ -0,0 +1,4 @@
+---
+- name: restart firewall
+  command: service iptables save
+  command: service firewall restart

roles/iptables/meta/main.yml

@@ -0,0 +1,22 @@
+---
+dependencies: []
+
+galaxy_info:
+  author: geerlingguy
+  description: Simple iptables firewall for most Unix-like systems.
+  company: "Midwestern Mac, LLC"
+  license: "license (BSD, MIT)"
+  min_ansible_version: 1.4
+  platforms:
+  - name: EL
+    versions:
+    - all
+  - name: Debian
+    versions:
+    - all
+  - name: Ubuntu
+    versions:
+    - all
+  categories:
+    - networking
+    - system

roles/iptables/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: Ensure iptables is installed (RedHat).
+  yum: pkg=iptables state=installed
+  when: ansible_os_family == 'RedHat'
+
+- name: Ensure iptables is installed (Debian).
+  apt: pkg=iptables state=installed
+  when: ansible_os_family == 'Debian'
+
+- name: Flush iptables the first time playbook runs.
+  command: iptables -F creates=/etc/init.d/firewall
+
+- name: Copy firewall script into place.
+  template: src=firewall.bash.j2 dest=/etc/firewall.bash owner=root group=root mode=0744
+  notify: restart firewall
+
+- name: Copy firewall init script into place.
+  template: src=firewall.j2 dest=/etc/init.d/firewall owner=root group=root mode=0755
+
+- name: Ensure the firewall is enabled and will start on boot.
+  service: name=firewall state=started enabled=yes

roles/iptables/templates/firewall.bash.j2

@@ -0,0 +1,79 @@
+#!/bin/bash
+# iptables firewall for common LAMP servers.
+#
+# This file should be located at /etc/firewall.bash, and is meant to work with
+# Jeff Geerling's firewall init script.
+#
+# Common port reference:
+#   22: SSH
+#   25: SMTP
+#   80: HTTP
+#   123: DNS
+#   443: HTTPS
+#   2222: SSH alternate
+#   4949: Munin
+#   6082: Varnish admin
+#   8080: HTTP alternate (often used with Tomcat)
+#   8983: Tomcat HTTP
+#   8443: Tomcat HTTPS
+#   9000: SonarQube
+#
+# @author Jeff Geerling
+
+# No spoofing.
+if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
+then
+for filter in /proc/sys/net/ipv4/conf/*/rp_filter
+do
+echo 1 > $filter
+done
+fi
+
+# Remove all rules and chains.
+iptables -F
+iptables -X
+
+# Accept traffic from loopback interface (localhost).
+iptables -A INPUT -i lo -j ACCEPT
+
+# Forwarded ports.
+{# Add a rule for each forwarded port #}
+{% for forwarded_port in firewall_forwarded_tcp_ports %}
+iptables -t nat -I PREROUTING -p tcp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+{% for forwarded_port in firewall_forwarded_udp_ports %}
+iptables -t nat -I PREROUTING -p udp --dport {{ forwarded_port.src }} -j REDIRECT --to-port {{ forwarded_port.dest }}
+{% endfor %}
+
+# Open ports.
+{# Add a rule for each open port #}
+{% for port in firewall_allowed_tcp_ports %}
+iptables -A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% for port in firewall_allowed_udp_ports %}
+iptables -A INPUT -p tcp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# Accept icmp ping requests.
+iptables -A INPUT -p icmp -j ACCEPT
+
+# Allow NTP traffic for time synchronization.
+iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
+iptables -A INPUT -p udp --sport 123 -j ACCEPT
+
+# Additional custom rules.
+{% for rule in firewall_additional_rules %}
+{{ rule }}
+{% endfor %}
+
+# Allow established connections:
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Log EVERYTHING (ONLY for Debug).
+# iptables -A INPUT -j LOG
+
+# Log other incoming requests (all of which are dropped) at 15/minute max.
+iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
+
+# Drop all other traffic.
+iptables -A INPUT -j DROP

roles/iptables/templates/firewall.j2

@@ -0,0 +1,41 @@
+#! /bin/sh
+# /etc/init.d/firewall
+#
+# Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling.
+#
+# @author Jeff Geerling
+
+### BEGIN INIT INFO
+# Provides:          firewall
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start firewall at boot time.
+# Description:       Enable the firewall.
+### END INIT INFO
+
+# Carry out specific functions when asked to by the system
+case "$1" in
+  start)
+    echo "Starting firewall."
+    /etc/firewall.bash
+    ;;
+  stop)
+    echo "Stopping firewall."
+    iptables -F
+    ;;
+  restart)
+    echo "Restarting firewall."
+    /etc/firewall.bash
+    ;;
+  status)
+    echo -e "`iptables -L -n`"
+    ;;
+  *)
+    echo "Usage: /etc/init.d/firewall {start|stop|status|restart}"
+    exit 1
+    ;;
+esac
+
+exit 0

roles/iptables/tests/inventory

@@ -0,0 +1 @@
+localhost

roles/iptables/tests/test.yml

@@ -0,0 +1,8 @@
+---
+- hosts: localhost
+  remote_user: root
+  vars:
+    - firewall_allowed_tcp_ports:
+      - "9123"
+  roles:
+    - ansible-role-firewall