From b0530060d406f85cc488f4ad2a4ba3f0810451d7 Mon Sep 17 00:00:00 2001
From: "Daniel A. Maierhofer"
Date: Fri, 13 Jul 2018 21:34:14 +0200
Subject: [PATCH] Add iptables for fetlab

---
 host_vars/fetlab | 3 +++
 templates/iptables_fetlab_v4.j2 | 14 ++++++++++++++
 templates/iptables_fetlab_v6.j2 | 12 ++++++++++++
 3 files changed, 29 insertions(+)
 create mode 100644 templates/iptables_fetlab_v4.j2
 create mode 100644 templates/iptables_fetlab_v6.j2

diff --git a/host_vars/fetlab b/host_vars/fetlab
index 487f49e..c914b8a 100644
--- a/host_vars/fetlab
+++ b/host_vars/fetlab
@@ -2,6 +2,9 @@
 inventory_hostname: fetlab.fet.htu.tuwien.ac.at
 inventory_hostname_short: fetlab
 
+common_iptables_v4: "iptables_fetlab_v4.j2"
+common_iptables_v6: "iptables_fetlab_v6.j2"
+
 common_resolvconf_nameservers: ["128.130.4.3", "128.131.4.3"]
 common_openssh_keys_root:
 - "ssh-rsa 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 damadmai@fet.at"
diff --git a/templates/iptables_fetlab_v4.j2 b/templates/iptables_fetlab_v4.j2
new file mode 100644
index 0000000..b7efa99
--- /dev/null
+++ b/templates/iptables_fetlab_v4.j2
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
diff --git a/templates/iptables_fetlab_v6.j2 b/templates/iptables_fetlab_v6.j2
new file mode 100644
index 0000000..d2927b5
--- /dev/null
+++ b/templates/iptables_fetlab_v6.j2 
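Review bot: The `-A INPUT -p icmp -j ACCEPT` line in iptables_fetlab_v4.j2 admits every ICMPv4 type from any source, although the RELATED,ESTABLISHED rule right below it already passes the error messages (unreachable, fragmentation-needed, time-exceeded) an existing flow needs; narrowing it to `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` keeps ping working while shutting out timestamp, address-mask and redirect probes. Separately, the three trailing REJECT rules mean the `:INPUT DROP` policy is never reached for IPv4, so every closed port answers with a reset or unreachable — a legitimate choice, but the v6 template in the same commit silently drops, so the two stacks behave differently to the same scan; pick one behaviour and record it, e.g. `# reject rather than drop so local clients fail fast`. The SSH and conntrack rules here use the deprecated `-m state` alias while the v6 template uses `-m conntrack`; `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` is the current form and, placed first together with the `-i lo` rule, avoids evaluating return traffic against the per-service rules.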
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp --syn -j DROP
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+COMMIT
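Review bot: The `-A INPUT -p tcp --syn -j DROP` rule at the top of the INPUT chain matches every new TCP connection before the `--dport 22 -j ACCEPT` rule on the next line can, so the SSH rule is dead and the host is unreachable over SSH on IPv6 while the v4 template in the same commit opens port 22 — unless blocking v6 SSH is intended, in which case the ACCEPT line is the one to delete and a comment should say so. Since `:INPUT DROP` already discards unmatched SYNs, the simplest fix is to remove the `--syn` line entirely (or, if it is meant as an explicit guard, move it below the SSH ACCEPT). I would also move the `-i lo` and `ESTABLISHED,RELATED` rules to the top as is conventional, and write the SSH rule as `-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT` rather than the deprecated `-m state`, for consistency with the conntrack rule three lines below. The blanket `-p ipv6-icmp -j ACCEPT` is needed for NDP (neighbour and router solicitation/advertisement) and should not be narrowed without listing those types explicitly.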