Draft: Configure Firewall (iptables) for DLE server

Vitaliy Kukharik requested to merge firewall into main

This MR introduces a firewall configuration for the DLE server using iptables.

The configuration allows a standard set of DLE TCP ports and provides for adding custom rules to manage access to specific ports and port ranges.
It will enhance the DLE server's security and provide more control over network traffic.

Notes:

  • By default, we block direct access to clone ports (6000-6100) and open ports to access clone ports (9000-9100) via an encrypted Envoy proxy connection.
  • The firewall is enabled by default. To disable it, set the firewall_enabled_at_boot: false variable.

Requirements:

Use the ansible-role-firewall from geerlingguy (with a fix for compatibility with Docker)

Variables:

# Firewall
firewall_enabled_at_boot: true # or 'false' to not configure 'firewall' service (iptables)
firewall_allowed_tcp_ports:
  - "{{ ansible_ssh_port | default(22) }}" # ssh
  - "{{ dle_port }}" # DLE server
  - "{{ dle_ui_port }}" # DLE UI
  - "{{ netdata_port }}" # Netdata
  - "{{ proxy_dle_public_port }}" # Envoy proxy
  - "53" # DNS port
firewall_allowed_udp_ports:
  - "53" # DNS port
firewall_additional_rules:
  - "iptables -A INPUT -p tcp -i docker0 --dport 6000:6099 -j ACCEPT" # allow docker traffic to clone ports.
  - "iptables -A INPUT -p tcp -i lo --dport 6000:6099 -j ACCEPT" # allow local traffic to clone ports.
  - "iptables -A INPUT -p tcp --dport 6000:6099 -j DROP" # drop all other direct access to clone ports.
  - "iptables -A INPUT -p tcp --dport 9000:9099 -j ACCEPT" # allow any IP to access clone ports (9000-9099) via proxy.
#  - "iptables -A INPUT -p tcp --dport 9000:9099 -s 172.31.16.0/24 -j ACCEPT" # allow only the private subnet 172.31.16.0/24 to access clone ports (9000-9099) via proxy.
#  - "iptables -A INPUT -p tcp --dport 9000:9099 -s 34.56.78.90 -j ACCEPT" # allow only the public IP 34.56.78.90 to access clone ports (9000-9099) via proxy.

firewall_enable_ipv6: false # disable configuration of ip6tables
firewall_flush_rules_and_chains: false # whether to flush all rules and chains whenever the firewall is restarted.
# Flush rules for INPUT chain only (if 'firewall_flush_rules_and_chains' is 'false')
firewall_flush_rules_input_nat: true
firewall_flush_rules_input_mangle: true
firewall_flush_rules_input_filter: true

Additionally:

  • Update the authorized-keys role (use a condition for the tasks block)
    • Previously, the task "Get system username" was performed even if the public key was not defined.
  • deploy-finish: Make sure handlers are flushed immediately
    • Execute handlers before the informational message. Improves readability.
Edited by Vitaliy Kukharik