playbook: Improve olimex board security

Add restrictive firewall settings to avoid any security risk.

playbook: Improve olimex board security
Add restrictive firewall settings to avoid any security risk.
4d114f9a · Levin Zimmermann · e31f5d9d · 4d114f9a · 4d114f9a · 4d114f9a
Commit 4d114f9a authored Dec 23, 2021 by Levin Zimmermann
4 changed files
--- a/playbook/roles/olimex-board/tasks/main.yml
+++ b/playbook/roles/olimex-board/tasks/main.yml
+- name: Install iptables
+  apt:
+    name: iptables
+    state: present
+
+- name: Set firewall config file path
+  set_fact:
+    setup_olimex_firewall_path: /usr/bin/setup-olimex-firewall
+
+- name: Add script to boot firewall
+  template:
+    src: iptables.j2
+    dest: "{{ setup_olimex_firewall_path }}"
+    mode: 755
+
+- name: Include setup-olimex-firewall at reboot on cron
+  cron: name="Setup firewall on reboot" special_time=reboot job="sleep 30 && {{ setup_olimex_firewall_path }}"
--- a/playbook/roles/olimex-board/templates/iptables.j2
+++ b/playbook/roles/olimex-board/templates/iptables.j2
+#!/bin/bash
+
+# We want to close all ports except for those which are used by
+# re6stnet and SSH (to be able to keep a connection to the board).
+
+echo "Update firewall. Close all ports except SSH ports."
+
+# Remove all existing rules
+iptables -F
+
+# Allow SSH access
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# Set default drop policy
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+ip6tables -P INPUT DROP
+ip6tables -P OUTPUT DROP
+ip6tables -P FORWARD DROP
+
+# For additional rules (for instance Wendelin/Fluentd, ...)
+
+{{ iptables_rules }}
+
+# Open Re6stnet ports (if bash file exists)
+RE6STNET_IP6TABLES_CHECK="/usr/bin/re6stnet-ip6tables-check"
+
+if [ -f $RE6STNET_IP6TABLES_CHECK ]; then
+    bash $RE6STNET_IP6TABLES_CHECK
+else
+  echo "No Re6stnet ip6tables check file could be found!"
+  echo "No dedicated re6stnet ports could be opened."
+fi
--- a/playbook/wendelin-olimex-iot-gateway.yml
+++ b/playbook/wendelin-olimex-iot-gateway.yml
@@ -6,3 +6,33 @@
 - name: a play that runs entirely on the ansible host
  hosts: 127.0.0.1
  connection: local
+
+  vars:
+    - iptables_rules: |
+        # We send data to Wendelin via HTTP or HTTPS
+
+        # Only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
+        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+        # #### Output exceptions  #### #
+
+        # Accept DNS
+        iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
+        iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+        # Accept HTTP
+        iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
+
+        # Accept HTTPS
+        iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
+        iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
+
+        # To receive data from Sensor
+        
+        LISTEN_SENSOR_PORT=24224
+
+        ip6tables -A INPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT
+        ip6tables -A INPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT
+
+  roles:
+    - role: olimex-board
--- a/playbook/wendelin-olimex-sensor.yml
+++ b/playbook/wendelin-olimex-sensor.yml
@@ -7,5 +7,17 @@
  hosts: 127.0.0.1
  connection: local

+  vars:
+    - iptables_rules: |
+        # To send data to IoT-Gateway
+          
+        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+          
+        LISTEN_SENSOR_PORT=24224
+
+        ip6tables -A OUTPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT
+        ip6tables -A OUTPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT
+
  roles:
+    - role: olimex-board
    - role: olimex-sensor