diff --git a/inventory/group_vars/all/global.yml b/inventory/group_vars/all/global.yml
new file mode 100644
index 0000000..b45acdd
--- /dev/null
+++ b/inventory/group_vars/all/global.yml
@@ -0,0 +1,3 @@
+---
+
+global_public_ip_address: 82.66.135.228
diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml
index 89a2642..12ef9a1 100644
--- a/inventory/host_vars/ks3370405.yml
+++ b/inventory/host_vars/ks3370405.yml
@@ -3,7 +3,7 @@ web_hostname: - host: mail-relay.mateu.be -allowed_smtp_ips: ["82.66.135.228", "80.67.179.200"] +allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}" global_smtp_relay_allowed_ips: "{{ allowed_smtp_ips }}" ufw_allowed_smtp_ips: "{{ allowed_smtp_ips }}"
diff --git a/inventory/static.yml b/inventory/static.yml
index 1faf0b1..fea06a9 100644
--- a/inventory/static.yml
+++ b/inventory/static.yml
@@ -25,6 +25,7 @@ physicalservers:
   hosts:
     frederica:
     serenor:
+    ks3370405:
 
 webservers:
   hosts:
diff --git a/playbooks/global_smtprelay.yml b/playbooks/global_smtprelay.yml
index 9a3af34..908e5af 100644
--- a/playbooks/global_smtprelay.yml
+++ b/playbooks/global_smtprelay.yml
@@ -3,5 +3,4 @@ - name: Install & configure the global SMTP relay hosts: ks3370405 roles: - ufw - global_smtp_relay
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 3f6693c..6829e2b 100644
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -20,6 +20,8 @@
   import_playbook: mail.yml
 - name: Run global_smtprelay playbook
   import_playbook: global_smtprelay.yml
+- name: Run ufw plabook
+  import_playbook: ufw.yml
 - name: Run xmpp playbook
   import_playbook: xmpp.yml
 - name: Run webservers playbook
diff --git a/playbooks/ufw.yml b/playbooks/ufw.yml
new file mode 100644
index 0000000..e31b48b
--- /dev/null
+++ b/playbooks/ufw.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Install & configure UFW
+  hosts: ks3370405
+  roles:
+    - ufw
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index 850e1a0..b2bc3f7 100644
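Review bot: `global_public_ip_address` now feeds the relay's `mynetworks` and the UFW allow-list through `allowed_smtp_ips` in inventory/host_vars/ks3370405.yml, yet the new group_vars/all file says nothing about what the address is or what changing it affects. A comment above the key would carry that: `# Public address the SMTP relay (mynetworks) and UFW allow-lists are derived from; see allowed_smtp_ips in host_vars/ks3370405.yml`. The plain `82.66.135.228` parses as a string, but quoting it (`"82.66.135.228"`) matches the quoted style the host_vars list used and protects against a future value YAML would retype.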
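Review bot: The new expression still carries `'80.67.179.200'` as an unnamed literal, so only one of the two relay clients gained a named, documented home while the other stays as opaque as before. The value also now relies on Ansible converting the rendered `"[...]"` string back into a list after templating, whereas the removed line was a real YAML list; `join` in main.cf.j2 and `loop` in the ufw role both depend on that conversion happening. A block-style list keeps the type explicit and gives each entry room for a name or comment: `allowed_smtp_ips:` / `  - "{{ global_public_ip_address }}"` / `  - "80.67.179.200"  # second relay client; name it like the first`.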
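Review bot: Importing `ufw.yml` after `global_smtprelay.yml` reverses the previous order, in which `ufw` was the first role of the relay play (see the playbooks/global_smtprelay.yml hunk), so on a freshly provisioned ks3370405 the relay is installed and reachable before its firewall rules are applied. Moving the new import above the `global_smtprelay.yml` one restores the firewall-first ordering without changing anything else. The play name also has a typo: `- name: Run ufw playbook`.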
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -350,6 +350,53 @@ config redirect
 	option dest_port '64738'
 	option target 'DNAT'
 
+# Allow DNS traffic
+config rule
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
+config redirect
+	option name 'Allow-INPUT-DNS'
+	option src 'wan'
+	option src_dport '53'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'dmz'
+	option dest_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	option dest_port '53'
+	option target 'DNAT'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv4.address }}'
+	option target 'ACCEPT'
+	option family 'ipv4'
+
+config rule
+	option name 'Allow-OUTPUT-DNS'
+	option src 'dmz'
+	option src_ip '{{ hostvars['dns1'].proxmox_net0.ip6 | ansible.utils.ipaddr('address') }}'
+	list proto 'tcp'
+	list proto 'udp'
+	option dest 'wan'
+	option dest_port '53'
+	option dest_ip '{{ hostvars['ks3370405'].ansible_default_ipv6.address }}'
+	option target 'ACCEPT'
+	option family 'ipv6'
+
 # Allow mail traffic
 config rule
 	option name 'Allow-OUTPUT-SMTP'
diff --git a/roles/global_smtp_relay/templates/main.cf.j2 b/roles/global_smtp_relay/templates/main.cf.j2
index 594e819..64637d0 100644
--- a/roles/global_smtp_relay/templates/main.cf.j2
+++ b/roles/global_smtp_relay/templates/main.cf.j2
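Review bot: The new `Allow-INPUT-DNS` rule and redirect expose dns1's port 53 to the whole `wan` zone with no `src_ip` restriction, so if dns1 performs any recursion this turns it into an open resolver usable for reflection; the hunk does not show dns1's configuration, so confirm it answers only authoritatively (or scope the source and add a rate limit) before merging. The four sections also reuse two names (`Allow-INPUT-DNS` twice, `Allow-OUTPUT-DNS` twice), which makes firewall status output and log lines ambiguous; distinct names such as `Allow-INPUT-DNS6`, `Allow-INPUT-DNS-DNAT`, `Allow-OUTPUT-DNS4` and `Allow-OUTPUT-DNS6` keep them telling apart. Finally, `hostvars['ks3370405'].ansible_default_ipv4.address` and `ansible_default_ipv6.address` are only defined when facts for ks3370405 have been gathered or cached before the play that renders this template, and the IPv6 one is absent on a host without a default v6 route; the neighbouring rules use inventory variables (`proxmox_net0.ip`), and a fixed inventory variable for the relay's addresses would avoid a rendering failure in the firewall play.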
@@ -4,7 +4,7 @@ myhostname = mail-relay.mateu.be
 myorigin = $myhostname
 mydestination = $myhostname, localhost.$mydomain, localhost
 unknown_local_recipient_reject_code = 550
-mynetworks = 127.0.0.0/8, [::1]/128, 82.66.135.228, 80.67.179.200
+mynetworks = 127.0.0.0/8, [::1]/128, {{ global_smtp_relay_allowed_ips | join(', ') }}
 sendmail_path = /usr/bin/sendmail
 newaliases_path = /usr/bin/newaliases
 mailq_path = /usr/bin/mailq
diff --git a/roles/ufw/tasks/main.yml b/roles/ufw/tasks/main.yml
index a3bb8f2..fd8f6db 100644
--- a/roles/ufw/tasks/main.yml
+++ b/roles/ufw/tasks/main.yml
@@ -34,6 +34,11 @@
     src: "{{ item }}"
   loop: "{{ ufw_allowed_smtp_ips }}"
 
+- name: Allow incoming DNS
+  community.general.ufw:
+    rule: allow
+    port: domain
+
 - name: Set logging
   community.general.ufw:
     logging: "on"
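Review bot: `mynetworks` now grants relay access to whatever `global_smtp_relay_allowed_ips` expands to, and the template gives no hint where that list comes from or that Postfix trusts every entry without authentication; a comment above the line would: `# Trusted relay clients: loopback plus global_smtp_relay_allowed_ips (inventory/host_vars/ks3370405.yml); every entry may relay without authenticating`. `join(', ')` also assumes the variable is a list — if it ever arrives as a plain string the filter joins its characters — so the inventory side should keep it a real list rather than a templated string.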
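Review bot: `Allow incoming DNS` opens port 53 (tcp and udp, since no `proto` is given) to every source, whereas the SMTP rule just above it scopes `src` with a loop over `ufw_allowed_smtp_ips`; if ks3370405 runs a resolver that dns1 forwards to (which the `Allow-OUTPUT-DNS` rules in the firewall.j2 hunk suggest), this makes it an open resolver reachable from the internet and usable for amplification. Restrict it the same way as its sibling: add `src: "{{ global_public_ip_address }}"` under `port: domain`, or loop over a list variable if more clients are expected. If the host is instead meant to be a public authoritative server, say so in the task name or a comment so the unrestricted rule reads as intentional.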