Arnaud Véron / slapos.package
Commit 4d114f9a, authored 3 years ago by Levin Zimmermann
playbook: Improve olimex board security
Add restrictive firewall settings to avoid any security risk.
parent e31f5d9d
Showing 4 changed files with 95 additions and 0 deletions (+95 -0):
playbook/roles/olimex-board/tasks/main.yml (+17 -0)
playbook/roles/olimex-board/templates/iptables.j2 (+36 -0)
playbook/wendelin-olimex-iot-gateway.yml (+30 -0)
playbook/wendelin-olimex-sensor.yml (+12 -0)
playbook/roles/olimex-board/tasks/main.yml
0 → 100644
-
name
:
Install iptables
apt
:
name
:
iptables
state
:
present
-
name
:
Set firewall config file path
set_fact
:
setup_olimex_firewall_path
:
/usr/bin/setup-olimex-firewall
-
name
:
Add script to boot firewall
template
:
src
:
iptables.j2
dest
:
"
{{
setup_olimex_firewall_path
}}"
mode
:
755
-
name
:
Include setup-olimex-firewall at reboot on cron
cron
:
name="Setup firewall on reboot" special_time=reboot job="sleep 30 && {{ setup_olimex_firewall_path }}"
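Review bot: the firewall script is only wired up through the cron entry (`special_time=reboot`, after `sleep 30`), so nothing in this role activates it on the host it has just configured, and on every later boot the board runs for about 30 seconds with the kernel's default ACCEPT policies before the rules are loaded. Consider adding a task that runs `{{ setup_olimex_firewall_path }}` at the end of the role (or persisting the rule set with iptables-persistent or a systemd unit ordered before the network comes up) so the restrictive policy is in effect immediately. Also, `mode: 755` without quotes is parsed by YAML as the decimal integer 755, which Ansible then applies as the octal mode 1363; write it as `mode: '0755'`.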
playbook/roles/olimex-board/templates/iptables.j2
0 → 100644
#!/bin/bash
# We want to close all ports except for those which are used by
# re6stnet and SSH (to be able to keep a connection to the board).
echo
"Update firewall. Close all ports except SSH ports."
# Remove all existing rules
iptables
-F
# Allow SSH access
iptables
-A
INPUT
-p
tcp
--dport
22
-j
ACCEPT
iptables
-A
OUTPUT
-p
tcp
--sport
22
-j
ACCEPT
# Set default drop policy
iptables
-P
INPUT DROP
iptables
-P
OUTPUT DROP
iptables
-P
FORWARD DROP
ip6tables
-P
INPUT DROP
ip6tables
-P
OUTPUT DROP
ip6tables
-P
FORWARD DROP
# For additional rules (for instance Wendelin/Fluentd, ...)
{{
iptables_rules
}}
# Open Re6stnet ports (if bash file exists)
RE6STNET_IP6TABLES_CHECK
=
"/usr/bin/re6stnet-ip6tables-check"
if
[
-f
$RE6STNET_IP6TABLES_CHECK
]
;
then
bash
$RE6STNET_IP6TABLES_CHECK
else
echo
"No Re6stnet ip6tables check file could be found!"
echo
"No dedicated re6stnet ports could be opened."
fi
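Review bot: with `ip6tables -P INPUT DROP` and `ip6tables -P OUTPUT DROP` and no rule accepting `icmpv6`, Neighbor Discovery and Router Advertisements are dropped, so the board loses IPv6 connectivity altogether, which is the transport re6stnet runs on (unless /usr/bin/re6stnet-ip6tables-check happens to open it); likewise there is no loopback rule, so anything a local process sends to 127.0.0.1 or ::1 is dropped. Add, before the policies are switched to DROP:
`iptables -A INPUT -i lo -j ACCEPT`
`ip6tables -A INPUT -i lo -j ACCEPT`
`ip6tables -A INPUT -p icmpv6 -j ACCEPT`
together with the matching OUTPUT rules. Two smaller points: SSH is accepted only in `iptables`, so an SSH session reaching the board over an IPv6 address is cut off by the new ip6tables policy; and the flush at the top is `iptables -F` only, so when the script is re-run by hand the ip6tables rules are appended a second time instead of being replaced.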
playbook/wendelin-olimex-iot-gateway.yml
@@ -6,3 +6,33 @@
-
name
:
a play that runs entirely on the ansible host
hosts
:
127.0.0.1
connection
:
local
vars
:
-
iptables_rules
:
|
# We send data to Wendelin via HTTP or HTTPS
# Only accept packets on the INPUT chain that are ESTABLISHED or RELATED to a current connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# #### Output exceptions #### #
# Accept DNS
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Accept HTTP
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Accept HTTPS
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
# To receive data from Sensor
LISTEN_SENSOR_PORT=24224
ip6tables -A INPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT
ip6tables -A INPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT
roles
:
-
role
:
olimex-board
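Review bot: the sensor port is opened for inbound IPv6 (`ip6tables -A INPUT ... --dport $LISTEN_SENSOR_PORT`), but the role's template leaves `ip6tables -P OUTPUT DROP` and this block adds no ip6tables rule for replies, so a TCP connection from the sensor can never complete its handshake (the SYN-ACK is dropped) and only the UDP variant will carry data. Add `ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`; the existing `iptables` state rule covers IPv4 only. Consider also restricting the two 24224 rules with `-s` to the sensor's address or the re6stnet prefix rather than accepting from any IPv6 source, and note that `-m state` is the legacy alias for `-m conntrack --ctstate`.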
playbook/wendelin-olimex-sensor.yml
@@ -7,5 +7,17 @@
hosts
:
127.0.0.1
connection
:
local
vars
:
-
iptables_rules
:
|
# To send data to IoT-Gateway
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
LISTEN_SENSOR_PORT=24224
ip6tables -A OUTPUT -p tcp --dport $LISTEN_SENSOR_PORT -j ACCEPT
ip6tables -A OUTPUT -p udp --dport $LISTEN_SENSOR_PORT -j ACCEPT
roles
:
-
role
:
olimex-board
-
role
:
olimex-sensor
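Review bot: mirror image of the gateway problem: the sensor may send to 24224 over IPv6, but with the template's `ip6tables -P INPUT DROP` and no `ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`, the gateway's TCP replies are dropped and the TCP forward never connects; the `iptables` state rule added here is IPv4 only and does not help, since no IPv4 traffic other than SSH leaves the sensor anyway. Style: `LISTEN_SENSOR_PORT=24224` is now duplicated in both playbooks; a shared variable (for instance in group_vars) would keep the two sides in sync.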