
add instance-a rules
yusufharip committed Dec 24, 2019
1 parent 4dcf25e commit c0b5f2e
Showing 8 changed files with 113 additions and 2 deletions.
1 change: 0 additions & 1 deletion README.md
Expand Up @@ -30,7 +30,6 @@ My droplets configuration like image above.
* In this case i'm create freestyle jobs project on jenkins which run some command and invoke ansible-playbook
2. Configure **instance-b**
* Register ssh-key jenkins@instance-a on DigitalOcean so this instance auto get ssh-key for deployment server
* Create instance-b with minimum specification 2GB of RAM
* Let the rest configuration executed in instance-a

## Result
Binary file modified images/topology.jpeg
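--- a/instance-a-firewall.yml
+++ b/instance-a-firewall.yml
@@ -0,0 +1,5 @@
+---
+- name: Instance-b Playbook for firewall configuration
+  hosts: instance_b_production
+  roles:
+    - instance-a-fw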
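Review bot: The new playbook applies the `instance-a-fw` role to `hosts: instance_b_production` under the name "Instance-b Playbook", so running it as written overwrites instance-b's `/etc/ufw/before.rules` with the instance-a rule set rather than touching instance-a at all. The file name and the commit title ("add instance-a rules") suggest the target should be the `instance_a` group that `instance-a.yml` already uses, i.e. `- name: Instance-a Playbook for firewall configuration` and `hosts: instance_a`. Presumably this was copied from `instance-b-firewall.yml` and the host line was not updated; worth confirming against the inventory before this is run from the Jenkins job.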
2 changes: 2 additions & 0 deletions instance-a.yml
Expand Up @@ -2,7 +2,9 @@
- name: Instance-a Playbook
hosts: instance_a
roles:
- docker
- docker-nginx
- jenkins


# 3 roles yang dijalankan pada playbook ini adalah docker, jenkins, docker-nginx
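Review bot: The trailing comment `# 3 roles yang dijalankan pada playbook ini adalah docker, jenkins, docker-nginx` is in Indonesian while the README, task names and play names are in English, and it lists the roles in a different order from the `roles:` block above it. Suggest an English comment placed directly above `roles:` so it stays with what it describes, e.g. `# Roles applied to instance-a, in order: docker, docker-nginx, jenkins`. Which two of these lines are the additions is not explicit on the rendered page, so this is a style note on the section as shown.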
2 changes: 1 addition & 1 deletion instance-b-firewall.yml
Expand Up @@ -2,4 +2,4 @@
- name: Instance-b Playbook for firewall configuration
hosts: instance_b_production
roles:
- elastic-fw
- instance-b-fw
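--- a/roles/instance-a-fw/tasks/main.yml
+++ b/roles/instance-a-fw/tasks/main.yml
@@ -0,0 +1,23 @@
+---
+- name: ufw allow ssh
+  become: yes
+  ufw:
+    rule: allow
+    port: ssh
+    proto: tcp
+
+- name: enable ufw
+  become: yes
+  ufw:
+    state: enabled
+
+- name: Render configuration starter from template
+  become: yes
+  template:
+    src: before.rules.j2
+    dest: /etc/ufw/before.rules
+
+- name: Reload configuration
+  become: yes
+  ufw:
+    state: reloaded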
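Review bot: The role never sets the default policies itself; `state: enabled` only turns ufw on, so the deny-incoming behaviour this firewall depends on comes from the distro default and a host where someone has run `ufw default allow incoming` would be enabled with everything open. Add an explicit task before "enable ufw": `- name: default deny incoming` / `ufw: { direction: incoming, policy: deny }` (with `become: yes`). Separately, `ufw allow ssh` opens port 22 to every source; the README says only jenkins@instance-a needs SSH into the deployment host, so restricting it with `from_ip` to that address (supplied from inventory) would be the least-privilege version, if the address is stable. The template task also replaces a distro-managed file with no `backup: yes`, which makes a broken render (e.g. a bad `iptables-restore` line) harder to roll back once `state: reloaded` fails.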
82 changes: 82 additions & 0 deletions roles/instance-a-fw/templates/before.rules.j2
@@ -0,0 +1,82 @@
#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
# -A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# deny icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT
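Review bot: The "deny icmp codes for INPUT" block drops `destination-unreachable`, which includes type 3 code 4 "fragmentation needed", so this host stops doing path-MTU discovery and large TCP transfers to peers behind a smaller MTU can hang; dropping `time-exceeded` and `parameter-problem` likewise only hides errors the stack needs. These DROP rules also add nothing, since ufw's default deny already rejects unsolicited ICMP. Keep the stock three accepts and, if ping must be blocked, drop only echo: `-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT`, `-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT`, `-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT`, followed by the existing `echo-request -j DROP`. The mDNS and UPnP multicast accepts are desktop defaults with no use on a cloud droplet and could be removed too. The fragment `root@in` shown after `COMMIT` looks like a pasted shell prompt; if it really is line 82 of the template (the section's 82-addition count hints so), `iptables-restore` will reject the file and `ufw reload` will fail.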
root@in
File renamed without changes.
