Start firewalling rules

inventory.sample

@@ -17,6 +17,7 @@ localhost
 
 [server:vars]
 timezone="UTC"
+gateway="<GATEWAY_IP>"
 
 [workstation:vars]
 timezone="Europe/Paris"

tasks/firewall.yml

+---
+- hosts: "{{ host_list }}"
+  remote_user: root
+
+  tasks:
+    - name: FIREWALL | install packages
+      ansible.builtin.apt:
+        cache_valid_time: 3600
+        force_apt_get: yes
+        pkg:
+            - fail2ban
+            - ufw
+        state: present
+        update_cache: true
+
+    - name: UFW | reset before setting
+      community.general.ufw:
+        state: reset
+
+    - name: UFW | deny everything IN
+      community.general.ufw:
+        direction: incoming
+        policy: deny
+
+    - name: UFW | allow everything OUT
+      community.general.ufw:
+        direction: outgoing
+        policy: allow
+
+    - name: UFW | limit tcp port 22 IN
+      community.general.ufw:
+        direction: in
+        log: yes
+        port: '22'
+        proto: tcp
+        rule: limit
+
+    - name: UFW | allow tcp port 80 IN
+      when: inventory_hostname in groups.web
+      community.general.ufw:
+        direction: in
+        rule: allow
+        port: '80'
+        proto: tcp
+
+    - name: UFW | enable & set logging
+      community.general.ufw:
+        logging: full
+        state: enabled
+
+    - name: FAIL2BAN | ensure deamon is running
+      service:
+        name: fail2ban
+        state: started
+        enabled: true
+
+    - name: FAIL2BAN | set local config
+      template:
+        src: templates/jail.local.j2
+        dest: /etc/fail2ban/jail.local
+
+    - name: FAIL2BAN | restart service
+      service:
+        name: fail2ban
+        state: restarted

tasks/templates/jail.local.j2

+[DEFAULT]
+banaction = ufw
+bantime   = 3600
+maxretry  = 3
+ignoreip  = 127.0.0.1 {{gateway}} {% for host in groups['all'] %}{{hostvars[host]['ansible_host']|ansible.netcommon.ipaddr('public')}} {% endfor %}
+
+
+[ssh]
+enabled  = true
+filter = sshd
+logpath = /var/log/auth.log
+findtime = 300