From fe1fcade72813e18a19b62369d62ecb63ae9be24 Mon Sep 17 00:00:00 2001 From: Defunct Date: Thu, 13 Oct 2016 14:45:41 +0000 Subject: [PATCH 1/6] resolves #99 --- algo | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/algo b/algo index bf1ebe4..d1e5773 100755 --- a/algo +++ b/algo @@ -62,9 +62,9 @@ Enter your aws_access_key (http://docs.aws.amazon.com/AWSSimpleQueueService/late Enter your aws_secret_key (http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSGettingStartedGuide/AWSCredentials.html): : " -rs aws_secret_key - read -p " + read -e -p " Enter the local path to your SSH public key: -: " -r ssh_public_key +: " -i "~/.ssh/id_rsa.pub" -r ssh_public_key read -p " Name the vpn server: From c43ccc38987161f1e1028f94c4432ddec22a9e4e Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 14 Oct 2016 18:50:24 +0300 Subject: [PATCH 2/6] iptables moved to the vpn role #61 --- roles/security/handlers/main.yml | 3 --- roles/security/tasks/main.yml | 8 -------- roles/vpn/handlers/main.yml | 6 +++--- roles/vpn/tasks/iptables.yml | 9 +++++++++ roles/vpn/tasks/main.yml | 4 ++++ roles/{security => vpn}/templates/rules.v4.j2 | 0 roles/{security => vpn}/templates/rules.v6.j2 | 0 7 files changed, 16 insertions(+), 14 deletions(-) create mode 100644 roles/vpn/tasks/iptables.yml rename roles/{security => vpn}/templates/rules.v4.j2 (100%) rename roles/{security => vpn}/templates/rules.v6.j2 (100%) diff --git a/roles/security/handlers/main.yml b/roles/security/handlers/main.yml index e79c49c..e6d614b 100644 --- a/roles/security/handlers/main.yml +++ b/roles/security/handlers/main.yml @@ -1,8 +1,5 @@ - name: restart ssh service: name=ssh state=restarted -- name: restart iptables - service: name=netfilter-persistent state=restarted - - name: flush routing cache shell: echo 1 > /proc/sys/net/ipv4/route/flush diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index f951616..aed7576 100644 --- a/roles/security/tasks/main.yml 
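Review bot: The default supplied by `-i "~/.ssh/id_rsa.pub"` is never tilde-expanded, because `read` stores the edited buffer verbatim, so a user who just presses Enter hands a literal `~/.ssh/id_rsa.pub` to whatever later consumes `ssh_public_key` (not visible in this hunk; unless that consumer expands `~` itself the key will not be found). `-i "$HOME/.ssh/id_rsa.pub"` gives the same prompt with a path that works as-is. Note also that `read -e -i` needs bash 4; the bash 3.2 still shipped with macOS rejects `-i` as an invalid option, so this prompt should be guarded on `BASH_VERSINFO` or fall back to a plain `read -r` there.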
+++ b/roles/security/tasks/main.yml @@ -88,14 +88,6 @@ - name: Do not send ICMP redirects (we are not a router) sysctl: name=net.ipv4.conf.all.send_redirects value=0 -- name: Iptables configured - template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 - with_items: - - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } - - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } - notify: - - restart iptables - - name: SSH config template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644 notify: diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 4ba5173..84e08b0 100644 --- a/roles/vpn/handlers/main.yml +++ b/roles/vpn/handlers/main.yml @@ -6,13 +6,13 @@ - name: restart apparmor service: name=apparmor state=restarted - -- name: save iptables - shell: service netfilter-persistent save - name: save iptables shell: service netfilter-persistent save +- name: restart iptables + service: name=netfilter-persistent state=restarted + - name: congrats debug: msg: diff --git a/roles/vpn/tasks/iptables.yml b/roles/vpn/tasks/iptables.yml new file mode 100644 index 0000000..aeed994 --- /dev/null +++ b/roles/vpn/tasks/iptables.yml @@ -0,0 +1,9 @@ +--- + +- name: Iptables configured + template: src="{{ item.src }}" dest="{{ item.dest }}" owner=root group=root mode=0640 + with_items: + - { src: rules.v4.j2, dest: /etc/iptables/rules.v4 } + - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 } + notify: + - restart iptables diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 690a44a..1009911 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -191,3 +191,7 @@ fetch: src=/{{ easyrsa_dir }}/easyrsa3/pki/ca.crt dest=configs/{{ IP_subject_alt_name }}_ca.crt flat=yes notify: - congrats + +- include: iptables.yml + tags: iptables + 
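Review bot: The relative order of the two handlers now defined here matters and is undocumented: Ansible runs notified handlers in definition order, so when both fire in one play `save iptables` (`netfilter-persistent save`, which writes the running tables over /etc/iptables/rules.v4 and rules.v6) executes before the new `restart iptables` (which reloads those files and drops anything added at runtime). Which order is correct depends on which vpn tasks notify `save iptables`, and this diff does not show them; please check that the templated rules are not overwritten by a save and then reloaded. Record the decision on the handler, e.g. `# order matters: save writes the running set over rules.v4/v6, restart reloads the files`.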
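Review bot: The moved `Iptables configured` task, together with the `restart iptables` handler it notifies, assumes the `iptables-persistent`/`netfilter-persistent` package and service already exist, and that guarantee no longer lives with the rules: the package install is not in this diff and presumably stays in the security role, so running the vpn role alone (or with tags that exclude the security role) leaves the handler failing on a missing service. An explicit `apt: name=iptables-persistent state=present` at the top of iptables.yml, or a role dependency on security, would make the new file self-contained. A short header comment stating that the templates here overwrite any existing ruleset (the README warning added in this series) would also help whoever next edits the role.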
diff --git a/roles/security/templates/rules.v4.j2 b/roles/vpn/templates/rules.v4.j2 similarity index 100% rename from roles/security/templates/rules.v4.j2 rename to roles/vpn/templates/rules.v4.j2 diff --git a/roles/security/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2 similarity index 100% rename from roles/security/templates/rules.v6.j2 rename to roles/vpn/templates/rules.v6.j2 From d8478e1741b01dfe0288e26a0945fcc0f0b81da4 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 14 Oct 2016 19:57:11 +0400 Subject: [PATCH 3/6] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 5cb7148..80edf40 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,9 @@ Ansible scripts are organized into roles. The roles used by Algo are described i ## Usage +### Warning +If you run Algo on your existing server, the iptables rules will be overwritten. If you don't want to overwite the rules, just skip the `iptables` tag. (You can find some information about tags [here](https://github.com/trailofbits/algo/blob/master/ADVANCED.md)) + ### Requirements * ansible >= 2.1 From bf5d5e53acc1f9eadf8b330f0b1f1e0fb1e7107a Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 14 Oct 2016 19:05:39 +0300 Subject: [PATCH 4/6] ip6tables fixes --- roles/vpn/templates/rules.v6.j2 | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/vpn/templates/rules.v6.j2 b/roles/vpn/templates/rules.v6.j2 index e491fec..71342a0 100644 --- a/roles/vpn/templates/rules.v6.j2 +++ b/roles/vpn/templates/rules.v6.j2 
@@ -17,6 +17,10 @@ COMMIT -A INPUT -p icmpv6 --icmpv6-type echo-request -m hashlimit --hashlimit-upto 5/s --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-name icmp-echo-drop -j DROP -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT +-A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT # TODO: # The IP of the resolver should be bound to a DUMMY interface. # DUMMY interfaces are the proper way to install IPs without assigning them any From 787929deb7f118815f74047e45a89b84740661b0 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 14 Oct 2016 19:26:30 +0300 Subject: [PATCH 5/6] fix --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5cb7148..e147253 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ Ansible scripts are organized into roles. The roles used by Algo are described i ### Roles and Tags **Cloud roles:** - role: cloud-digitalocean, tags: digitalocean -- role: cloud-ec2, tags: ec2 +- role: cloud-ec2, tags: ec2 - role: cloud-gce, tags: gce **Server roles:** From fcf29534bac957c5bba2ee04f835b27f8b8f1704 Mon Sep 17 00:00:00 2001 From: Jack Ivanov Date: Fri, 14 Oct 2016 19:58:55 +0300 Subject: [PATCH 6/6] the proxixy filter rules disabled #93 --- roles/proxy/tasks/main.yml | 5 ++++- roles/proxy/templates/default.filter.j2 | 0 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 roles/proxy/templates/default.filter.j2 diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml index 81dbcab..fc3af8b 100644 --- a/roles/proxy/tasks/main.yml +++ b/roles/proxy/tasks/main.yml 
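Review bot: The new `--icmpv6-type redirect ... -m hl --hl-eq 255 -j ACCEPT` line lets any on-link node rewrite this host's IPv6 routes; the hop-limit match only proves the packet did not cross a router, not that the sender is the legitimate gateway, and a VPN server rarely needs to honour redirects. The security role's sysctl tasks visible in this series only tune v4 (`net.ipv4.conf.all.send_redirects=0`), and I do not see `net.ipv6.conf.all.accept_redirects=0` anywhere, so either drop the redirect rule or pair it with that sysctl so the firewall accept is inert. The RA/NS/NA accepts are needed for SLAAC and neighbour resolution on cloud networks; a comment such as `# NDP: RA/NS/NA required for SLAAC and neighbour discovery (link-local only, hl 255)` would explain why these four are accepted while echo-request is rate-limited. The `*filter` section these rules belong to starts before the hunk.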
@@ -5,7 +5,10 @@ apt: name=privoxy state=latest - name: Privoxy configured - template: src=privoxy_config.j2 dest=/etc/privoxy/config + template: src="{{ item.src }}" dest="{{ item.dest }}" + with_items: + - { src: privoxy_config.j2, dest: /etc/privoxy/config } + - { src: default.filter.j2, dest: /etc/privoxy/default.filter } notify: - restart privoxy diff --git a/roles/proxy/templates/default.filter.j2 b/roles/proxy/templates/default.filter.j2 new file mode 100644 index 0000000..e69de29
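Review bot: Rendering an empty `default.filter.j2` over `/etc/privoxy/default.filter` removes the filter definitions but not the `+filter{...}` actions that reference them in `default.action`, which this patch does not touch, so Privoxy may log unknown-filter warnings at start rather than simply run unfiltered; worth verifying once with `privoxy --no-daemon` and, if needed, shipping a trimmed `default.action` too. Unlike the other template tasks in this series, the loop sets no `owner`/`group`/`mode`, so the rendered files take whatever the remote umask gives; `owner=root group=root mode=0644` on the template line would be consistent with them. A comment on the second item, `# default.filter is deliberately empty: all content filters disabled (#93)`, would stop the next reader from "fixing" the empty template.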