Drop SMB traffic ##61

roles/cloud-digitalocean/tasks/main.yml

@@ -34,6 +34,8 @@
     dns_enabled: "{{ dns_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+    cloud_provider: digitalocean
+    ipv6_support: yes
 
 - name: Wait for SSH to become available
   local_action: "wait_for port=22 host={{ do.droplet.ip_address }} timeout=320"

roles/cloud-ec2/tasks/main.yml

@@ -72,6 +72,8 @@
     dns_enabled: "{{ dns_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+    cloud_provider: ec2
+    ipv6_support: no
   with_items: "{{ ec2.instances }}"
 
 - name: Wait for SSH to become available

roles/cloud-gce/tasks/main.yml

@@ -23,6 +23,8 @@
     dns_enabled: "{{ dns_enabled }}"
     auditd_enabled: " {{ auditd_enabled }}"
     easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
+    cloud_provider: gce
+    ipv6_support: no
 
 - name: Firewall configured
   local_action:

roles/dns_adblocking/tasks/main.yml

@@ -50,7 +50,7 @@
     to_destination: fcaa::1:53
     ip_version: ipv6
   notify:
-  - save iptables
+    - save iptables
 
 - name: Dnsmasq enabled and started
   service: name=dnsmasq state=started enabled=yes

roles/security/handlers/main.yml

@@ -1,5 +1,8 @@
 - name: restart rsyslog
   service: name=rsyslog state=restarted
-
+  
+- name: save iptables
+  command: service netfilter-persistent save
+  
 - name: flush routing cache
   shell: echo 1 > /proc/sys/net/ipv4/route/flush

roles/security/tasks/main.yml

@@ -98,3 +98,20 @@
 
 - name: Do not send ICMP redirects (we are not a router)
   sysctl: name=net.ipv4.conf.all.send_redirects value=0
+
+- name: Drop SMB traffic
+  iptables:
+    table: filter
+    chain: FORWARD
+    protocol: tcp
+    source: 0.0.0.0/0
+    destination: 0.0.0.0/0
+    destination_port: "{{ item }}"
+    jump: DROP
+    action: insert
+  with_items:
+    - 137
+    - 139
+    - 445
+  notify:
+  - save iptables