
Making IIAB's firewall (iptables) understandable to newbie implementers #1677

Merged (21 commits), May 23, 2019

Conversation

@holta (Member) commented May 19, 2019

IF YOU NEED TO CHANGE ports_externally_visible DO THAT IN:

  /etc/iiab/local_vars.yml

This firewall variable must be an integer {0...5} as follows:

  0 = none
  1 = ssh only
  2 = ssh + http-or-https (for Admin Console's box.lan/admin too)
  3 = ssh + http-or-https + common IIAB services  <--  THIS IS THE DEFAULT
  4 = ssh + http-or-https + common IIAB services + Samba
  5 = all but databases

Then enable it with iptables by running: cd /opt/iiab/iiab; ./iiab-network

(above pasted in from this PR's iiab/roles/network/templates/gateway/iiab-gen-iptables)

Or further customize your iptables firewall by editing:
/opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables
And then run: cd /opt/iiab/iiab; ./iiab-network

(above pasted in from this PR's local_vars files & default_vars.yml)

To be documented in https://github.com/iiab/iiab/wiki/IIAB-Networking and http://FAQ.IIAB.IO

FYI Ansible variables services_externally_visible and gui_wan are intentionally deprecated, in order to make possible this big improvement in usability for new IIAB implementers.

Builds on #1664, PR #1665

@holta holta added this to the 7.0 milestone May 19, 2019
@holta (Member, Author) commented May 19, 2019

Tested on Raspbian, Ubuntu 16.04, Ubuntu 18.04

@holta requested a review from georgejhunt May 19, 2019 11:23

@holta (Member, Author) left a review comment

@jvonau is it OK to eliminate the "$network_mode" == "Appliance" clause from the conditions on lines 80 & 123?

(It would appear that testing for "$wan" == "none" is sufficient.)

Review comments on roles/network/templates/gateway/iiab-gen-iptables (outdated, resolved)
@tim-moody (Contributor)

There is no Admin Console port. It uses the web server, so this should be http and/or https.

@tim-moody (Contributor)

If I edit /opt/iiab/iiab/roles/network/templates/gateway/iiab-gen-iptables I will not be able to do another pull without stashing and will easily lose my changes.

In my view a better strategy would be to create /etc/iiab/iiab-gen-iptables.d, where hand-coded rules can be placed and then merged by iiab-gen-iptables, possibly enabled with an allow_custom_firewall_rules flag.

@holta (Member, Author) commented May 19, 2019

> There is no Admin Console port. It uses the web server, so this should be http and/or https.

FWIW iiab-gen-iptables continues to use Admin Console port gui_port as set here:

https://github.com/iiab/iiab/blob/master/roles/0-init/tasks/main.yml#L87-L95

For now I'm trying not to change (Jerry's?) original framework much. This PR is really just about providing an easily understandable "firewall security knob/dial" for people who do not have the ability to navigate iptables details.

PS A separate PR establishing guidelines for advanced iptables users might make sense, as you say.

@tim-moody (Contributor)

The variable gui_port does not appear in iiab-admin-console; it was introduced by Jerry. It is set to 80 or 443 in iiab. The user should be aware that if they expose gui_port they are exposing the whole web server; that would include awstats, for instance, and anything that has an alias, like kiwix, etc. So calling it Admin Console is quite misleading.
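The following is an added example, not iiab's own iiab-gen-iptables script and not code from anyone in this thread. It sketches the two mechanisms discussed above in one stand-alone POSIX shell script: the ports_externally_visible knob (0..5, read from a local_vars.yml-style file, default 3) mapped to cumulative WAN-side iptables rules, and tim-moody's proposed drop-in directory whose hand-written rules are merged only when an allow_custom_firewall_rules flag is set. It prints the iptables commands rather than executing them, so the resulting policy can be read (or diffed against the live ruleset) before anything is applied. The function names (read_level, accept_tcp, gen_rules, merge_custom_rules), the placeholder port numbers for "common IIAB services" and databases, the *.rules file naming and the eth0 interface are all assumptions made for the example; the comment at level 2 records tim-moody's caveat that opening gui_port opens the whole web server, not just /admin.

```shell
#!/bin/sh
# Added example, NOT iiab's iiab-gen-iptables: maps the ports_externally_visible
# level to WAN-side iptables rules and merges opt-in drop-in rules. It only
# prints the commands it would run. Ports, names and paths are assumptions.

SSH_PORT=22
HTTP_PORT=80
HTTPS_PORT=443
COMMON_SERVICE_PORTS="8008 8080"   # placeholder for "common IIAB services"
SAMBA_TCP_PORTS="139 445"
SAMBA_UDP_PORTS="137 138"          # NetBIOS name / datagram service
DB_PORTS="3306 5432"               # assumed DB ports (MySQL/MariaDB, PostgreSQL)

# read_level FILE -> integer after "ports_externally_visible:" in a flat Ansible
# vars file; falls back to the documented default of 3 if absent or unreadable.
read_level() {
    v=$(sed -n 's/^ports_externally_visible:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | head -n 1)
    echo "${v:-3}"
}

# accept_tcp WAN "PORTS" -> one ACCEPT rule per TCP port on the WAN interface.
accept_tcp() {
    for p in $2; do
        echo "iptables -A INPUT -i $1 -p tcp --dport $p -j ACCEPT"
    done
}

# gen_rules LEVEL WAN -> the WAN-side INPUT policy for LEVEL, cumulative as in
# the PR description. Anything outside {0..5} prints nothing and returns 1.
gen_rules() {
    level=$1; wan=$2
    case "$level" in
        [0-5]) ;;
        *) echo "ports_externally_visible must be an integer 0..5, got '$level'" >&2; return 1 ;;
    esac
    # Baseline for every level: default-deny; keep loopback and replies working.
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    [ "$level" -ge 1 ] && accept_tcp "$wan" "$SSH_PORT"
    # Level 2 opens the web server itself, not only /admin: every alias behind
    # 80/443 (awstats, kiwix, ...) becomes reachable from the WAN.
    [ "$level" -ge 2 ] && accept_tcp "$wan" "$HTTP_PORT $HTTPS_PORT"
    [ "$level" -ge 3 ] && accept_tcp "$wan" "$COMMON_SERVICE_PORTS"
    if [ "$level" -ge 4 ]; then
        accept_tcp "$wan" "$SAMBA_TCP_PORTS"
        for p in $SAMBA_UDP_PORTS; do
            echo "iptables -A INPUT -i $wan -p udp --dport $p -j ACCEPT"
        done
    fi
    if [ "$level" -eq 5 ]; then
        # "all but databases": DROP the DB ports first (first match wins), then
        # open everything else on the WAN interface.
        for p in $DB_PORTS; do
            echo "iptables -A INPUT -i $wan -p tcp --dport $p -j DROP"
        done
        echo "iptables -A INPUT -i $wan -j ACCEPT"
    fi
    return 0
}

# merge_custom_rules DIR FLAG -> the hand-written rules in DIR/*.rules (one
# iptables command per line; '#' comments and blank lines dropped), but only
# when FLAG is 1. Without the opt-in a stray file in DIR cannot open a port.
merge_custom_rules() {
    dir=$1; flag=${2:-0}
    [ "$flag" = "1" ] && [ -d "$dir" ] || return 0
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        echo "# custom rules from $f"
        sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$f"
    done
    return 0
}

# Stand-alone use: print the policy for the level in the vars file (default 3
# when the file is missing) on eth0; pipe it into sh only after reading it.
gen_rules "$(read_level /etc/iiab/local_vars.yml)" eth0
```

Because iptables evaluates rules in order, the level-5 DROPs for the database ports must be emitted before the catch-all ACCEPT; putting them after it would silently expose the databases. Likewise the flag check in merge_custom_rules happens before the directory is even listed, so an unexpected file under the drop-in path changes nothing until an operator explicitly turns the flag on.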

@holta (Member, Author) commented May 19, 2019

@holta (Member, Author) commented May 21, 2019

@jvonau @georgejhunt @jvonau @m-anish firewall (iptables) is experimentally revised, adding our usual WAN-side rules to better protect Appliances: roles/network/templates/gateway/iiab-gen-iptables#L122-L190

PR #1677 seems ready to merge now (but LMK if issues remain?)
