Tunnel internal NTP traffic through IPSec.

More precisely, between our NTP-master (stratum 1) host and the other machines (all stratum 2). Providing authentification and integrity for internal NTP traffic ensures a consistent time within our internal infrastructure.
author: Guilhem Moulin <guilhem@fripost.org> 2016-05-22 16:40:50 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2016-05-22 17:53:58 +0200
commit: b331c2f99c1217c6f4208159c64ca6a5b0053bc7 (patch)
tree: 19d0cb75c9dbee89064d510b3bb617bf0356b30a /roles/common
parent: 3fafa03aeb3640a86d9cd8c639d085df6a8d085d (diff)
2 files changed, 3 insertions, 8 deletions
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 6bd2533..8450f00 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -1,44 +1,39 @@
 # {{ ansible_managed }}
 # Do NOT edit this file directly!
 #
 # direction              protocol     destination port            source port
 # (in|out|inout)[46]?    (tcp|udp|..) (port|port:port|port,port)  (port|port:port|port,port)
 
 {% if groups.all | length > 1 %}
 inout4  udp     500      500                            # ISAKMP
 {% if groups.NATed | length > 0 %}
 inout4  udp     4500     4500                           # IPSec NAT Traversal
 {% endif %}
 {% endif %}
 
 out     tcp     80,443                                  # HTTP/HTTPS
 out     tcp     9418                                    # GIT
 out     udp     53                                      # DNS
 out     udp     67                                      # DHCP
 out     tcp     22                                      # SSH
-{% if 'NTP-master' in group_names %}
-in      udp     123                                     # NTP
-out     udp     123                                     # NTP
-{% else %}
 out     udp     123      123                            # NTP
-{% endif %}
 
 in      tcp     {{ ansible_port|default('22') }}        # SSH
 {% if 'LDAP-provider' in group_names %}
 in      tcp     636                                     # LDAPS
 {% elif 'MX' in group_names or  'lists' in group_names %}
 out     tcp     636                                     # LDAPS
 {% endif %}
 {% if 'MX' in group_names %}
 in      tcp     25                                      # SMTP
 {% if 'MDA' not in group_names %}
 out     tcp     {{ postfix_instance.IMAP.port }}
 {% endif %}
 {% if 'lists' not in group_names %}
 out     tcp     {{ postfix_instance.lists.port }}
 {% endif %}
 {% endif %}
 {% if 'out' in group_names %}
 {% if groups.all | difference([inventory_hostname]) %}
 in      tcp     {{ postfix_instance.out.port }}
 {% endif %}
diff --git a/roles/common/templates/etc/ntp.conf.j2 b/roles/common/templates/etc/ntp.conf.j2
index d46ba18..5957276 100644
--- a/roles/common/templates/etc/ntp.conf.j2
+++ b/roles/common/templates/etc/ntp.conf.j2
@@ -7,43 +7,43 @@ driftfile /var/lib/ntp/ntp.drift
 #statsdir /var/log/ntpstats/
 
 statistics loopstats peerstats clockstats
 filegen loopstats file loopstats type day enable
 filegen peerstats file peerstats type day enable
 filegen clockstats file clockstats type day enable
 
 
 # You do need to talk to an NTP server or two (or three).
 {% if 'NTP-master' in group_names %}
 # Use Stratum One Time Servers:
 # http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
 server ntp1.sp.se         iburst
 server ntp2.sp.se         iburst
 server ntp2.gbg.netnod.se iburst
 server ntp1.sth.netnod.se iburst
 server ntp2.sth.netnod.se iburst
 {% else %}
 # Sychronize to our (stratum 2) NTP server, to ensure our network has a
 # consistent time.
-# TODO: use to pubkey authentication to unsure an attacker doesn't
-# impersonate our NTP server and gives us incorrect time.
-server ntp.fripost.org   iburst
+{% for host in groups['NTP-master'] | sort %}
+server {{ ipsec[ hostvars[host].inventory_hostname_short ] }} prefer iburst
+{% endfor %}
 server 0.se.pool.ntp.org iburst
 server 1.se.pool.ntp.org iburst
 {% endif %}
 
 
 # Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
 # details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
 # might also be helpful.
 #
 # Note that "restrict" applies to both servers and clients, so a configuration
 # that might be intended to block requests from certain clients could also end
 # up blocking replies from your own upstream servers.
 
 # By default, exchange time with everybody, but don't allow configuration.
 restrict -4 default limited kod nomodify notrap nopeer noquery
 restrict -6 default limited kod nomodify notrap nopeer noquery
 
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
 restrict ::1
author	Guilhem Moulin <guilhem@fripost.org>	2016-05-22 16:40:50 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2016-05-22 17:53:58 +0200
commit	b331c2f99c1217c6f4208159c64ca6a5b0053bc7 (patch)
tree	19d0cb75c9dbee89064d510b3bb617bf0356b30a /roles/common
parent	3fafa03aeb3640a86d9cd8c639d085df6a8d085d (diff)