From 14849324132e7d8cc0eb2c72beaaa7eb6793fbd7 Mon Sep 17 00:00:00 2001
From: darkwizard242
Date: Tue, 21 Sep 2021 18:22:46 -0400
Subject: [PATCH 1/5] add notifiers to persist v4 and v6 rules when firewall used is iptables on the system
---
 tasks/section_03.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tasks/section_03.yml b/tasks/section_03.yml
index 5126c890..9e73a0b1 100644
--- a/tasks/section_03.yml
+++ b/tasks/section_03.yml
@@ -878,6 +878,8 @@
 jump: "{{ ubuntu_2004_cis_section3_rule_3_5_3_2_1_params_iptablesloopbackchain_inputlocal_jump }}"
 source: "{{ ubuntu_2004_cis_section3_rule_3_5_3_2_1_params_iptablesloopbackchain_inputlocal_interface }}"
+ notify:
+ - persist iptables v4 rules
 when:
 - ubuntu_2004_cis_firewall == "iptables"
 - ubuntu_2004_cis_section3_rule_3_5_3_2_1
@@ -907,6 +909,8 @@
 protocol: "{{ item }}"
 with_items: "{{ ubuntu_2004_cis_section3_rule_3_5_3_2_2_params_output_connections_protocols }}"
+ notify:
+ - persist iptables v4 rules
 when:
 - ubuntu_2004_cis_firewall == "iptables"
 - ubuntu_2004_cis_section3_rule_3_5_3_2_2
@@ -937,6 +941,8 @@
 protocol: "{{ item }}"
 with_items: "{{ ubuntu_2004_cis_section3_rule_3_5_3_2_4_params_output_connections_protocols }}"
+ notify:
+ - persist iptables v4 rules
 when:
 - ubuntu_2004_cis_firewall == "iptables"
 - ubuntu_2004_cis_section3_rule_3_5_3_2_4
@@ -967,6 +973,8 @@
 policy: "{{ ubuntu_2004_cis_section3_rule_3_5_3_2_3_params_iptableschain_forward_policy }}"
 when: ubuntu_2004_cis_section3_rule_iptables_ipv4_default_deny_forward
+ notify:
+ - persist iptables v4 rules
 when:
 - ubuntu_2004_cis_firewall == "iptables"
 - ubuntu_2004_cis_section3_rule_3_5_3_2_3
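Review bot: The `notify: - persist iptables v4 rules` added in this hunk and the next three (and the v6 counterparts in the four `@@ -1000` through `@@ -1099` hunks) fires only when the iptables task reports `changed`, so a host whose live chains already match but whose /etc/iptables/rules.v4 is missing or stale is never re-saved; if persistence is a hardening requirement rather than best effort, a regular task guarded by the same `when:` conditions that performs the save unconditionally would be more reliable than a handler. In the `@@ -967` hunk (and `@@ -1066` for IPv6) the new `notify:` directly follows a line reading `when: ubuntu_2004_cis_section3_rule_iptables_ipv4_default_deny_forward`; the collapsed patch hides indentation, so please confirm that line belongs to a nested task rather than being a second task-level `when:`, which Ansible only warns about and then resolves last-wins, silently dropping that guard. The enclosing tasks start before each hunk and their remaining `when:` conditions continue after it.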
@@ -1000,6 +1008,8 @@
 source: "{{ ubuntu_2004_cis_section3_rule_3_5_3_3_1_params_iptablesloopbackchain_inputlocal_interface }}"
 ip_version: "{{ ubuntu_2004_cis_section3_rule_3_5_3_3_1_params_iptablesloopbackchain_inputlocal_ipversion }}"
+ notify:
+ - persist iptables v6 rules
 when:
 - ubuntu_2004_cis_require_ipv6
 - ubuntu_2004_cis_firewall == "iptables"
@@ -1032,6 +1042,8 @@
 protocol: "{{ item }}"
 with_items: "{{ ubuntu_2004_cis_section3_rule_3_5_3_3_2_params_output_connections_protocols }}"
+ notify:
+ - persist iptables v6 rules
 when:
 - ubuntu_2004_cis_require_ipv6
 - ubuntu_2004_cis_firewall == "iptables"
@@ -1066,6 +1078,8 @@
 ip_version: "{{ ubuntu_2004_cis_section3_rule_3_5_3_3_3_params_iptableschain_forward_ipversion }}"
 when: ubuntu_2004_cis_section3_rule_iptables_ipv6_default_deny_forward
+ notify:
+ - persist iptables v6 rules
 when:
 - ubuntu_2004_cis_require_ipv6
 - ubuntu_2004_cis_firewall == "iptables"
@@ -1099,6 +1113,8 @@
 protocol: "{{ item }}"
 with_items: "{{ ubuntu_2004_cis_section3_rule_3_5_3_3_4_params_output_connections_protocols }}"
+ notify:
+ - persist iptables v6 rules
 when:
 - ubuntu_2004_cis_require_ipv6
 - ubuntu_2004_cis_firewall == "iptables"
From 091e8e6606be11ce1c94b439ef1e8b7946f6db13 Mon Sep 17 00:00:00 2001
From: darkwizard242
Date: Tue, 21 Sep 2021 18:23:06 -0400
Subject: [PATCH 2/5] add handlers for iptables v4 and v6 rules persistence
---
 handlers/main.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/handlers/main.yml b/handlers/main.yml
index eb744d51..bf99aaf7 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -76,3 +76,13 @@
 name: sshd
 enabled: yes
 state: restarted
+
+- name: persist iptables v4 rules
+ shell: iptables-save > /etc/iptables/rules.v4
+ args:
+ executable: /bin/bash
+
+- name: persist iptables v6 rules
+ shell: iptables-save > /etc/iptables/rules.v6
+ args:
+ executable: /bin/bash
From 9d7c2c5a5dedb82379e5337f352e2b0d0a181fc9 Mon Sep 17 00:00:00 2001
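Review bot: Both new handlers redirect `iptables-save` into /etc/iptables/, a directory that is normally created by the iptables-persistent package, and the saved file is only replayed at boot if the netfilter-persistent service is enabled; if the role does not ensure both elsewhere, the handler either fails with a no-such-file error on a fresh host or succeeds while the hardened ruleset is still lost at the next reboot. Making that dependency explicit — an assert on the package, or a `file:` task creating /etc/iptables with `state: directory` and `mode: '0755'` ahead of the section — would turn the silent case into a visible failure. The `executable: /bin/bash` is not needed for a plain redirect, which `/bin/sh` handles, though it is harmless.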
From: darkwizard242
Date: Wed, 22 Sep 2021 12:21:17 -0400
Subject: [PATCH 3/5] fix persist iptables v6 rules
---
 handlers/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index bf99aaf7..288f6ca9 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -83,6 +83,6 @@
 executable: /bin/bash
 - name: persist iptables v6 rules
- shell: iptables-save > /etc/iptables/rules.v6
+ shell: ip6tables-save > /etc/iptables/rules.v6
 args:
 executable: /bin/bash
From f7bd63dec2b5837b4443fd0379cd847b36d84089 Mon Sep 17 00:00:00 2001
From: darkwizard242
Date: Wed, 22 Sep 2021 16:19:14 -0400
Subject: [PATCH 4/5] extended task to enforce drop of ipv6 connections when ipv6 is set to be disabled and firewall is iptables
---
 defaults/main/section_03.yml | 10 ++++++++++
 tasks/section_03.yml | 19 +++++++++++++++++++
 .../section_03/iptables_drop_rules.v6.j2 | 7 +++++++
 3 files changed, 36 insertions(+)
 create mode 100644 templates/section_03/iptables_drop_rules.v6.j2
diff --git a/defaults/main/section_03.yml b/defaults/main/section_03.yml
index d6e397c1..39dff716 100644
--- a/defaults/main/section_03.yml
+++ b/defaults/main/section_03.yml
@@ -526,3 +526,13 @@ ubuntu_2004_cis_section3_rule_3_5_3_3_4_params_output_connections_ipversion: ipv
 ubuntu_2004_cis_section3_rule_3_5_3_3_4_params_output_connections_protocols:
 - tcp
 - udp
+
+
+# Variables for Section 3 | IPtables | Extended Task 1
+ubuntu_2004_cis_section3_iptables_ext_1: true
+
+ubuntu_2004_cis_section3_iptables_ext_1_params_source: section_03/iptables_drop_rules.v6.j2
+ubuntu_2004_cis_section3_iptables_ext_1_params_dest: /etc/iptables/rules.v6
+ubuntu_2004_cis_section3_iptables_ext_1_params_owner: root
+ubuntu_2004_cis_section3_iptables_ext_1_params_group: root
+ubuntu_2004_cis_section3_iptables_ext_1_params_mode: '0644'
diff --git a/tasks/section_03.yml b/tasks/section_03.yml
index 9e73a0b1..ac1e052d 100644
--- a/tasks/section_03.yml
+++ b/tasks/section_03.yml
@@ -1124,3 +1124,22 @@
 - section3
 - rule_3_5_3_3_4
 - level_1
+
+
+## Following is a custom task to ensure that IPv6 DROP rules are present when IPv6 is not required i.e 'ubuntu_2004_cis_require_ipv6: false' and firewall is iptables i.e. 'ubuntu_2004_cis_firewall: iptables'
+## REFERENCE: https://github.com/darkwizard242/cis_ubuntu_2004/issues/9#issuecomment-925172069
+- name: "Ensure ipv6 DROP rules are present when firewall is 'iptables' and 'ipv6' is disabled"
+ template:
+ src: "{{ ubuntu_2004_cis_section3_iptables_ext_1_params_source }}"
+ dest: "{{ ubuntu_2004_cis_section3_iptables_ext_1_params_dest }}"
+ owner: "{{ ubuntu_2004_cis_section3_iptables_ext_1_params_owner }}"
+ group: "{{ ubuntu_2004_cis_section3_iptables_ext_1_params_group }}"
+ mode: "{{ ubuntu_2004_cis_section3_iptables_ext_1_params_mode }}"
+ when:
+ - not ubuntu_2004_cis_require_ipv6
+ - ubuntu_2004_cis_firewall == "iptables"
+ - ubuntu_2004_cis_section3_iptables_ext_1
+ - ubuntu_2004_cis_section3
+ tags:
+ - section3
+ - level_1
diff --git a/templates/section_03/iptables_drop_rules.v6.j2 b/templates/section_03/iptables_drop_rules.v6.j2
new file mode 100644
index 00000000..be4cdcb5
--- /dev/null
+++ b/templates/section_03/iptables_drop_rules.v6.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+COMMIT
From 2f7f34efae31c5073f51dabff631f12147c69ab6 Mon Sep 17 00:00:00 2001
From: darkwizard242
Date: Sun, 26 Sep 2021 12:34:20 -0400
Subject: [PATCH 5/5] update to version table in docs
---
 README.md | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index ff3a2a84..2b0f09c4 100644
--- a/README.md
+++ b/README.md
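Review bot: The new template task writes the DROP-all policy to /etc/iptables/rules.v6 but nothing loads it, so until the next reboot (or a manual `netfilter-persistent reload`) the running ip6tables chains keep whatever policy they had, which is weaker than the task name 'Ensure ipv6 DROP rules are present' suggests. Adding `notify: - apply iptables v6 rules` to this task, backed by a handler that runs `ip6tables-restore < /etc/iptables/rules.v6`, would make the file effective immediately; the existing `persist iptables v6 rules` handler must not be reused for that, since its `ip6tables-save` would overwrite this file with the live ruleset — as far as the guards show, the two can only run in different invocations (`require_ipv6` true versus false), and that invariant deserves a sentence in the `##` comment above the task. Unlike its siblings (see `rule_3_5_3_3_4` in the context lines) the task carries no per-rule tag, so it cannot be selected or skipped on its own; if that is intentional for an extension task, a short note in the comment would help.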
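Review bot: The new template sets DROP on INPUT, FORWARD and OUTPUT with no accept rule for the loopback interface, so once it is loaded even traffic to `::1` is dropped; that is presumably intended when `ubuntu_2004_cis_require_ipv6` is false, but a service that binds `::1` (many resolve `localhost` dual-stack) would then fail in a way that is hard to trace back to this file. A header comment in the template stating that the policy deliberately covers loopback and is only deployed when IPv6 is declared unused would spare the next maintainer that investigation; if loopback is meant to keep working, `-A INPUT -i lo -j ACCEPT` and `-A OUTPUT -o lo -j ACCEPT` before `COMMIT` are the conventional additions.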
@@ -16,7 +16,7 @@ The below table specifies the versions of role available on [Ansible Galaxy](htt
 CIS Ubuntu 20.04 Benchmark Version | Ansible Galaxy Version | Repository Tag Version
 ---------------------------------- | ---------------------- | ----------------------
 1.0.0 | 1.0.0, 1.0.1, 1.0.2 | 1.0.0, 1.0.1, 1.0.2
-1.1.0 | 2.0.0, 2.0.1 | 2.0.0, 2.0.1
+1.1.0 | 2.0.0, 2.0.1, 2.1.0 | 2.0.0, 2.0.1, 2.1.0
 ## 1\. Installation/Download Instructions:
@@ -30,10 +30,10 @@ This role is available on Ansible Galaxy. There are a few methods you can utiliz
 ansible-galaxy install darkwizard242.cis_ubuntu_2004
 ```
-- Installing/Downloading specific available tag version (using 2.0.0 as an example):
+- Installing/Downloading specific available tag version (using 2.1.0 as an example):
 ```shell
- ansible-galaxy install darkwizard242.cis_ubuntu_2004,2.0.0
+ ansible-galaxy install darkwizard242.cis_ubuntu_2004,2.1.0
 ```
 - Installing/Downloading specific available branch version from repository (using `master` branch as an example, `master` will always be compliant to latest available version of **CIS Ubuntu 20.04 Benchmark**):
@@ -68,7 +68,7 @@ Add to an existing **requirements.yml** file along with your other roles or crea
 ```yaml
 - name: darkwizard242.cis_ubuntu_2004
- version: 2.0.0
+ version: 2.1.0
 ```
 - Specific branch from repository.