Add the possibility to log the traffic that does not have a match
This commit is contained in:
parent
a4f0508a07
commit
3d6e4250d8
|
|
@ -2,6 +2,7 @@
|
||||||
iptables_persistent_enabled: True
|
iptables_persistent_enabled: True
|
||||||
#iptables_default_policy: REJECT
|
#iptables_default_policy: REJECT
|
||||||
iptables_default_policy: ACCEPT
|
iptables_default_policy: ACCEPT
|
||||||
|
iptables_log_untracked_traffic: False
|
||||||
iptables_nat_enabled: False
|
iptables_nat_enabled: False
|
||||||
iptables_nat_specify_interfaces: True
|
iptables_nat_specify_interfaces: True
|
||||||
iptables_post_nat_enabled: False
|
iptables_post_nat_enabled: False
|
||||||
|
|
|
||||||
|
|
@ -261,12 +261,12 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if tomcat_cluster_enabled %}
|
{% if hybernate_cluster_enabled %}
|
||||||
# tomcat cluster
|
# tomcat cluster
|
||||||
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
|
-A INPUT -m pkttype --pkt-type multicast -d {{ hybernate__multicast_addr }} -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ hybernate_multicast_port }} -j ACCEPT
|
||||||
{% if tomcat_cluster_multicast_net is defined %}
|
{% if hybernate_multicast_net is defined %}
|
||||||
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
|
-A INPUT -d {{ hybernate_multicast_net }} -j ACCEPT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
||||||
|
|
@ -330,6 +330,9 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
#
|
#
|
||||||
# INPUT POLICY
|
# INPUT POLICY
|
||||||
|
{% if iptables_log_untracked_traffic %}
|
||||||
|
-A INPUT -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid
|
||||||
|
{% endif %}
|
||||||
{% if iptables_input_default_policy == 'REJECT' %}
|
{% if iptables_input_default_policy == 'REJECT' %}
|
||||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
@ -343,6 +346,9 @@
|
||||||
-A FORWARD {{ rule.options }} -j ACCEPT
|
-A FORWARD {{ rule.options }} -j ACCEPT
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% if iptables_log_untracked_traffic %}
|
||||||
|
-A FORWARD -j LOG --log-prefix "FORWARDING_UNTRACKED " --log-uid
|
||||||
|
{% endif %}
|
||||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
@ -377,5 +383,8 @@ COMMIT
|
||||||
{% for rule in iptables_nat_rules %}
|
{% for rule in iptables_nat_rules %}
|
||||||
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
|
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% if iptables_log_untracked_traffic %}
|
||||||
|
-A POSTROUTING -j LOG --log-prefix "POSTROUTING_UNTRACKED " --log-uid
|
||||||
|
{% endif %}
|
||||||
COMMIT
|
COMMIT
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue