Add the possibility to log the traffic that does not have a match

This commit is contained in:
Andrea Dell'Amico 2020-11-30 16:09:21 +01:00
parent a4f0508a07
commit 3d6e4250d8
2 changed files with 15 additions and 5 deletions


@ -2,6 +2,7 @@
iptables_persistent_enabled: True
#iptables_default_policy: REJECT
iptables_default_policy: ACCEPT
iptables_log_untracked_traffic: False
iptables_nat_enabled: False
iptables_nat_specify_interfaces: True
iptables_post_nat_enabled: False
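Review bot: The new `iptables_log_untracked_traffic` default is added without a comment, and the name is easy to misread — in netfilter terms "untracked" usually means the conntrack UNTRACKED state, whereas the template rules this flag enables log packets that reached the end of a chain without matching any rule. A one-line comment above it would prevent that confusion, for example `# Log packets that fall through INPUT/FORWARD/POSTROUTING without matching any rule (kernel log; can be noisy)`. Mentioning that the lines land in the kernel log and can be high-volume on a busy host also tells operators what enabling it costs.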


@ -261,12 +261,12 @@
{% endif %}
{% endif %}
{% endif %}
{% if tomcat_cluster_enabled %}
{% if hybernate_cluster_enabled %}
# tomcat cluster
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
{% if tomcat_cluster_multicast_net is defined %}
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
-A INPUT -m pkttype --pkt-type multicast -d {{ hybernate__multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ hybernate_multicast_port }} -j ACCEPT
{% if hybernate_multicast_net is defined %}
-A INPUT -d {{ hybernate_multicast_net }} -j ACCEPT
{% endif %}
{% endif %}
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
@ -330,6 +330,9 @@
{% endif %}
#
# INPUT POLICY
{% if iptables_log_untracked_traffic %}
-A INPUT -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid
{% endif %}
{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %}
@ -343,6 +346,9 @@
-A FORWARD {{ rule.options }} -j ACCEPT
{% endfor %}
{% endif %}
{% if iptables_log_untracked_traffic %}
-A FORWARD -j LOG --log-prefix "FORWARDING_UNTRACKED " --log-uid
{% endif %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
@ -377,5 +383,8 @@ COMMIT
{% for rule in iptables_nat_rules %}
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
{% endfor %}
{% if iptables_log_untracked_traffic %}
-A POSTROUTING -j LOG --log-prefix "POSTROUTING_UNTRACKED " --log-uid
{% endif %}
COMMIT
{% endif %}
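Review bot: The three new LOG rules (the INPUT one in the `@ -330` hunk, FORWARD in `@ -343`, POSTROUTING in `@ -377`) sit just before the default REJECT/ACCEPT with no rate limit, so any unmatched flood fills the kernel log and the syslog pipeline; a `-m limit` match is the usual guard, e.g. `-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid`, and the same for the FORWARD and POSTROUTING lines. `--log-uid` only records a uid for locally generated packets, so on INPUT and FORWARD it adds nothing; keeping it is harmless but worth a comment if intentional. The POSTROUTING rule appears to be in the nat table, where "no NAT rule matched" is the normal case for most traffic, so that log line may be far noisier than the other two — worth checking on a host with NAT enabled. In the `@ -261` hunk, `hybernate__multicast_addr` has a double underscore while the neighbouring lines use `hybernate_multicast_port` and `hybernate_multicast_net`; if those lines are the new side, the rendered `-d` argument will be empty or the template will fail on an undefined variable. The `{% if %}` blocks enclosing each hunk begin outside the visible lines.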