Add the possibility to log the traffic that does not have a match
This commit is contained in:
parent
a4f0508a07
commit
3d6e4250d8
|
|
@ -2,6 +2,7 @@
|
|||
iptables_persistent_enabled: True
|
||||
#iptables_default_policy: REJECT
|
||||
iptables_default_policy: ACCEPT
|
||||
iptables_log_untracked_traffic: False
|
||||
iptables_nat_enabled: False
|
||||
iptables_nat_specify_interfaces: True
|
||||
iptables_post_nat_enabled: False
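Review bot: `iptables_log_untracked_traffic: False` (presumably the line this hunk adds, given the 6→7 count) carries no comment, and none of the neighbouring defaults do either, so a user has to read the template hunks below to learn that enabling it appends a LOG rule at the end of INPUT, FORWARD and nat POSTROUTING. Suggest a line above it: `# Log packets that reach the end of INPUT/FORWARD/POSTROUTING without matching a rule (not conntrack's UNTRACKED state); noisy on busy hosts`. Naming it after the chain position rather than "untracked" would also avoid confusion with the conntrack state of the same name, but the variable name is now part of the role interface.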
|
||||
|
|
|
|||
|
|
@ -261,12 +261,12 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if tomcat_cluster_enabled %}
|
||||
{% if hybernate_cluster_enabled %}
|
||||
# tomcat cluster
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
|
||||
{% if tomcat_cluster_multicast_net is defined %}
|
||||
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ hybernate__multicast_addr }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ hybernate_multicast_port }} -j ACCEPT
|
||||
{% if hybernate_multicast_net is defined %}
|
||||
-A INPUT -d {{ hybernate_multicast_net }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
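Review bot: `hybernate__multicast_addr` on the `-A INPUT -m pkttype --pkt-type multicast` line has a double underscore, unlike `hybernate_multicast_port` and `hybernate_multicast_net` on the following lines. The rendered hunk has lost its +/- markers, so which side it belongs to is inferred from the 12/12 counts and the tomcat/hybernate pairing; if it is on the new side, the template either fails to render (Ansible's default for undefined variables) or, where undefined is tolerated, emits `-d  -j ACCEPT` and accepts all multicast instead of one group. Suggest `-A INPUT -m pkttype --pkt-type multicast -d {{ hybernate_multicast_addr }} -j ACCEPT`. The `# tomcat cluster` comment retained above the rules reads as stale if the block now covers hybernate; the enclosing `{% if %}` nesting starts outside the hunk.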
|
||||
|
|
@ -330,6 +330,9 @@
|
|||
{% endif %}
|
||||
#
|
||||
# INPUT POLICY
|
||||
{% if iptables_log_untracked_traffic %}
|
||||
-A INPUT -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid
|
||||
{% endif %}
|
||||
{% if iptables_input_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
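Review bot: The new `-A INPUT -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid` rule has no rate limit, so every packet that reaches the end of INPUT produces a kernel log line and an unmatched flood turns into log and disk exhaustion on the host; the FORWARD and POSTROUTING rules in the later hunks have the same shape. Suggest `-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT_UNTRACKED " --log-uid` (or make the limit a variable). `--log-uid` records the owner of the local socket that generated the packet, which does not exist for incoming or forwarded packets, so it is a no-op on INPUT and FORWARD and can be dropped there. The word `UNTRACKED` in the prefix is also easy to read as conntrack's UNTRACKED state, which this rule does not match; a prefix such as `INPUT_UNMATCHED ` is less ambiguous for whoever parses these logs.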
|
||||
|
|
@ -343,6 +346,9 @@
|
|||
-A FORWARD {{ rule.options }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables_log_untracked_traffic %}
|
||||
-A FORWARD -j LOG --log-prefix "FORWARDING_UNTRACKED " --log-uid
|
||||
{% endif %}
|
||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
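Review bot: The log prefix `FORWARDING_UNTRACKED ` does not follow the chain-name pattern used by the other two prefixes (`INPUT_…`, `POSTROUTING_…`), which makes filtering log lines by chain inconsistent. `--log-prefix "FORWARD_UNTRACKED "` keeps the pattern; the rate-limit and `--log-uid` points raised on the INPUT hunk apply to this line unchanged.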
|
||||
|
|
@ -377,5 +383,8 @@ COMMIT
|
|||
{% for rule in iptables_nat_rules %}
|
||||
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
|
||||
{% endfor %}
|
||||
{% if iptables_log_untracked_traffic %}
|
||||
-A POSTROUTING -j LOG --log-prefix "POSTROUTING_UNTRACKED " --log-uid
|
||||
{% endif %}
|
||||
COMMIT
|
||||
{% endif %}
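Review bot: The nat-table `-A POSTROUTING -j LOG` rule follows the `iptables_nat_rules` loop with no terminating policy rule, and the nat table is only consulted for the first packet of a new connection, so it logs one entry for every new connection that no NAT rule handled — including ordinary locally originated traffic — rather than anything that is dropped. If auditing un-NATed flows is the intent that is fine but deserves a comment in the template, e.g. `# logs the first packet of every new connection not handled by a NAT rule`; if the intent is to mirror the filter-table rules, this one does not belong in the nat table. The `{% if %}` closed by the final `{% endif %}` starts outside the hunk.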
|
||||
|
|
|
|||