From a4f0508a076b1a3846f9dd6b74da07b37ecded02 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 12 Nov 2020 19:01:24 +0100
Subject: [PATCH] Move the tcp/udp/any rules up

---
 templates/iptables-rules.v4.j2 | 114 +++++++++++++++++----------
 1 file changed, 59 insertions(+), 55 deletions(-)

diff --git a/templates/iptables-rules.v4.j2 b/templates/iptables-rules.v4.j2
index 16e92f0..cead908 100644
--- a/templates/iptables-rules.v4.j2
+++ b/templates/iptables-rules.v4.j2
@@ -71,7 +71,65 @@
 {% endif %}
 {% endif %}
 {% endif %}
+
+{% if iptables is defined %}
+{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
+# TCP rules
+{% for tcp_rule in iptables.tcp %}
+{% if tcp_rule.allowed_hosts is defined %}
+{% for ip in tcp_rule.allowed_hosts %}
+{% if ip is string %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
+{% else %}
+{% for ip_really in ip %}
+-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% else %}
+-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if iptables.udp_rules is defined and iptables.udp_rules %}
+# UDP rules
+{% for udp_rule in iptables.udp %}
+{% if udp_rule.allowed_hosts is defined %}
+{% for ip in udp_rule.allowed_hosts %}
+{% if ip is string %}
+-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
+{% else %}
+{% for ip_really in ip %}
+-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% else %}
+-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if iptables.any_rules is defined and iptables.any_rules %}
+# ANY rules
+{% for any_rule in iptables.any %}
+{% for ip in any_rule.allowed_hosts %}
+-A INPUT -s {{ ip }} -j ACCEPT
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
+# ANY rules
+{% for rule in iptables.any %}
+{% for ip in rule.allowed_hosts %}
+-A INPUT {{ rule.iptables_rule | default('') }} -s {{ ip }} -j {{ rule.policy | default('ACCEPT') }}
+{% endfor %}
+{% endfor %}
+{% endif %}
+# End of the custom rules
+{% endif %}
+
 {% if psql_firewall_enabled %}
+# PostgreSQL
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
 {% if psql_global_firewall is defined %}
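Review bot: The plain `# ANY rules` block (`{% for any_rule in iptables.any %}` … `-A INPUT -s {{ ip }} -j ACCEPT`) does not handle a list-valued `allowed_hosts` entry the way the TCP and UDP blocks just above it do with `{% if ip is string %}` / `{% for ip_really in ip %}`, so if the same inventory shape is used there a nested list would render as a Python list literal inside `-s` and iptables-restore would reject the whole ruleset. It also hard-codes `-j ACCEPT` while the `managed_any_rules` block directly below honours `rule.policy`, and both blocks iterate the same `iptables.any` list, so enabling both flags emits two rules per host — possibly intended, but worth a comment. Now that these custom rules precede the service-specific sections, a per-host `policy: DROP`/`REJECT` here is matched before the PostgreSQL and Prometheus accepts further down; that appears to be the point of the move, and a one-line comment such as `# Custom per-host rules are evaluated before the service rules below: a DROP/REJECT policy here wins` would make the ordering dependency explicit. The `{% if psql_firewall_enabled %}` block at the end of the hunk continues past it.

```jinja
{% if iptables.any_rules is defined and iptables.any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for ip in any_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -s {{ ip }} -j {{ any_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip %}
-A INPUT -s {{ ip_really }} -j {{ any_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
{% endif %}
{# … unchanged: managed_any_rules block … #}
```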
@@ -248,61 +306,7 @@
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
 {% endif %}
-{% if iptables is defined %}
-{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
-# TCP rules
-{% for tcp_rule in iptables.tcp %}
-{% if tcp_rule.allowed_hosts is defined %}
-{% for ip in tcp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.udp_rules is defined and iptables.udp_rules %}
-# UDP rules
-{% for udp_rule in iptables.udp %}
-{% if udp_rule.allowed_hosts is defined %}
-{% for ip in udp_rule.allowed_hosts %}
-{% if ip is string %}
--A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% else %}
-{% for ip_really in ip %}
--A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endif %}
-{% endfor %}
-{% else %}
--A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
-{% endif %}
-{% endfor %}
-{% endif %}
-{% if iptables.any_rules is defined and iptables.any_rules %}
-# ANY rules
-{% for any_rule in iptables.any %}
-{% for ip in any_rule.allowed_hosts %}
--A INPUT -s {{ ip }} -j ACCEPT
-{% endfor %}
-{% endfor %}
-{% endif %}
-{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
-# ANY rules
-{% for rule in iptables.any %}
-{% for ip in rule.allowed_hosts %}
--A INPUT {{ rule.iptables_rule | default('') }} -s {{ ip }} -j {{ rule.policy | default('ACCEPT') }}
-{% endfor %}
-{% endfor %}
-{% endif %}
-# End of the custom rules
-{% endif %}
+#
 # Prometheus exporters
 {% if prometheus_enabled is defined and prometheus_enabled %}
 {% if prometheus_servers_ip is defined %}