Separate ipv4 and ipv6 default policies.

2022-08-03 12:32:41 +02:00 · 2022-08-03 12:32:41 +02:00 · eedcaed32b
parent 6a807aea89
commit eedcaed32b
2 changed files with 5 additions and 5 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,7 +1,8 @@
 ---
 iptables_persistent_enabled: True
-#iptables_default_policy: REJECT
+# Options: ACCEPT, REJECT, DROP
 iptables_default_policy: ACCEPT
+iptables6_default_policy: '{{ iptables_default_policy }}'
 iptables_log_untracked_traffic: False
 iptables_nat_enabled: False
 iptables_nat_specify_interfaces: True
@ -13,7 +14,6 @@ iptables_forward_default_policy: '{{ iptables_default_policy }}'
 iptables_banned_default_policy: DROP
 iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
 iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
-ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False
 jgroups_cluster_enabled: False
--- a/templates/iptables-rules.v6.j2
+++ b/templates/iptables-rules.v6.j2
@ -5,11 +5,11 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-{% if iptables_default_policy == 'REJECT' %}
+{% if iptables6_default_policy == 'REJECT' %}
 -A INPUT -j REJECT --reject-with icmp6-addr-unreachable
 -A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
 {% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
+-A INPUT -j {{ iptables6_default_policy }}
+-A FORWARD -j {{ iptables6_default_policy }}
 {% endif %}
 COMMIT