library/roles/iptables: Manage NAT and different defaults for INPUT and FORWARD chains.
parent
e2a75c2e8e
commit
1dbe0c9209
|
@ -40,6 +40,12 @@
|
|||
|
||||
#iptables_default_policy: REJECT
|
||||
iptables_default_policy: ACCEPT
|
||||
iptables_nat_enabled: False
|
||||
iptables_nat_specify_interfaces: True
|
||||
iptables_nat_interfaces:
|
||||
- eth0
|
||||
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_banned_default_policy: DROP
|
||||
ganglia_enabled: False
|
||||
nagios_enabled: False
|
||||
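Review bot: The new defaults leave `iptables_default_policy: ACCEPT`, and since `iptables_input_default_policy` and `iptables_forward_default_policy` both derive from it, a host that does not override the variable gets a terminal `-A INPUT -j ACCEPT` on a chain whose built-in policy is already ACCEPT, i.e. nothing is blocked except explicitly dropped traffic; the commented `#iptables_default_policy: REJECT` hints at the hardened value but nothing says so. A short comment above the setting would make the trade-off visible: `# ACCEPT leaves INPUT/FORWARD open by default; set REJECT (or DROP) for deny-by-default hosts, per-chain overrides below`. `iptables_banned_default_policy: DROP` is not referenced in any template hunk of this commit; if it is meant to drive the banlist rules, that wiring appears to be missing (it may live in a part of the template not shown here).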
|
|
|
@ -1,11 +1,10 @@
|
|||
#
|
||||
# don't manually modify this file
|
||||
# {{ ansible_managed }} don't manually modify this file
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
|
||||
# We manage the banned IP/networks list before anything else
|
||||
{% if iptables_banlist is defined %}
|
||||
{% for obj in iptables_banlist %}
|
||||
|
@ -20,7 +19,7 @@
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# Return traffic and localhost
|
||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
|
@ -52,7 +51,6 @@
|
|||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if https_port is defined %}
|
||||
# https
|
||||
{% if https_allowed_hosts is defined %}
|
||||
|
@ -63,7 +61,6 @@
|
|||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if psql_db_port is defined %}
|
||||
{% if psql_listen_on_ext_int %}
|
||||
# postgresql clients
|
||||
|
@ -76,7 +73,6 @@
|
|||
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if mysql_db_port is defined %}
|
||||
{% if mysql_listen_on_ext_int %}
|
||||
# mysql clients
|
||||
|
@ -89,9 +85,9 @@
|
|||
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
|
||||
{% if openldap_slapd_tcp_port is defined %}
|
||||
{% if openldap_allowed_clients is defined %}
|
||||
# LDAP
|
||||
{% for addr in openldap_allowed_clients %}
|
||||
{% if not openldap_slapd_ssl_only %}
|
||||
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
||||
|
@ -105,7 +101,6 @@
|
|||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if mongodb_allowed_hosts is defined %}
|
||||
# mongodb clients
|
||||
{% for ip in mongodb_allowed_hosts %}
|
||||
|
@ -121,14 +116,12 @@
|
|||
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if dnet_ports is defined %}
|
||||
# dnet services
|
||||
{% for tcp_port in dnet_ports %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if dnet_jmx_ports is defined %}
|
||||
# dnet jmx ports. Open to the isti networks only
|
||||
{% for tcp_port in dnet_jmx_ports %}
|
||||
|
@ -137,7 +130,6 @@
|
|||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||
# Someone still uses ftp
|
||||
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
|
||||
|
@ -148,12 +140,11 @@
|
|||
-A INPUT -m helper --helper ftp -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if nagios_enabled is defined %}
|
||||
{% if nagios_enabled %}
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
{% for ip in nagios_monitoring_server_ip %}
|
||||
# Nagios NRPE
|
||||
{% for ip in nagios_monitoring_server_ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
|
||||
# Check ntp from the nagios server
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
||||
|
@ -161,25 +152,21 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if configure_munin is defined %}
|
||||
{% if configure_munin %}
|
||||
{% if munin_server %}
|
||||
{% for ip in munin_server %}
|
||||
# Munin
|
||||
{% for ip in munin_server %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if tomcat_cluster_enabled %}
|
||||
# tomcat cluster
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
|
||||
{% if ganglia_enabled is defined %}
|
||||
{% if ganglia_enabled %}
|
||||
{% if ganglia_gmond_cluster_port is defined %}
|
||||
|
@ -195,7 +182,6 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if postfix_relay_server is defined %}
|
||||
{% if postfix_relay_server %}
|
||||
#
|
||||
|
@ -224,9 +210,9 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if iptables is defined %}
|
||||
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
||||
# TCP rules
|
||||
{% for tcp_rule in iptables.tcp %}
|
||||
{% if tcp_rule.allowed_hosts is defined %}
|
||||
{% for ip in tcp_rule.allowed_hosts %}
|
||||
|
@ -237,8 +223,8 @@
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if iptables.udp_rules is defined and iptables.udp_rules %}
|
||||
# UDP rules
|
||||
{% for udp_rule in iptables.udp %}
|
||||
{% if udp_rule.allowed_hosts is defined %}
|
||||
{% for ip in udp_rule.allowed_hosts %}
|
||||
|
@ -251,14 +237,29 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
#
|
||||
#
|
||||
-A INPUT -s 125.24.0.0/14 -j DROP
|
||||
{% if iptables_default_policy == 'REJECT' %}
|
||||
{% if iptables_input_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_input_default_policy }}
|
||||
{% endif %}
|
||||
{% if not iptables_nat_enabled %}
|
||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_default_policy }}
|
||||
-A FORWARD -j {{ iptables_default_policy }}
|
||||
-A FORWARD -j {{ iptables_forward_default_policy }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# NAT is enabled, we need to accept traffic that is forwarded
|
||||
-A FORWARD -j ACCEPT
|
||||
# NAT rules
|
||||
*nat
|
||||
{% if iptables_nat_specify_interfaces %}
|
||||
{% for int in iptables_nat_interface %}
|
||||
-A POSTROUTING -o {{ int }} -j MASQUERADE
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A POSTROUTING -j MASQUERADE
|
||||
{% endif %}
|
||||
|
||||
COMMIT
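Review bot: The `*nat` block at the end of this hunk starts while the `*filter` table is still open, because the final `COMMIT` is the only one in the template, so iptables-restore sees a second table declaration before the first has been committed; in addition, as rendered, the `{% if not iptables_nat_enabled %}` opened in this hunk has no matching `{% endif %}` before `COMMIT` (unless the page dropped a line), which Jinja2 rejects at render time. The loop also iterates `iptables_nat_interface`, while the defaults hunk of this same commit defines `iptables_nat_interfaces`, so with the default `iptables_nat_specify_interfaces: True` the variable is undefined. The tail should close the NAT condition and commit the filter table first, then open `*nat` only when NAT is enabled, loop over the plural name and end the nat table with its own `COMMIT`. Separately, the unconditional `-A FORWARD -j ACCEPT` and the interface-less `-A POSTROUTING -j MASQUERADE` fallback accept and masquerade forwarded traffic arriving on any interface, so constraining them with `-i`/`-o` or `-m state --state ESTABLISHED,RELATED` is worth considering.
```jinja
{# … unchanged: INPUT/FORWARD default-policy rules and the NAT-enabled FORWARD ACCEPT … #}
{% endif %}
COMMIT
{% if iptables_nat_enabled %}
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if iptables_nat_specify_interfaces %}
{% for int in iptables_nat_interfaces %}
-A POSTROUTING -o {{ int }} -j MASQUERADE
{% endfor %}
{% else %}
-A POSTROUTING -j MASQUERADE
{% endif %}
COMMIT
{% endif %}
```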
|
||||
|
|
|
@ -1,3 +1,6 @@
|
|||
#
|
||||
# {{ ansible_managed }} don't manually modify this file
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
|
|