Merge pull request 'the iptables and firewalld roles have been merged into 'linux-firewall'.' (#224) from adellam/ansible-roles:master into master
This commit is contained in:
commit
4c31b4ec53
|
@ -6,9 +6,19 @@ dependencies:
|
|||
- role: '../../library/roles/sshd_config'
|
||||
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
|
||||
- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
|
||||
- role: '../../library/centos/roles/firewalld'
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
|
||||
version: master
|
||||
name: linux-firewall
|
||||
state: latest
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
|
||||
version: master
|
||||
name: letsencrypt-acme-sh-client
|
||||
state: latest
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
|
||||
version: master
|
||||
name: zabbix-agent
|
||||
state: latest
|
||||
when: zabbix_agent_install is defined and zabbix_agent_install
|
||||
- role: '../../library/centos/roles/fail2ban'
|
||||
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
|
||||
- { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
|
||||
- { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
|
||||
- { role: '../../library/centos/roles/prometheus-node-exporter', when: prometheus_enabled }
|
||||
|
|
|
@ -4,9 +4,19 @@ dependencies:
|
|||
- role: '../../library/roles/rsyslog'
|
||||
- { role: '../../library/roles/cloud-init', when: ansible_product_name == "oVirt Node" }
|
||||
- role: '../../library/roles/tmpreaper'
|
||||
- role: '../../library/roles/iptables'
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-linux-firewall.git
|
||||
version: master
|
||||
name: linux-firewall
|
||||
state: latest
|
||||
- { role: '../../library/roles/data_disk', when: additional_disks is defined and additional_disks }
|
||||
- role: '../../library/roles/sshd_config'
|
||||
- { role: 'letsencrypt-acme-sh-client', when: letsencrypt_acme_sh_install is defined and letsencrypt_acme_sh_install }
|
||||
- { role: 'zabbix-agent', when: zabbix_agent_install is defined and zabbix_agent_install }
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-letsencrypt-acme-sh-client.git
|
||||
version: master
|
||||
name: letsencrypt-acme-sh-client
|
||||
state: latest
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-zabbix-agent.git
|
||||
version: master
|
||||
name: zabbix-agent
|
||||
state: latest
|
||||
when: zabbix_agent_install is defined and zabbix_agent_install
|
||||
- { role: '../../library/roles/prometheus-node-exporter', when: prometheus_enabled is defined and prometheus_enabled }
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
firewalld_enabled: True
|
||||
firewalld_default_zone: public
|
||||
firewalld_ssh_enabled_on_default_zone: True
|
||||
|
||||
firewalld_rules:
|
||||
# - { service: 'http', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||
# - { port: '9001', protocol: 'tcp', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||
# - { rich_rule: 'rule service name="ftp" audit limit value="1/m" accept', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||
|
||||
#firewalld_new_services:
|
||||
# - { name: 'mosh', zone: 'public', permanent: 'true', state: 'enabled' }
|
||||
|
||||
# We execute direct rules as they are written
|
||||
# firewalld_direct_rules:
|
||||
# - { action: '--add-rule', parameters: 'ipv4 filter FORWARD 0 -s 136.243.21.126 --in-interface br0 -d 0/0 -j ACCEPT' }
|
||||
|
||||
# firewalld_zones_interfaces:
|
||||
# - { interface: 'eth1', zone: 'internal' }
|
|
@ -1,16 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<service>
|
||||
<short>Mosh SSH service</short>
|
||||
<description>This allows mosh to send and receive datagram connections.</description>
|
||||
<port protocol="udp" port="60000"/>
|
||||
<port protocol="udp" port="60001"/>
|
||||
<port protocol="udp" port="60002"/>
|
||||
<port protocol="udp" port="60003"/>
|
||||
<port protocol="udp" port="60004"/>
|
||||
<port protocol="udp" port="60005"/>
|
||||
<port protocol="udp" port="60006"/>
|
||||
<port protocol="udp" port="60007"/>
|
||||
<port protocol="udp" port="60008"/>
|
||||
<port protocol="udp" port="60009"/>
|
||||
<port protocol="udp" port="60010"/>
|
||||
</service>
|
|
@ -1,7 +0,0 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<service>
|
||||
<short>ports needed by traceroute</short>
|
||||
<description>This allows the host to be reached by traceroute.</description>
|
||||
<port protocol="udp" port="33434"/>
|
||||
<port protocol="udp" port="33523"/>
|
||||
</service>
|
|
@ -1,16 +0,0 @@
|
|||
---
|
||||
- name: Enable and start firewalld
|
||||
service: name=firewalld state=started enabled=yes
|
||||
when: firewalld_enabled
|
||||
|
||||
- name: Reload firewall config
|
||||
command: firewall-cmd --reload
|
||||
notify: Restart fail2ban
|
||||
when: firewalld_enabled
|
||||
|
||||
- name: Restart fail2ban
|
||||
service: name=fail2ban state=restarted
|
||||
when:
|
||||
- fail2ban_enabled is defined and fail2ban_enabled
|
||||
- centos_install_epel
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- name: Ensure that the firewalld service is stopped and disabled if we do not want it
|
||||
service: name=firewalld state=stopped enabled=no
|
||||
when: not firewalld_enabled | bool
|
||||
tags: [ 'iptables', 'firewall', 'firewalld' ]
|
|
@ -1,91 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Ensure that the service is enabled and started
|
||||
service: name=firewalld state=started enabled=yes
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Open the ssh service to the world. We rely on fail2ban to stop unauthorized accesses
|
||||
firewalld: service=ssh zone={{ firewalld_default_zone }} permanent=True state=enabled immediate=True
|
||||
when: firewalld_ssh_enabled_on_default_zone | bool
|
||||
|
||||
- name: Set the firewalld default zone.
|
||||
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
|
||||
|
||||
- name: Add sources to the availability zones, if any
|
||||
firewalld: source={{ item.cidr }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ firewalld_src_rules | default([]) }}'
|
||||
|
||||
- name: Assign interfaces to firewalld zones if needed
|
||||
firewalld: zone={{ item.zone }} interface={{ item.interface }} permanent={{ item.permanent | default(True) }} state={{ item.state | default('enabled') }} immediate=True
|
||||
with_items: '{{ firewalld_zones_interfaces | default([]) }}'
|
||||
when:
|
||||
- firewalld_zones_interfaces is defined
|
||||
- item.interface is defined
|
||||
- item.zone is defined
|
||||
|
||||
- name: Manage services firewalld rules. Services names must be the known ones. Save the services that are meant to be permanent
|
||||
firewalld: service={{ item.service }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ firewalld_rules }}'
|
||||
when:
|
||||
- firewalld_rules is defined
|
||||
- item.service is defined
|
||||
|
||||
- name: Save the ports firewalld rules that need to be permanent
|
||||
firewalld: port={{ item.port }}/{{ item.protocol }} zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ firewalld_rules }}'
|
||||
when:
|
||||
- firewalld_rules is defined
|
||||
- item.port is defined
|
||||
- item.protocol is defined
|
||||
|
||||
- name: Save the rich_rules firewalld rules that need to be permanent
|
||||
firewalld: rich_rule='{{ item.rich_rule }}' zone={{ item.zone }} permanent={{ item.permanent | default(False) }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ firewalld_rules }}'
|
||||
when:
|
||||
- firewalld_rules is defined
|
||||
- item.rich_rule is defined
|
||||
notify: Reload firewall config
|
||||
|
||||
- name: Enable the firewall-cmd direct passthrough rules
|
||||
shell: touch /etc/firewalld/.{{ item.label }} ; firewall-cmd --direct --passthrough {{ item.action }}
|
||||
with_items: '{{ firewalld_direct_rules }}'
|
||||
args:
|
||||
creates: /etc/firewalld/.{{ item.label }}
|
||||
when:
|
||||
- firewalld_direct_rules is defined
|
||||
- item.action is defined
|
||||
|
||||
- name: Set the firewall-cmd direct passthrough rules as permanent ones
|
||||
command: firewall-cmd --direct --permanent --passthrough {{ item.action }}
|
||||
with_items: '{{ firewalld_direct_rules }}'
|
||||
when:
|
||||
- firewalld_direct_rules is defined
|
||||
- item.action is defined
|
||||
|
||||
- name: Add new not yet defined services, if any. They need an additional task to really install a meaningful service config file
|
||||
command: firewall-cmd --new-service={{ item.name }} --permanent
|
||||
args:
|
||||
creates: '/etc/firewalld/services/{{ item.name }}.xml'
|
||||
with_items: '{{ firewalld_new_services }}'
|
||||
when: firewalld_new_services is defined
|
||||
notify: Reload firewall config
|
||||
|
||||
- name: Install the custom firewall services
|
||||
copy: src={{ item.name }}.xml dest=/etc/firewalld/services/{{ item.name }}.xml
|
||||
with_items: '{{ firewalld_new_services }}'
|
||||
when: firewalld_new_services is defined
|
||||
notify: Reload firewall config
|
||||
|
||||
- name: Manage the custom services firewalld rules.
|
||||
firewalld: service={{ item.name }} zone={{ item.zone }} permanent={{ item.permanent }} state={{ item.state }} immediate=True
|
||||
with_items: '{{ firewalld_new_services }}'
|
||||
when:
|
||||
- firewalld_new_services is defined
|
||||
- item.name is defined
|
||||
notify: Reload firewall config
|
||||
|
||||
# Last one to not take ourselves out
|
||||
- name: Set the firewalld default zone.
|
||||
command: firewall-cmd --set-default-zone={{ firewalld_default_zone }}
|
||||
|
||||
tags: [ 'iptables', 'firewall', 'firewalld' ]
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- import_tasks: firewalld_rules.yml
|
||||
when: firewalld_enabled | bool
|
||||
|
||||
- import_tasks: disable_firewalld.yml
|
||||
when: not firewalld_enabled | bool
|
||||
|
|
@ -1,63 +0,0 @@
|
|||
---
|
||||
iptables_deb_pkgs:
|
||||
- iptables
|
||||
- iptables-persistent
|
||||
|
||||
#
|
||||
# Reference only. Check the iptables-rules.v4.j2 for the list of accepted variables
|
||||
#
|
||||
#pg_allowed_hosts:
|
||||
# - 146.48.123.17/32
|
||||
# - 146.48.122.110/32
|
||||
#
|
||||
#munin_server:
|
||||
# - 146.48.122.15
|
||||
# - 146.48.87.88
|
||||
#http_port: 80
|
||||
#http_allowed_hosts:
|
||||
# - 1.2.3.4/24
|
||||
#https_port: 443
|
||||
#https_allowed_hosts:
|
||||
# - 0.0.0.0/0
|
||||
#
|
||||
# Generic tcp and udp access. The 'policy' field is optional, if it is not present the policy is set to 'ACCEPT'
|
||||
# iptables:
|
||||
# tcp_rules: True
|
||||
# tcp:
|
||||
# - { port: '8080', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'ACCEPT' ] }
|
||||
# - { port: '80', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'REJECT' ] }
|
||||
# - { port: '80' }
|
||||
# udp_rules: True
|
||||
# udp:
|
||||
# - { port: '123', allowed_hosts: [ '{{ network.isti }}', '{{ network.nmis }}', '{{ network.eduroam }}', policy: 'DROP' ] }
|
||||
|
||||
# munin_server:
|
||||
# - 146.48.122.15
|
||||
# - 146.48.87.88
|
||||
|
||||
#nagios_monitoring_server_ip: 146.48.123.23
|
||||
#mongodb:
|
||||
# start_server: 'yes'
|
||||
# tcp_port: 27017
|
||||
# allowed_hosts:
|
||||
# - 146.48.123.100/32
|
||||
|
||||
#iptables_default_policy: REJECT
|
||||
iptables_default_policy: ACCEPT
|
||||
iptables_nat_enabled: False
|
||||
iptables_nat_specify_interfaces: True
|
||||
iptables_post_nat_enabled: False
|
||||
iptables_nat_interfaces:
|
||||
- '{{ ansible_default_ipv4.interface }}'
|
||||
iptables_input_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_forward_default_policy: '{{ iptables_default_policy }}'
|
||||
iptables_banned_default_policy: DROP
|
||||
iptables_https_managed_hosts_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||
iptables_generic_rules_default_policy: 'REJECT --reject-with icmp-host-prohibited'
|
||||
ganglia_enabled: False
|
||||
nagios_enabled: False
|
||||
iptables_open_all_to_isti_nets: False
|
||||
tomcat_cluster_enabled: False
|
||||
# Another variable needs to be defined before the db rules are set
|
||||
psql_firewall_enabled: True
|
||||
mysql_firewall_enabled: True
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
- name: Start the iptables service
|
||||
service: name=iptables-persistent state=restarted enabled=yes
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Start the netfilter service
|
||||
service: name=netfilter-persistent state=restarted enabled=yes
|
||||
when: is_debian8
|
||||
notify: Restart fail2ban
|
||||
|
||||
- name: Flush the iptables rules
|
||||
command: /etc/init.d/iptables-persistent flush
|
||||
ignore_errors: true
|
||||
|
||||
- name: Start the iptables service on Ubuntu < 12.04
|
||||
command: /etc/init.d/iptables-persistent start
|
||||
ignore_errors: true
|
||||
|
||||
- name: Stop the iptables service on Ubuntu < 12.04
|
||||
command: /etc/init.d/iptables-persistent stop
|
||||
ignore_errors: true
|
||||
|
||||
- name: Restart fail2ban after an iptables restart
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when: has_fail2ban
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
dependencies:
|
||||
- { role: '../../library/roles/postfix-relay', when: postfix_relay_client is defined and postfix_relay_client }
|
||||
- { role: '../../library/roles/postfix-relay', when: postfix_relay_server is defined and postfix_relay_server }
|
|
@ -1,127 +0,0 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the needed iptables packages
|
||||
apt: pkg={{ iptables_deb_pkgs }} state=present cache_valid_time=1800
|
||||
|
||||
- name: Create the /etc/iptables directory when needed
|
||||
file: dest=/etc/iptables state=directory owner=root group=root mode=0755
|
||||
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
|
||||
|
||||
- name: Install the IPv4 rules with a different name. Needed by Ubuntu < 12.04
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/rules owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
when: is_ubuntu_between_10_04_and_11_04_and_is_debian_6
|
||||
notify: Start the iptables service on Ubuntu < 12.04
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On precise
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_precise
|
||||
register: install_iptables_rules_precise
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On trusty
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_trusty
|
||||
register: install_iptables_rules_trusty
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 7
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_debian7
|
||||
register: install_iptables_rules_deb7
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On debian 8
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when: is_debian8
|
||||
register: install_netfilter_rules
|
||||
|
||||
- name: Install the IPv4 and IPv6 iptables rules. The IPv6 ones are not used. On Ubuntu >= 16.04
|
||||
template: src=iptables-{{ item }}.j2 dest=/etc/iptables/{{ item }} owner=root group=root mode=0640
|
||||
with_items:
|
||||
- rules.v4
|
||||
- rules.v6
|
||||
when:
|
||||
- ansible_distribution == 'Ubuntu'
|
||||
- ansible_distribution_major_version >= '16'
|
||||
register: install_netfilter_rules
|
||||
|
||||
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu precise. This can have an impact on other tasks
|
||||
service: name=iptables-persistent state=restarted enabled=yes
|
||||
register: restart_related_p
|
||||
notify: Restart fail2ban after an iptables restart
|
||||
when: install_iptables_rules_precise is changed
|
||||
|
||||
- name: Start the iptables service immediately after the new rules have been installed, on Ubuntu Trusty. This can have an impact on other tasks
|
||||
service: name=iptables-persistent state=restarted enabled=yes
|
||||
register: restart_related_t
|
||||
notify: Restart fail2ban after an iptables restart
|
||||
when: install_iptables_rules_trusty is changed
|
||||
|
||||
- name: Start the iptables service immediately after the new rules have been installed, on Debian 7. This can have an impact on other tasks
|
||||
service: name=iptables-persistent state=restarted enabled=yes
|
||||
register: restart_related_d7
|
||||
notify: Restart fail2ban after an iptables restart
|
||||
when: install_iptables_rules_deb7 is changed
|
||||
|
||||
- name: Start the netfilter service immediately after the new rules have been installed. This can have an impact on other tasks
|
||||
service: name=netfilter-persistent state=restarted enabled=yes
|
||||
register: restart_related_x
|
||||
notify: Restart fail2ban after an iptables restart
|
||||
when: install_netfilter_rules is changed
|
||||
|
||||
- name: Check if the fail2ban service is present
|
||||
stat: path=/usr/bin/fail2ban-server
|
||||
register: fail2ban_installed
|
||||
|
||||
- name: Restart fail2ban after an iptables restart on Ubuntu Precise
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when:
|
||||
- fail2ban_installed.stat.exists
|
||||
- restart_related_p is changed
|
||||
|
||||
- name: Restart fail2ban after an iptables restart on Ubunt Trusty
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when:
|
||||
- fail2ban_installed.stat.exists
|
||||
- restart_related_t is changed
|
||||
|
||||
- name: Restart fail2ban after an iptables restart on debian 7
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when:
|
||||
- fail2ban_installed.stat.exists
|
||||
- restart_related_d7 is changed
|
||||
|
||||
- name: Restart fail2ban after an iptables restart on Ubuntu Xenial
|
||||
service: name=fail2ban state=restarted enabled=yes
|
||||
when:
|
||||
- fail2ban_installed.stat.exists
|
||||
- restart_related_x is changed
|
||||
|
||||
- name: Check if the docker service is present
|
||||
stat: path=/usr/bin/dockerd
|
||||
register: dockerd_installed
|
||||
|
||||
- name: Restart docker after an iptables restart on Ubuntu Trusty
|
||||
service: name=docker state=restarted enabled=yes
|
||||
when:
|
||||
- dockerd_installed.stat.exists
|
||||
- restart_related_t is changed
|
||||
|
||||
- name: Restart docker after an iptables restart on Ubuntu Xenial
|
||||
service: name=docker state=restarted enabled=yes
|
||||
when:
|
||||
- dockerd_installed.stat.exists
|
||||
- restart_related_x is changed
|
||||
|
||||
tags: [ 'iptables', 'iptables_rules' ]
|
|
@ -1,398 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }} don't manually modify this file
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
{% if iptables_banlist is defined %}
|
||||
# We manage the banned IP/networks list before anything else
|
||||
{% for obj in iptables_banlist %}
|
||||
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% elif obj.proto is defined and obj.destport is defined %}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% elif obj.proto is defined %}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% else %}
|
||||
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
# Return traffic and localhost
|
||||
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
#
|
||||
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
|
||||
{% if iptables_ssh_allowed_hosts is defined %}
|
||||
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
|
||||
{% for ip in iptables_ssh_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
||||
{% endif %}
|
||||
{% if http_port is not defined %}
|
||||
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if http_port is defined %}
|
||||
# http
|
||||
{% if http_allowed_hosts is defined %}
|
||||
{% for ip in http_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if https_port is defined %}
|
||||
# https
|
||||
{% if https_allowed_hosts is defined %}
|
||||
{% for ip in https_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
{% if https_managed_hosts is defined %}
|
||||
{% for rule in https_managed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if psql_firewall_enabled %}
|
||||
{% if psql_db_port is defined %}
|
||||
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
||||
{% if psql_global_firewall is defined %}
|
||||
{% for cidr in psql_global_firewall %}
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
||||
{% else %}
|
||||
{% if psql_db_data is defined %}
|
||||
# postgresql clients
|
||||
{% for db in psql_db_data %}
|
||||
{% for ip in db.allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if mysql_firewall_enabled %}
|
||||
{% if mysql_db_port is defined %}
|
||||
{% if mysql_listen_on_ext_int %}
|
||||
# mysql clients
|
||||
{% for db in mysql_db_data %}
|
||||
{% for ip in db.allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if openldap_slapd_tcp_port is defined %}
|
||||
{% if openldap_allowed_clients is defined %}
|
||||
# LDAP
|
||||
{% for addr in openldap_allowed_clients %}
|
||||
{% if not openldap_slapd_ssl_only %}
|
||||
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
{% if not openldap_slapd_ssl_only %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if mongodb_allowed_hosts is defined %}
|
||||
# mongodb clients
|
||||
{% for ip in mongodb_allowed_hosts %}
|
||||
{% if mongodb_tcp_port is defined %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% if mongodb_tcp_port is defined %}
|
||||
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
|
||||
{% else %}
|
||||
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if docker_swarm is defined and docker_swarm %}
|
||||
{% for cidr in docker_swarm_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
|
||||
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
|
||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||
# Someone still uses ftp
|
||||
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
|
||||
{% for ip in vsftpd_iptables_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
|
||||
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m helper --helper ftp -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
#
|
||||
# TODO: add the rules that block traffic from now on
|
||||
#
|
||||
{% if nagios_enabled is defined %}
|
||||
{% if nagios_enabled %}
|
||||
{% if nagios_monitoring_server_ip is defined %}
|
||||
# Nagios NRPE
|
||||
{% for ip in nagios_monitoring_server_ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
|
||||
# Check ntp from the nagios server
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if zabbix_agent_install is defined and zabbix_agent_install %}
|
||||
{% if zabbix_agent_passive_checks_status == "enabled" %}
|
||||
# Zabbix servers that can send passive checks
|
||||
{% for ip in zabbix_monitoring_servers %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ zabbix_agent_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% if configure_munin is defined %}
|
||||
{% if configure_munin %}
|
||||
{% if munin_server %}
|
||||
# Munin
|
||||
{% for ip in munin_server %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if tomcat_cluster_enabled %}
|
||||
# tomcat cluster
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
|
||||
{% if tomcat_cluster_multicast_net is defined %}
|
||||
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
||||
# orientdb hazelcast multicast rules
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
# Ganglia
|
||||
{% if ganglia_enabled is defined and ganglia_enabled %}
|
||||
{% if ganglia_gmond_cluster_port is defined %}
|
||||
{% if ganglia_unicast_mode is defined %}
|
||||
{% if ganglia_unicast_mode %}
|
||||
{% for net in ganglia_unicast_networks %}
|
||||
-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
|
||||
{% else %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
|
||||
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
# Postfix
|
||||
{% if postfix_relay_server is defined %}
|
||||
{% if postfix_relay_server %}
|
||||
#
|
||||
# These are only needed on the machines that act as relay servers
|
||||
#
|
||||
{% for cidr in postfix_relay_server_permitted_networks %}
|
||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ cidr }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
{% else %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
|
||||
{% endif %}
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if postfix_relay_server is defined and not postfix_relay_server %}
|
||||
{% if postfix_relay_client is defined%}
|
||||
{% if postfix_relay_client %}
|
||||
#
|
||||
# When we are not a relay server but we want send email using our relay
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if iptables is defined %}
|
||||
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
||||
# TCP rules
|
||||
{% for tcp_rule in iptables.tcp %}
|
||||
{% if tcp_rule.allowed_hosts is defined %}
|
||||
{% for ip in tcp_rule.allowed_hosts %}
|
||||
{% if ip is string %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% else %}
|
||||
{% for ip_really in ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables.udp_rules is defined and iptables.udp_rules %}
|
||||
# UDP rules
|
||||
{% for udp_rule in iptables.udp %}
|
||||
{% if udp_rule.allowed_hosts is defined %}
|
||||
{% for ip in udp_rule.allowed_hosts %}
|
||||
{% if ip is string %}
|
||||
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% else %}
|
||||
{% for ip_really in ip %}
|
||||
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables.any_rules is defined and iptables.any_rules %}
|
||||
# ANY rules
|
||||
{% for any_rule in iptables.any %}
|
||||
{% for ip in any_rule.allowed_hosts %}
|
||||
-A INPUT -s {{ ip }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
|
||||
# ANY rules
|
||||
{% for any_rule in iptables.any %}
|
||||
{% for rule in any_rule.allowed_hosts %}
|
||||
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
# End of the custom rules
|
||||
{% endif %}
|
||||
# Prometheus exporters
|
||||
{% if prometheus_enabled is defined and prometheus_enabled %}
|
||||
{% if prometheus_servers_ip is defined %}
|
||||
{% for ip in prometheus_servers_ip %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if keepalived_enabled is defined and keepalived_enabled %}
|
||||
# Keepalived rules. Protocol vrrp, 112
|
||||
{% if not keepalived_use_unicast %}
|
||||
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
||||
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
||||
{% else %}
|
||||
{% endif %}
|
||||
-A INPUT -p vrrp -j ACCEPT
|
||||
-A OUTPUT -p vrrp -j ACCEPT
|
||||
{% endif %}
|
||||
#
|
||||
# INPUT POLICY
|
||||
{% if iptables_input_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_input_default_policy }}
|
||||
{% endif %}
|
||||
#
|
||||
# FORWARD rules and POLICY
|
||||
{% if iptables_post_nat_enabled %}
|
||||
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
|
||||
{% for rule in iptables_nat_rules %}
|
||||
-A FORWARD {{ rule.options }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A FORWARD -j {{ iptables_forward_default_policy }}
|
||||
{% endif %}
|
||||
COMMIT
|
||||
{% if iptables_nat_enabled %}
|
||||
# This should be obsoleted
|
||||
# NAT rules
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
{% if iptables_nat_specify_interfaces %}
|
||||
{% for int in iptables_nat_interfaces %}
|
||||
-A POSTROUTING -o {{ int }} -j MASQUERADE
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
-A POSTROUTING -j MASQUERADE
|
||||
{% endif %}
|
||||
COMMIT
|
||||
{% endif %}
|
||||
|
||||
{% if iptables_post_nat_enabled %}
|
||||
# NAT rules
|
||||
*nat
|
||||
:PREROUTING ACCEPT [0:0]
|
||||
:INPUT ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:POSTROUTING ACCEPT [0:0]
|
||||
{% for rule in iptables_nat_rules %}
|
||||
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
|
||||
{% endfor %}
|
||||
COMMIT
|
||||
{% endif %}
|
|
@ -1,15 +0,0 @@
|
|||
#
|
||||
# {{ ansible_managed }} don't manually modify this file
|
||||
#
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
{% if iptables_default_policy == 'REJECT' %}
|
||||
-A INPUT -j REJECT --reject-with icmp6-addr-unreachable
|
||||
-A FORWARD -j REJECT --reject-with icmp6-addr-unreachable
|
||||
{% else %}
|
||||
-A INPUT -j {{ iptables_default_policy }}
|
||||
-A FORWARD -j {{ iptables_default_policy }}
|
||||
{% endif %}
|
||||
COMMIT
|
|
@ -2,7 +2,10 @@
|
|||
dependencies:
|
||||
- role: '../../library/roles/deb-apt-setup'
|
||||
- { role: '../../library/roles/ubuntu-python-setup', when: ansible_distribution_release == "trusty" }
|
||||
- role: 'basic-system-setup'
|
||||
- src: git+https://gitea-s2i2s.isti.cnr.it/ISTI-ansible-roles/ansible-role-basic-system-setup.git
|
||||
version: master
|
||||
name: basic-system-setup
|
||||
state: latest
|
||||
- role: '../../library/roles/motd'
|
||||
- role: '../../library/roles/ntp'
|
||||
- role: '../../library/roles/linux-kernel-sysctl'
|
||||
|
|
Loading…
Reference in New Issue