From d2bcb78d80c785f11865e8e5592df61a854592b2 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Mon, 16 Mar 2020 14:18:32 +0100
Subject: [PATCH] More generic custom rules.
---
 .../iptables/templates/iptables-rules.v4.j2 | 50 ++++++++++++-------
 1 file changed, 31 insertions(+), 19 deletions(-)
diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index 875a87d..fff1fb2 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -5,17 +5,17 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-# We manage the banned IP/networks list before anything else
 {% if iptables_banlist is defined %}
+# We manage the banned IP/networks list before anything else
 {% for obj in iptables_banlist %}
 {% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% elif obj.proto is defined and obj.destport is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% elif obj.proto is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% else %}
--A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% endif %}
 {% endfor %}
 {% endif %}
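Review bot: The new per-entry `policy` override, defaulting to `iptables_banned_default_policy`, means an `iptables_banlist` entry can carry `policy: ACCEPT` and, because these rules are emitted before every other rule, become an unconditional early allow rather than a ban; nothing in the hunk documents or constrains that. Similarly `chain` accepts any value while `-s {{ obj.source }}` still matches the packet source, which for `OUTPUT` is the local host rather than the banned peer. If both are intended, say so on the moved comment, e.g. `# Each entry may override 'chain' (INPUT), 'target' (0.0.0.0/0) and 'policy' (iptables_banned_default_policy); an ACCEPT policy here wins over every later rule`. The banlist block is complete within the hunk.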
@@ -74,11 +74,7 @@
 {% if psql_firewall_enabled %}
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
-{% if psql_global_firewall is defined %}
-{% for ip in psql_global_firewall %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
-{% elif psql_db_data is defined %}
+{% if psql_db_data is defined %}
 # postgresql clients
 {% for db in psql_db_data %}
 {% for ip in db.allowed_hosts %}
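Review bot: Dropping the `psql_global_firewall` branch without any fallback means an inventory that still sets it (and not `psql_db_data`) silently stops emitting PostgreSQL ACCEPT rules, so the INPUT default policy applies to the database port on the next run. Failing closed is the right direction, but the change is invisible to operators; a note at the top of the block, e.g. `# psql_global_firewall is no longer honoured: list clients per database in psql_db_data`, or a deprecation warning in the role, would make it explicit. The enclosing `psql_firewall_enabled` block continues outside the hunk.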
@@ -201,7 +197,28 @@
 {% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
 # orientdb hazelcast multicast rules
 -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
+-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
+{% endif %}
+# Ganglia
+{% if ganglia_enabled is defined and ganglia_enabled %}
+{% if ganglia_gmond_cluster_port is defined %}
+{% if ganglia_unicast_mode is defined %}
+{% if ganglia_unicast_mode %}
+{% for net in ganglia_unicast_networks %}
+-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+{% endfor %}
+{% else %}
+{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
+-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
+{% else %}
+-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
+-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+{% endif %}
+{% endif %}
+{% endif %}
+-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+{% endif %}
 {% endif %}
 # Postfix
 {% if postfix_relay_server is defined %}
@@ -225,7 +242,6 @@
 {% if postfix_relay_client is defined%}
 {% if postfix_relay_client %}
 #
-{% if not postfix_relay_client_do_not_stop_submission %}
 # When we are not a relay server but we want send email using our relay
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
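Review bot: The rewritten OrientDB TCP rule uses `-s {{orientdb_hazelcast_multicast_group}}`, but a multicast group address can never be the source of a TCP packet, so this rule matches nothing and the Hazelcast TCP port is left to the INPUT default policy; the source should be the peer nodes' unicast addresses or subnet, which the hunk does not expose as a variable, e.g. `-s <PEER_NETWORK_PLACEHOLDER>`, keeping the multicast group only on the `pkttype` rule. The same line also drops the `{{ x }}` spacing used everywhere else in the file. In the Ganglia jmxtrans branch, `-A INPUT -m pkttype --pkt-type multicast -j ACCEPT` admits every multicast packet on every interface, wider than the non-jmxtrans branch just above it; if a destination match is really impossible there, at least `-p udp -m udp --dport {{ ganglia_gmond_cluster_port }}` would bound it, and a comment should say why the group address cannot be used.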
@@ -234,7 +250,6 @@
 {% endif %}
 {% endif %}
 {% endif %}
-{% endif %}
 {% if iptables is defined %}
 {% if iptables.tcp_rules is defined and iptables.tcp_rules %}
 # TCP rules
@@ -317,16 +332,13 @@
 {% else %}
 -A INPUT -j {{ iptables_input_default_policy }}
 {% endif %}
-{% if not iptables_nat_enabled %}
-{% if iptables_forward_default_policy == 'REJECT' %}
+{% if iptables_nat_enabled or iptables_post_nat_enabled %}
+-A FORWARD -j ACCEPT
+{% elif iptables_forward_default_policy == 'REJECT' %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A FORWARD -j {{ iptables_forward_default_policy }}
 {% endif %}
-{% else %}
-# NAT is enabled, we need to accept traffic that is forwarded
--A FORWARD -j ACCEPT
-{% endif %}
 COMMIT
 {% if iptables_nat_enabled %}
 # This should be obsoleted
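Review bot: `{% if iptables_nat_enabled or iptables_post_nat_enabled %}` now emits a bare `-A FORWARD -j ACCEPT` whenever either flag is set, so the filter FORWARD chain forwards anything between any interfaces with no source, interface or state constraint; the nat-table rules after `COMMIT` presumably only rewrite addresses and do not narrow what is forwarded. Replacing the catch-all with `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` plus explicit `-i`/`-o`/`-s` rules for the NAT'd interfaces or networks (variables the hunk does not show) would keep the NAT working without turning the host into an open router. Separately, `iptables_post_nat_enabled` is now evaluated unconditionally; unless it is declared in the role defaults, Ansible's strict undefined handling will fail the template instead of treating it as false, so a guard like `iptables_post_nat_enabled is defined and iptables_post_nat_enabled` or a default is needed. The trailing `{% if iptables_nat_enabled %}` block continues outside the hunk.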