Merge pull request 'More generic custom rules.' (#159) from adellam/ansible-roles:master into master
This commit is contained in:
commit
977d27ec38
|
|
@ -5,17 +5,17 @@
|
||||||
:INPUT ACCEPT [0:0]
|
:INPUT ACCEPT [0:0]
|
||||||
:FORWARD ACCEPT [0:0]
|
:FORWARD ACCEPT [0:0]
|
||||||
:OUTPUT ACCEPT [0:0]
|
:OUTPUT ACCEPT [0:0]
|
||||||
# We manage the banned IP/networks list before anything else
|
|
||||||
{% if iptables_banlist is defined %}
|
{% if iptables_banlist is defined %}
|
||||||
|
# We manage the banned IP/networks list before anything else
|
||||||
{% for obj in iptables_banlist %}
|
{% for obj in iptables_banlist %}
|
||||||
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
|
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
|
||||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||||
{% elif obj.proto is defined and obj.destport is defined %}
|
{% elif obj.proto is defined and obj.destport is defined %}
|
||||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||||
{% elif obj.proto is defined %}
|
{% elif obj.proto is defined %}
|
||||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
|
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
|
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
@ -74,11 +74,7 @@
|
||||||
{% if psql_firewall_enabled %}
|
{% if psql_firewall_enabled %}
|
||||||
{% if psql_db_port is defined %}
|
{% if psql_db_port is defined %}
|
||||||
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
||||||
{% if psql_global_firewall is defined %}
|
{% if psql_db_data is defined %}
|
||||||
{% for ip in psql_global_firewall %}
|
|
||||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
|
||||||
{% endfor %}
|
|
||||||
{% elif psql_db_data is defined %}
|
|
||||||
# postgresql clients
|
# postgresql clients
|
||||||
{% for db in psql_db_data %}
|
{% for db in psql_db_data %}
|
||||||
{% for ip in db.allowed_hosts %}
|
{% for ip in db.allowed_hosts %}
|
||||||
|
|
@ -201,7 +197,28 @@
|
||||||
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
||||||
# orientdb hazelcast multicast rules
|
# orientdb hazelcast multicast rules
|
||||||
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
|
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
|
||||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
||||||
|
{% endif %}
|
||||||
|
# Ganglia
|
||||||
|
{% if ganglia_enabled is defined and ganglia_enabled %}
|
||||||
|
{% if ganglia_gmond_cluster_port is defined %}
|
||||||
|
{% if ganglia_unicast_mode is defined %}
|
||||||
|
{% if ganglia_unicast_mode %}
|
||||||
|
{% for net in ganglia_unicast_networks %}
|
||||||
|
-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||||
|
{% endfor %}
|
||||||
|
{% else %}
|
||||||
|
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
|
||||||
|
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
|
||||||
|
{% else %}
|
||||||
|
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
|
||||||
|
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||||
|
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||||
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
# Postfix
|
# Postfix
|
||||||
{% if postfix_relay_server is defined %}
|
{% if postfix_relay_server is defined %}
|
||||||
|
|
@ -225,7 +242,6 @@
|
||||||
{% if postfix_relay_client is defined%}
|
{% if postfix_relay_client is defined%}
|
||||||
{% if postfix_relay_client %}
|
{% if postfix_relay_client %}
|
||||||
#
|
#
|
||||||
{% if not postfix_relay_client_do_not_stop_submission %}
|
|
||||||
# When we are not a relay server but we want send email using our relay
|
# When we are not a relay server but we want send email using our relay
|
||||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||||
|
|
@ -234,7 +250,6 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
|
||||||
{% if iptables is defined %}
|
{% if iptables is defined %}
|
||||||
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
||||||
# TCP rules
|
# TCP rules
|
||||||
|
|
@ -317,16 +332,13 @@
|
||||||
{% else %}
|
{% else %}
|
||||||
-A INPUT -j {{ iptables_input_default_policy }}
|
-A INPUT -j {{ iptables_input_default_policy }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if not iptables_nat_enabled %}
|
{% if iptables_nat_enabled or iptables_post_nat_enabled %}
|
||||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
-A FORWARD -j ACCEPT
|
||||||
|
{% elif iptables_forward_default_policy == 'REJECT' %}
|
||||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||||
{% else %}
|
{% else %}
|
||||||
-A FORWARD -j {{ iptables_forward_default_policy }}
|
-A FORWARD -j {{ iptables_forward_default_policy }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% else %}
|
|
||||||
# NAT is enabled, we need to accept traffic that is forwarded
|
|
||||||
-A FORWARD -j ACCEPT
|
|
||||||
{% endif %}
|
|
||||||
COMMIT
|
COMMIT
|
||||||
{% if iptables_nat_enabled %}
|
{% if iptables_nat_enabled %}
|
||||||
# This should be obsoleted
|
# This should be obsoleted
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue