From aa1ad48c466e8b99c07651c15d87af823e0c41ed Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 23 Oct 2015 16:01:53 +0200
Subject: [PATCH] library/roles/iptables: Support for blacklists of ip/networks.
Optionally with associated protocol, source port and destination port.
---
iptables/defaults/main.yml | 1 +
iptables/templates/iptables-rules.v4.j2 | 14 ++++++++++++++
2 files changed, 15 insertions(+)
diff --git a/iptables/defaults/main.yml b/iptables/defaults/main.yml
index 2ab7d81..fc4a82b 100644
--- a/iptables/defaults/main.yml
+++ b/iptables/defaults/main.yml
@@ -40,6 +40,7 @@
 #iptables_default_policy: REJECT
 iptables_default_policy: ACCEPT
+iptables_banned_default_policy: DROP
 ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 270556d..4b242fe 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
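Review bot: The new `iptables_banned_default_policy` default carries no comment, so a reader of defaults/main.yml cannot tell that it is the jump target applied to every `iptables_banlist` entry rather than a chain policy like the `iptables_default_policy` line above it; a comment such as `# Jump target for every iptables_banlist entry (DROP or REJECT)` above the new line would make that explicit. `iptables_banlist` itself gets no default in this hunk; if it is intended to be set only in host or group vars, stating that in the same comment saves the reader a search through the template.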
@@ -9,6 +9,20 @@
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 #
+# We manage the banned IP/networks list before anything else
+{% if iptables_banlist is defined %}
+{% for obj in iptables_banlist %}
+{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+{% elif obj.proto is defined and obj.destport is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+{% elif obj.proto is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+{% else %}
+-A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+{% endif %}
+{% endfor %}
+{% endif %}
 {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
 {% if iptables_ssh_allowed_hosts is defined %}
 # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
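Review bot: A banlist entry that sets `proto` and `sourceport` but not `destport` falls through to the `{% elif obj.proto is defined %}` branch, because the first branch requires all three keys, so the source-port restriction is silently dropped and the entire source is blocked for that protocol; add `{% elif obj.proto is defined and obj.sourceport is defined %}` with `-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} -j {{ iptables_banned_default_policy }}` ahead of that branch. The comment says the banlist is handled "before anything else", but the context lines show `-A INPUT -p icmp -j ACCEPT` and the loopback accept already precede it, so a banned source can still reach the host over ICMP; either move the block above those two rules or reword the comment to `# Banned IP/networks: evaluated before any service rule (ICMP and loopback are still accepted)`. `--sport`/`--dport` are only meaningful for port-carrying protocols, so an entry that combines a port with a protocol such as `proto: icmp` would presumably render a rule that iptables-restore rejects, and a restore failure leaves none of the rules loaded; documenting that ports require tcp/udp next to the variable, or guarding those branches on the protocol, closes that gap. `obj.source` is also referenced unguarded in every branch, so an entry without it renders `-s ` and would likely break the restore the same way.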