Generate rules for the docker swarm ports.

This commit is contained in:
Andrea Dell'Amico 2019-09-25 03:17:42 +02:00
parent cdb49768b0
commit c96a81a33c
1 changed files with 18 additions and 20 deletions


@ -36,12 +36,6 @@
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
# Permit all traffic from our networks
-A INPUT -s {{ network.isti }} -j ACCEPT
-A INPUT -s {{ network.nmis }} -j ACCEPT
-A INPUT -s {{ network.eduroam }} -j ACCEPT
{% endif %}
{% if http_port is not defined %}
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
@ -140,21 +134,20 @@
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
{% endif %}
{% endif %}
{% if dnet_ports is defined %}
# dnet services
{% for tcp_port in dnet_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
{% if docker_swarm is defined and docker_swarm %}
{% for cidr in docker_swarm_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if dnet_jmx_ports is defined %}
# dnet jmx ports. Open to the isti networks only
{% for tcp_port in dnet_jmx_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
@ -324,8 +317,14 @@
{% endif %}
{% endif %}
{% if keepalived_enabled is defined and keepalived_enabled %}
# Keepalived rules. Protocol vrrp, 112
{% if not keepalived_use_unicast %}
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
{% else %}
{% endif %}
-A INPUT -p vrrp -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
{% endif %}
#
{% if iptables_input_default_policy == 'REJECT' %}
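Review bot: The new multicast branch has no effect on what is accepted: after the `{% endif %}` the unconditional `-A INPUT -p vrrp -j ACCEPT` / `-A OUTPUT -p vrrp -j ACCEPT` still run in both modes, so VRRP is accepted from any source to any destination and the `-d {{ keepalived_mcast_addr }}` rules only add a redundant earlier match, while the `{% else %}` branch is empty as rendered. Moving those two unconditional lines into the `{% else %}` branch makes the unicast/multicast split real. Even then neither branch filters on source, and VRRP (protocol 112) carries no strong authentication, so restricting `-s` to the peer node(s) — presumably already known in unicast mode — is the check that actually stops a rogue advertiser on the segment from claiming the VIP. `keepalived_use_unicast` is also referenced without an `is defined` guard, unlike `keepalived_enabled`, so a host with keepalived enabled but that variable unset fails templating.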
@ -374,4 +373,3 @@ COMMIT
{% endfor %}
COMMIT
{% endif %}