From c96a81a33ce068feb52f178a68a30d2c61fa8cd8 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 25 Sep 2019 03:17:42 +0200
Subject: [PATCH] Generate rules for the docker swarm ports.

---
 .../iptables/templates/iptables-rules.v4.j2 | 38 +++++++++----------
 1 file changed, 18 insertions(+), 20 deletions(-)

diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index b115b60..09a618b 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -36,12 +36,6 @@
 # ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 {% endif %}
-{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
-# Permit all traffic from our networks
--A INPUT -s {{ network.isti }} -j ACCEPT
--A INPUT -s {{ network.nmis }} -j ACCEPT
--A INPUT -s {{ network.eduroam }} -j ACCEPT
-{% endif %}
 {% if http_port is not defined %}
 {% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
@@ -140,21 +134,20 @@
 -A INPUT -p tcp -m tcp --dport 27017 -j DROP
 {% endif %}
 {% endif %}
-{% if dnet_ports is defined %}
-# dnet services
-{% for tcp_port in dnet_ports %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
+
+{% if docker_swarm is defined and docker_swarm %}
+{% for cidr in docker_swarm_allowed_hosts %}
+-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
+-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
+-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
+-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
 {% endfor %}
+-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
-{% if dnet_jmx_ports is defined %}
-# dnet jmx ports. Open to the isti networks only
-{% for tcp_port in dnet_jmx_ports %}
--A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-{% endif %}
+
 {% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
 # Someone still uses ftp
 {% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
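Review bot: The new block reads `docker_swarm_allowed_hosts` and `docker_api_port` without the `is defined` guard the neighbouring `vsftpd_iptables_allowed_hosts` block uses, so a host with `docker_swarm` set but no allowed-hosts list either fails to render or, with a lenient undefined, emits a `--dport  -j ACCEPT` line that iptables-restore rejects; `{% if docker_swarm is defined and docker_swarm and docker_swarm_allowed_hosts is defined %}` would follow the template's own convention. The rule set covers 2377/tcp and 7946/tcp+udp but not 4789/udp, which swarm overlay networking (VXLAN) uses, so if overlay networks are in use the nodes will not be able to pass container traffic between them: add `-A INPUT -s {{ cidr }} -p udp -m udp --dport 4789 -j ACCEPT` inside the loop and the matching `-A INPUT -p udp -m udp --dport 4789 -j REJECT --reject-with icmp-host-prohibited` after it. Note that the same `docker_swarm_allowed_hosts` list also opens `docker_api_port`; the remote Docker API gives root-equivalent control of the node, so it deserves its own, narrower allow list (and TLS on the daemon side) rather than sharing the list used for swarm gossip. The block also lacks the heading comment every other service block carries; `# Docker swarm ports, open to the listed swarm nodes only` would match the file's style.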
@@ -324,8 +317,14 @@
 {% endif %}
 {% endif %}
 {% if keepalived_enabled is defined and keepalived_enabled %}
+# Keepalived rules. Protocol vrrp, 112
+{% if not keepalived_use_unicast %}
 -A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
 -A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
+{% else %}
+{% endif %}
+-A INPUT -p vrrp -j ACCEPT
+-A OUTPUT -p vrrp -j ACCEPT
 {% endif %}
 #
 {% if iptables_input_default_policy == 'REJECT' %}
@@ -374,4 +373,3 @@ COMMIT
 {% endfor %}
 COMMIT
 {% endif %}
-
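Review bot: The `{% else %}` branch is empty and the unconditional `-A INPUT -p vrrp -j ACCEPT` / `-A OUTPUT -p vrrp -j ACCEPT` pair sits after the `{% endif %}`, so it is rendered in both modes and the multicast-destination restriction above it is never the deciding match; VRRP from any source is accepted whenever keepalived is enabled. If the intent is multicast-scoped rules in multicast mode and unrestricted rules only in unicast mode, move the two unconditional lines between `{% else %}` and `{% endif %}`. In unicast mode the peer addresses are known, so a `-s` match on the configured peer(s) would be tighter than an unqualified accept, since otherwise any host that can reach the interface can take part in the VRRP election. `keepalived_use_unicast` is also tested without an `is defined` guard, unlike `keepalived_enabled` on the line above; `{% if keepalived_use_unicast is not defined or not keepalived_use_unicast %}` keeps hosts that never set the variable rendering.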