From 6eb98527ba7fb82a5799b3d7299368d777c590bc Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 15 Jul 2015 13:59:23 +0200
Subject: [PATCH] library/roles/iptables/templates/iptables-rules.v4.j2: manage multiple IPs for the nagios server. library/roles/iptables/templates/iptables-rules.v6.j2: set the same policy used by the ipv4 rules.
---
 iptables/templates/iptables-rules.v4.j2 | 9 ++++++---
 iptables/templates/iptables-rules.v6.j2 | 7 +++++++
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 8a5507ed..9d970de4 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -12,7 +12,7 @@
 {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
 {% if iptables_ssh_allowed_hosts is defined %}
 # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
-{% for ip in ssh_allowed_hosts %}
+{% for ip in iptables_ssh_allowed_hosts %}
 -A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
 {% endfor %}
 {% endif %}
@@ -134,9 +134,12 @@
 {% endif %}
 {% if nagios_monitoring_server_ip is defined %}
+{% for ip in nagios_monitoring_server_ip %}
 # Nagios NRPE
--A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
--A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
+# Check ntp from the nagios server
+-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
+{% endfor %}
 {% endif %}
 {% if munin_server is defined and configure_munin is defined and configure_munin %}
diff --git a/iptables/templates/iptables-rules.v6.j2 b/iptables/templates/iptables-rules.v6.j2
index d998b087..3d66444b 100644
--- a/iptables/templates/iptables-rules.v6.j2
+++ b/iptables/templates/iptables-rules.v6.j2
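Review bot: The new `{% for ip in nagios_monitoring_server_ip %}` loop silently changes the variable's expected type from a single address to a list, but the surrounding `{% if nagios_monitoring_server_ip is defined %}` guard does not check that, so any inventory still setting a plain string (constructed example: `nagios_monitoring_server_ip: 10.0.0.1`) is iterated character by character and renders one `-s 1`-style rule per character, which iptables-restore rejects, so the whole v4 ruleset fails to load. A tolerant form keeps old inventories working: `{% for ip in ([nagios_monitoring_server_ip] if nagios_monitoring_server_ip is string else nagios_monitoring_server_ip) %}`. The `# Nagios NRPE` comment now sits inside the loop and is repeated per address; moving it above the `{% for %}` line keeps the rendered file tidy, and a comment such as `# nagios_monitoring_server_ip: list of monitoring hosts allowed to reach NRPE (5666/tcp) and NTP (123/udp)` would document the new contract where the variable is consumed.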
@@ -2,4 +2,11 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+{% if iptables_default_policy == 'REJECT' %}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -j {{ iptables_default_policy }}
+-A FORWARD -j {{ iptables_default_policy }}
+{% endif %}
 COMMIT
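Review bot: `--reject-with icmp-host-prohibited` is not a valid reject type for ip6tables; the IPv6 REJECT target takes the ICMPv6 names (`icmp6-adm-prohibited` is the usual equivalent), so whenever `iptables_default_policy` is `REJECT` the v6 rules do not load at all and whatever ruleset was active before stays in place. The two lines should read `-A INPUT -j REJECT --reject-with icmp6-adm-prohibited` and `-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited`. Separately, the catch-all rule is appended straight after the chain declarations with no ACCEPT for loopback, ESTABLISHED/RELATED or ICMPv6 ahead of it, so it also blocks neighbour discovery and replies to outbound IPv6 connections; if closing IPv6 entirely is the intent, a comment like `# Inbound IPv6 is closed entirely (ICMPv6/NDP included); add ACCEPT rules above this line if IPv6 is needed` would make that explicit, and if the commit message's "same policy used by the ipv4 rules" means parity, the accept rules from the v4 template need to precede this one. The `{% else %}` branch also assumes `iptables_default_policy` is always defined; an unset variable would render `-A INPUT -j ` and break the restore, so a default via the role's defaults or `| default('DROP')` is worth confirming.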