From d2bcb78d80c785f11865e8e5592df61a854592b2 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Mon, 16 Mar 2020 14:18:32 +0100
Subject: [PATCH] More generic custom rules.

---
 .../iptables/templates/iptables-rules.v4.j2   | 50 ++++++++++++-------
 1 file changed, 31 insertions(+), 19 deletions(-)

diff --git a/library/roles/iptables/templates/iptables-rules.v4.j2 b/library/roles/iptables/templates/iptables-rules.v4.j2
index 875a87d0..fff1fb29 100644
--- a/library/roles/iptables/templates/iptables-rules.v4.j2
+++ b/library/roles/iptables/templates/iptables-rules.v4.j2
@@ -5,17 +5,17 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
-# We manage the banned IP/networks list before anything else
 {% if iptables_banlist is defined %}
+# We manage the banned IP/networks list before anything else
 {% for obj in iptables_banlist %}
 {% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% elif obj.proto is defined and obj.destport is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% elif obj.proto is defined %}
--A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% else %}
--A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
 {% endif %}
 {% endfor %}
 {% endif %}
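Review bot: The new `obj.policy | default(iptables_banned_default_policy)` on the four `-A {{ obj.chain | default('INPUT') }}` lines lets a banlist entry carry any target, including ACCEPT, and because this loop is rendered before every other rule such an entry would short-circuit the rest of the chain rather than ban anything. Nothing in the hunk constrains the value, so a typo or a copy-pasted entry becomes a silent allow. If the intent is only to choose between DROP and REJECT, validate it in the role (an `assert` task on the allowed values) and state the contract next to the loop, e.g. `# Optional per-entry keys: chain (default INPUT), target (default 0.0.0.0/0), policy (default iptables_banned_default_policy; rendered before any other rule, so it is honoured as-is)`. The `-d 0.0.0.0/0` default matches every destination and only changes the rendered text, which is fine but worth knowing when reading the output.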
@@ -74,11 +74,7 @@
 {% if psql_firewall_enabled %}
 {% if psql_db_port is defined %}
 {% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
-{% if psql_global_firewall is defined %}
-{% for ip in psql_global_firewall %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-{% endfor %}
-{% elif psql_db_data is defined %}
+{% if psql_db_data is defined %}
 # postgresql clients
 {% for db in psql_db_data %}
 {% for ip in db.allowed_hosts %}
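Review bot: Dropping the `psql_global_firewall` branch leaves inventories that still set only that variable with no postgres ACCEPT rule at all, and the template gives no hint why. The traffic then falls through to whatever the INPUT default policy at the end of the file renders, so the change fails closed, which is the safe direction, but it is still a silent behavioural change for those hosts. A one-line comment here, `# psql_global_firewall is no longer honoured; list clients under psql_db_data[].allowed_hosts`, or an `assert` in the role that the old variable is undefined, would make the migration visible. The enclosing psql block continues past the end of the hunk.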
@@ -201,7 +197,28 @@
 {% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
 # orientdb hazelcast multicast rules
 -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
--A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
+-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
+{% endif %}
+# Ganglia
+{% if ganglia_enabled is defined and ganglia_enabled %}
+{% if ganglia_gmond_cluster_port is defined %}
+{% if ganglia_unicast_mode is defined %}
+{% if ganglia_unicast_mode %}
+{% for net in ganglia_unicast_networks %}
+-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+{% endfor %}
+{% else %}
+{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
+-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
+{% else %}
+-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
+-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+{% endif %}
+{% endif %}
+{% endif %}
+-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
+-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }}  -j ACCEPT
+{% endif %}
 {% endif %}
 # Postfix
 {% if postfix_relay_server is defined %}
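Review bot: In the new Ganglia block, the jmxtrans branch's `-A INPUT -m pkttype --pkt-type multicast -j ACCEPT` accepts every multicast packet on the host regardless of protocol or group, which is much wider than the sibling branch that scopes the same rule with `-d {{ ganglia_gmond_mcast_addr }}`. If jmxtrans really needs more than the gmond group, list those groups explicitly or at least restrict the wildcard to `-p udp`, e.g. `-A INPUT -p udp -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT`, and explain in a comment why the branch differs. Separately, the OrientDB line now adds `-s {{orientdb_hazelcast_multicast_group}}` to a TCP rule; if that variable holds a 224.0.0.0/4 group address, as its name suggests, no TCP segment will ever carry it as a source and the hazelcast TCP port is effectively closed, so the intended filter is probably the peer nodes' unicast addresses. The `# Ganglia` header is also emitted when ganglia is disabled; moving it inside the `{% if ganglia_enabled ... %}` keeps the rendered file tidy.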
@@ -225,7 +242,6 @@
 {% if postfix_relay_client is defined%}
 {% if postfix_relay_client %}
 #
-{% if not postfix_relay_client_do_not_stop_submission %}
 # When we are not a relay server but we want send email using our relay
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
 -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
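Review bot: Removing `{% if not postfix_relay_client_do_not_stop_submission %}` here (and its matching `{% endif %}` in the next hunk) makes the two OUTPUT ACCEPT rules unconditional for relay clients, while the variable itself is presumably still declared in the role defaults and is now silently ignored. Anyone still setting it gets no warning that it no longer does anything. Either drop it from the defaults and documentation in the same change, or leave a note in the template, `# postfix_relay_client_do_not_stop_submission is no longer used; submission rules are always rendered for relay clients`. The postfix_relay_client block continues past the end of this hunk, so the rest of the former conditional body is not visible here.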
@@ -234,7 +250,6 @@
 {% endif %}
 {% endif %}
 {% endif %}
-{% endif %}
 {% if iptables is defined %}
 {% if iptables.tcp_rules is defined and iptables.tcp_rules %}
 # TCP rules
@@ -317,16 +332,13 @@
 {% else %}
 -A INPUT -j {{ iptables_input_default_policy }}
 {% endif %}
-{% if not iptables_nat_enabled %}
-{% if iptables_forward_default_policy == 'REJECT' %}
+{% if iptables_nat_enabled or iptables_post_nat_enabled %}
+-A FORWARD -j ACCEPT
+{% elif iptables_forward_default_policy == 'REJECT' %}
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 {% else %}
 -A FORWARD -j {{ iptables_forward_default_policy }}
 {% endif %}
-{% else %}
-# NAT is enabled, we need to accept traffic that is forwarded
--A FORWARD -j ACCEPT
-{% endif %}
 COMMIT
 {% if iptables_nat_enabled %}
 # This should be obsoleted
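Review bot: The new `{% if iptables_nat_enabled or iptables_post_nat_enabled %}` references `iptables_post_nat_enabled` without an `is defined` guard, so unless it is declared in the role defaults (not visible here) Ansible's strict undefined handling will abort rendering on every host that does not set it once `iptables_nat_enabled` is false; `{% if iptables_nat_enabled or (iptables_post_nat_enabled | default(false)) %}` keeps the old behaviour for those hosts. The removed line `# NAT is enabled, we need to accept traffic that is forwarded` was the only explanation of why FORWARD is opened wholesale; keep it on the new ACCEPT branch, e.g. `# NAT or post-NAT is enabled: forwarded traffic is accepted here, nothing in this chain narrows it`. The unconditional FORWARD ACCEPT predates the change, but it is now reached in one more configuration, so the comment is worth having.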