ansible-roles/library/roles/iptables/templates/iptables-rules.v4.j2

#
# {{ ansible_managed }} don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# We manage the banned IP/networks list before anything else
{% if iptables_banlist is defined %}
{% for obj in iptables_banlist %}
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
{% elif obj.proto is defined and obj.destport is defined %}
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
{% elif obj.proto is defined %}
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
{% else %}
-A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
{% endif %}
{% endfor %}
{% endif %}
# Return traffic and localhost
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in iptables_ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% else %}
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if http_port is not defined %}
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
{% endif %}
{% endif %}
{% if http_port is defined %}
# http
{% if http_allowed_hosts is defined %}
{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
{% endif %}
{% endif %}

{% if https_port is defined %}
# https
{% if https_allowed_hosts is defined %}
{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if https_managed_hosts is defined %}
{% for rule in https_managed_hosts %}
-A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }}
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
{% endif %}
{% endif %}
{% endif %}
{% if psql_firewall_enabled %}
{% if psql_db_port is defined %}
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
{% if psql_global_firewall is defined %}
{% for ip in psql_global_firewall %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% elif psql_db_data is defined %}
# postgresql clients
{% for db in psql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% endif %}
{% endif %}
{% if mysql_firewall_enabled %}
{% if mysql_db_port is defined %}
{% if mysql_listen_on_ext_int %}
# mysql clients
{% for db in mysql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
-A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT
-A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP
{% endif %}
{% endif %}
{% if openldap_slapd_tcp_port is defined %}
{% if openldap_allowed_clients is defined %}
# LDAP
{% for addr in openldap_allowed_clients %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
{% if not openldap_slapd_ssl_only %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT
{% endif %}
{% endif %}
{% if mongodb_allowed_hosts is defined %}
# mongodb clients
{% for ip in mongodb_allowed_hosts %}
{% if mongodb_tcp_port is defined %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
{% else %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
{% endif %}
{% endfor %}
{% if mongodb_tcp_port is defined %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
{% else %}
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
{% endif %}
{% endif %}

{% if docker_swarm is defined and docker_swarm %}
{% for cidr in docker_swarm_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
{% endfor %}
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
{% endif %}

{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
{% endif %}
{% endif %}
#
# TODO: add the rules that block traffic from now on
#
{% if nagios_enabled is defined %}
{% if nagios_enabled %}
{% if nagios_monitoring_server_ip is defined %}
# Nagios NRPE
{% for ip in nagios_monitoring_server_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
# Check ntp from the nagios server
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if configure_munin is defined %}
{% if configure_munin %}
{% if munin_server %}
# Munin
{% for ip in munin_server %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% endif %}
{% endif %}
{% if tomcat_cluster_enabled %}
# tomcat cluster
-A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT
{% if tomcat_cluster_multicast_net is defined %}
-A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT
{% endif %}
{% endif %}
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
# orientdb hazelcast multicast rules
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
{% endif %}
# Postfix
{% if postfix_relay_server is defined %}
{% if postfix_relay_server %}
#
# These are only needed on the machines that act as relay servers
#
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% if postfix_relay_server is defined and not postfix_relay_server %}
{% if postfix_relay_client is defined%}
{% if postfix_relay_client %}
#
{% if not postfix_relay_client_do_not_stop_submission %}
# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% endif %}
{% endif %}
{% endif %}
{% if iptables is defined %}
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
# TCP rules
{% for tcp_rule in iptables.tcp %}
{% if tcp_rule.allowed_hosts is defined %}
{% for ip in tcp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip  %}
-A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.udp_rules is defined and iptables.udp_rules %}
# UDP rules
{% for udp_rule in iptables.udp %}
{% if udp_rule.allowed_hosts is defined %}
{% for ip in udp_rule.allowed_hosts %}
{% if ip is string %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
{% else %}
{% for ip_really in ip  %}
-A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
{% endfor %}
{% endif %}
{% endfor %}
{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }}  -j {{ udp_rule.policy | default('ACCEPT') }}
{% endif %}
{% endfor %}
{% endif %}
{% if iptables.any_rules is defined and iptables.any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for ip in any_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
{% if iptables.managed_any_rules is defined and iptables.managed_any_rules %}
# ANY rules
{% for any_rule in iptables.any %}
{% for rule in any_rule.allowed_hosts %}
-A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }}
{% endfor %}
{% endfor %}
{% endif %}
# End of the custom rules
{% endif %}
# Prometheus exporters
{% if prometheus_enabled is defined and prometheus_enabled %}
{% if prometheus_servers_ip is defined %}
{% for ip in prometheus_servers_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT
{% endif %}
{% endif %}
{% if keepalived_enabled is defined and keepalived_enabled %}
# Keepalived rules. Protocol vrrp, 112
{% if not keepalived_use_unicast %}
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
{% else %}
{% endif %}
-A INPUT -p vrrp -j ACCEPT
-A OUTPUT -p vrrp -j ACCEPT
{% endif %}
#
{% if iptables_input_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_input_default_policy }}
{% endif %}
{% if not iptables_nat_enabled %}
{% if iptables_forward_default_policy == 'REJECT' %}
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A FORWARD -j {{ iptables_forward_default_policy }}
{% endif %}
{% else %}
# NAT is enabled, we need to accept traffic that is forwarded
-A FORWARD -j ACCEPT
{% endif %}
COMMIT
{% if iptables_nat_enabled %}
# This should be obsoleted
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if iptables_nat_specify_interfaces %}
{% for int in iptables_nat_interfaces %}
-A POSTROUTING -o {{ int }} -j MASQUERADE
{% endfor %}
{% else %}
-A POSTROUTING  -j MASQUERADE
{% endif %}
COMMIT
{% endif %}

{% if iptables_post_nat_enabled %}
# NAT rules
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% for rule in iptables_nat_rules %}
-A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }}
{% endfor %}
COMMIT
{% endif %}