ansible-roles/iptables/templates/iptables-rules.v4.j2

#
# don't manually modify this file
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %}
{% endif %}
{% else %}
# ssh is always open. We use denyhosts to prevent unauthorized accesses
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
{% endif %}
{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
# Permit all traffic from our networks
-A INPUT -s {{ network.isti }} -j ACCEPT
-A INPUT -s {{ network.nmis }} -j ACCEPT
-A INPUT -s {{ network.eduroam }} -j ACCEPT
{% endif %}
{% if http_port is defined %}
# http
{% if http_allowed_hosts is defined %}
{% for ip in http_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT
{% endif %}
{% endif %}

{% if https_port is defined %}
# https
{% if https_allowed_hosts is defined %}
{% for ip in https_allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT
{% endif %}
{% endif %}

{% if psql_db_port is defined %}
{% if psql_listen_on_ext_int %}
# postgresql clients
{% for db in psql_db_data %}
{% for ip in db.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
{% endfor %}
{% endfor %}
{% endif %}
-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP
{% endif %}

{% if mongodb_allowed_hosts is defined %}
# mongodb clients
{% for ip in mongodb_allowed_hosts %}
{% if mongodb_tcp_port is defined %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT
{% else %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT
{% endif %}
{% endfor %}
{% if mongodb_tcp_port is defined %}
-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP
{% else %}
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
{% endif %}
{% endif %}

{% if dnet_ports is defined %}
# dnet services
{% for tcp_port in dnet_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if dnet_jmx_ports is defined %}
# dnet jmx ports. Open to the isti networks only
{% for tcp_port in dnet_jmx_ports %}
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
# Someone still uses ftp
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
{% for ip in vsftpd_iptables_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT
-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT
{% endfor %}
-A INPUT -m helper --helper ftp -j ACCEPT
{% endif %}
{% endif %}

{% if nagios_monitoring_server_ip is defined %}
# Nagios NRPE
-A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endif %}

{% if munin_server is defined and configure_munin is defined and configure_munin %}
{% for ip in munin_server %}
# Munin
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT
{% endfor %}
{% endif %}

{% if ganglia_gmond_cluster_port is defined %}
# Ganglia
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
{% else %}
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
{% endif %}
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }}  -j ACCEPT
{% endif %}

{% if postfix_relay_server is defined and postfix_relay_server %}
#
# These are only needed on the machines that act as relay servers
#
-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
{% if postfix_use_relay_host is defined and postfix_use_relay_host %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
{% else %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT
{% endif %}
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}
{% if postfix_relay_server is defined and not postfix_relay_server %}
#
# When we are not a relay server but we want send email using our relay
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP
{% endif %}

{% if iptables is defined %}
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
{% for tcp_rule in iptables.tcp %}
{% if tcp_rule.allowed_hosts is defined %}
{% for ip in tcp_rule.allowed_hosts %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT
{% endif %}
{% endfor %}
{% endif %}

{% if iptables.udp_rules is defined and iptables.udp_rules %}
{% for udp_rule in iptables.udp %}
{% if udp_rule.allowed_hosts is defined %}
{% for ip in udp_rule.allowed_hosts %}
-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }}  -j ACCEPT
{% endfor %}
{% else %}
-A INPUT -p udp -m udp --dport {{ udp_rule.port }}  -j ACCEPT
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
#
#
-A INPUT -s 125.24.0.0/14 -j DROP
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
{% else %}
-A INPUT -j {{ iptables_default_policy }}
-A FORWARD -j {{ iptables_default_policy }}
{% endif %}

COMMIT
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`#`
			`# don't manually modify this file`
			`#`
			`*filter`
			`:INPUT ACCEPT [0:0]`
			`:FORWARD ACCEPT [0:0]`
			`:OUTPUT ACCEPT [0:0]`
			`-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`
			`-A INPUT -p icmp -j ACCEPT`
			`-A INPUT -i lo -j ACCEPT`
			`#`
			`{% if iptables_managed_ssh is defined and iptables_managed_ssh %}`
			`{% if iptables_ssh_allowed_hosts is defined %}`
			`# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses`
			`{% for ip in ssh_allowed_hosts %}`
			`-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT`
			`{% endfor %}`
			`{% endif %}`
			`{% else %}`
			`# ssh is always open. We use denyhosts to prevent unauthorized accesses`
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT`
			`{% endif %}`
library: small fixes. d4science-gcube/roles/mediawiki_setup/templates/nginx-mediawiki.j2: First attempt at a nginx ssl config. 2015-06-14 23:39:13 +02:00			`{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}`
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`# Permit all traffic from our networks`
			`-A INPUT -s {{ network.isti }} -j ACCEPT`
			`-A INPUT -s {{ network.nmis }} -j ACCEPT`
			`-A INPUT -s {{ network.eduroam }} -j ACCEPT`
			`{% endif %}`
			`{% if http_port is defined %}`
			`# http`
			`{% if http_allowed_hosts is defined %}`
			`{% for ip in http_allowed_hosts %}`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT`
			`{% endfor %}`
			`{% else %}`
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT`
			`{% endif %}`
			`{% endif %}`

			`{% if https_port is defined %}`
			`# https`
			`{% if https_allowed_hosts is defined %}`
			`{% for ip in https_allowed_hosts %}`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT`
			`{% endfor %}`
			`{% else %}`
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT`
			`{% endif %}`
			`{% endif %}`

			`{% if psql_db_port is defined %}`
			`{% if psql_listen_on_ext_int %}`
			`# postgresql clients`
			`{% for db in psql_db_data %}`
			`{% for ip in db.allowed_hosts %}`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT`
			`{% endfor %}`
			`{% endfor %}`
			`{% endif %}`
			`-A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP`
			`{% endif %}`

			`{% if mongodb_allowed_hosts is defined %}`
			`# mongodb clients`
			`{% for ip in mongodb_allowed_hosts %}`
d4science-ghn-cluster: We now manage the iptables firewall on the mongodb cluster. library/roles: separate task that sets the hostname library/vars/isti-global.yml: add the d4science partners networks as a common variable. 2015-06-11 16:29:58 +02:00			`{% if mongodb_tcp_port is defined %}`
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT`
d4science-ghn-cluster: We now manage the iptables firewall on the mongodb cluster. library/roles: separate task that sets the hostname library/vars/isti-global.yml: add the d4science partners networks as a common variable. 2015-06-11 16:29:58 +02:00			`{% else %}`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT`
			`{% endif %}`
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`{% endfor %}`
d4science-ghn-cluster: We now manage the iptables firewall on the mongodb cluster. library/roles: separate task that sets the hostname library/vars/isti-global.yml: add the d4science partners networks as a common variable. 2015-06-11 16:29:58 +02:00			`{% if mongodb_tcp_port is defined %}`
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`-A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP`
d4science-ghn-cluster: We now manage the iptables firewall on the mongodb cluster. library/roles: separate task that sets the hostname library/vars/isti-global.yml: add the d4science partners networks as a common variable. 2015-06-11 16:29:58 +02:00			`{% else %}`
			`-A INPUT -p tcp -m tcp --dport 27017 -j DROP`
			`{% endif %}`
Major refactoring. Moved all the library roles under 'library/roles' and changed all the occurrances inside all the playbooks. 2015-05-28 11:32:57 +02:00			`{% endif %}`

			`{% if dnet_ports is defined %}`
			`# dnet services`
			`{% for tcp_port in dnet_ports %}`
			`-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT`
			`{% endfor %}`
			`{% endif %}`

			`{% if dnet_jmx_ports is defined %}`
			`# dnet jmx ports. Open to the isti networks only`
			`{% for tcp_port in dnet_jmx_ports %}`
			`-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT`
			`-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT`
			`-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT`
			`{% endfor %}`
			`{% endif %}`

			`{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}`
			`# Someone still uses ftp`
			`{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}`
			`{% for ip in vsftpd_iptables_allowed_hosts %}`
			`-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT`
			`-A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT`
			`{% endfor %}`
			`-A INPUT -m helper --helper ftp -j ACCEPT`
			`{% endif %}`
			`{% endif %}`

			`{% if nagios_monitoring_server_ip is defined %}`
			`# Nagios NRPE`
			`-A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT`
			`-A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT`
			`{% endif %}`

			`{% if munin_server is defined and configure_munin is defined and configure_munin %}`
			`{% for ip in munin_server %}`
			`# Munin`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT`
			`{% endfor %}`
			`{% endif %}`

			`{% if ganglia_gmond_cluster_port is defined %}`
			`# Ganglia`
			`{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}`
			`-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT`
			`{% else %}`
			`-A INPUT -m pkttype --pkt-type multicast -j ACCEPT`
			`-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT`
			`{% endif %}`
			`-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT`
			`-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT`
			`{% endif %}`

			`{% if postfix_relay_server is defined and postfix_relay_server %}`
			`#`
			`# These are only needed on the machines that act as relay servers`
			`#`
			`-A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT`
			`{% if postfix_use_relay_host is defined and postfix_use_relay_host %}`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT`
			`{% else %}`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT`
			`{% endif %}`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP`
			`{% endif %}`
			`{% if postfix_relay_server is defined and not postfix_relay_server %}`
			`#`
			`# When we are not a relay server but we want send email using our relay`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid`
			`-A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP`
			`{% endif %}`

			`{% if iptables is defined %}`
			`{% if iptables.tcp_rules is defined and iptables.tcp_rules %}`
			`{% for tcp_rule in iptables.tcp %}`
			`{% if tcp_rule.allowed_hosts is defined %}`
			`{% for ip in tcp_rule.allowed_hosts %}`
			`-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j ACCEPT`
			`{% endfor %}`
			`{% else %}`
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j ACCEPT`
			`{% endif %}`
			`{% endfor %}`
			`{% endif %}`

			`{% if iptables.udp_rules is defined and iptables.udp_rules %}`
			`{% for udp_rule in iptables.udp %}`
			`{% if udp_rule.allowed_hosts is defined %}`
			`{% for ip in udp_rule.allowed_hosts %}`
			`-A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT`
			`{% endfor %}`
			`{% else %}`
			`-A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j ACCEPT`
			`{% endif %}`
			`{% endfor %}`
			`{% endif %}`
			`{% endif %}`
			`#`
			`#`
			`-A INPUT -s 125.24.0.0/14 -j DROP`
			`{% if iptables_default_policy == 'REJECT' %}`
			`-A INPUT -j REJECT --reject-with icmp-host-prohibited`
			`-A FORWARD -j REJECT --reject-with icmp-host-prohibited`
			`{% else %}`
			`-A INPUT -j {{ iptables_default_policy }}`
			`-A FORWARD -j {{ iptables_default_policy }}`
			`{% endif %}`

			`COMMIT`