From 31b8b7b71174780b6aaeac4899575c4b8cdeef04 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Tue, 19 Feb 2019 16:54:15 +0100
Subject: [PATCH] Put the prometheus rules at the end of the template, so that they not interfere with other rules.
---
 iptables/templates/iptables-rules.v4.j2 | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/iptables/templates/iptables-rules.v4.j2 b/iptables/templates/iptables-rules.v4.j2
index 436dcc05..93776d89 100644
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@@ -206,17 +206,6 @@
 -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
 {% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
--A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endfor %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
--A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endif %}
-{% endif %}
 # Ganglia
 {% if ganglia_enabled is defined and ganglia_enabled %}
 {% if ganglia_gmond_cluster_port is defined %}
@@ -323,6 +312,17 @@
 {% endif %}
 # End of the custom rules
 {% endif %}
+# Prometheus exporters
+{% if prometheus_enabled is defined and prometheus_enabled %}
+{% if prometheus_servers_ip is defined %}
+{% for ip in prometheus_servers_ip %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endif %}
+{% endif %}
 {% if keepalived_enabled is defined and keepalived_enabled %}
 -A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
 -A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
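Review bot: The `{% else %}` branch of the moved block still accepts NEW connections to the whole 9100:9300 exporter range from any source whenever `prometheus_servers_ip` is undefined, so a host with `prometheus_enabled` set but no server list exposes every exporter in that range to the network by default. A safer fallback is to fail closed, i.e. replace the else-branch line with `-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited`, or to drop the else branch and require the server list when Prometheus is enabled; if the wide-open default is intentional, a comment such as `# No prometheus_servers_ip defined: exporters reachable from any source` should say so. Since the block now follows `# End of the custom rules`, any earlier custom ACCEPT on these ports will presumably win over the REJECT added here, which looks like the intent of the move but is worth stating in the comment above the block. The enclosing `{% if %}` structure of the custom-rules section begins outside the hunk.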