Put the prometheus rules at the end of the template, so that they not interfere with other rules.

2019-02-19 16:54:15 +01:00 · 2019-02-19 16:54:15 +01:00 · 31b8b7b711
parent f824c4aa9a
commit 31b8b7b711
1 changed files with 11 additions and 11 deletions
--- a/iptables/templates/iptables-rules.v4.j2
+++ b/iptables/templates/iptables-rules.v4.j2
@ -206,17 +206,6 @@
 -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
 -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
 {% endif %}
-# Prometheus exporters
-{% if prometheus_enabled is defined and prometheus_enabled %}
-{% if prometheus_servers_ip is defined %}
-{% for ip in prometheus_servers_ip %}
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endfor %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
-{% else %}
-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
-{% endif %}
-{% endif %}
 # Ganglia
 {% if ganglia_enabled is defined and ganglia_enabled %}
 {% if ganglia_gmond_cluster_port is defined %}
@ -323,6 +312,17 @@
 {% endif %}
 # End of the custom rules
 {% endif %}
+# Prometheus exporters
+{% if prometheus_enabled is defined and prometheus_enabled %}
+{% if prometheus_servers_ip is defined %}
+{% for ip in prometheus_servers_ip %}
+-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endfor %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9300 -j ACCEPT
+{% endif %}
+{% endif %}
 {% if keepalived_enabled is defined and keepalived_enabled %}
 -A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
 -A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT