Generate rules for the docker swarm ports.
This commit is contained in:
parent
cdb49768b0
commit
c96a81a33c
|
@ -36,12 +36,6 @@
|
|||
# ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
||||
{% endif %}
|
||||
{% if iptables_open_all_to_isti_nets is defined and iptables_open_all_to_isti_nets %}
|
||||
# Permit all traffic from our networks
|
||||
-A INPUT -s {{ network.isti }} -j ACCEPT
|
||||
-A INPUT -s {{ network.nmis }} -j ACCEPT
|
||||
-A INPUT -s {{ network.eduroam }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% if http_port is not defined %}
|
||||
{% if letsencrypt_acme_install is defined and letsencrypt_acme_install %}
|
||||
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
|
||||
|
@ -140,21 +134,20 @@
|
|||
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if dnet_ports is defined %}
|
||||
# dnet services
|
||||
{% for tcp_port in dnet_ports %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j ACCEPT
|
||||
|
||||
{% if docker_swarm is defined and docker_swarm %}
|
||||
{% for cidr in docker_swarm_allowed_hosts %}
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT
|
||||
-A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
{% if dnet_jmx_ports is defined %}
|
||||
# dnet jmx ports. Open to the isti networks only
|
||||
{% for tcp_port in dnet_jmx_ports %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.isti }} --dport {{ tcp_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.nmis }} --dport {{ tcp_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp -s {{ network.eduroam }} --dport {{ tcp_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tcp_port }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% endif %}
|
||||
|
||||
{% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %}
|
||||
# Someone still uses ftp
|
||||
{% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %}
|
||||
|
@ -324,8 +317,14 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% if keepalived_enabled is defined and keepalived_enabled %}
|
||||
# Keepalived rules. Protocol vrrp, 112
|
||||
{% if not keepalived_use_unicast %}
|
||||
-A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
||||
-A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT
|
||||
{% else %}
|
||||
{% endif %}
|
||||
-A INPUT -p vrrp -j ACCEPT
|
||||
-A OUTPUT -p vrrp -j ACCEPT
|
||||
{% endif %}
|
||||
#
|
||||
{% if iptables_input_default_policy == 'REJECT' %}
|
||||
|
@ -374,4 +373,3 @@ COMMIT
|
|||
{% endfor %}
|
||||
COMMIT
|
||||
{% endif %}
|
||||
|
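Review bot: `docker_swarm_allowed_hosts` and `docker_api_port` are used unguarded in the new swarm block, unlike the neighbouring blocks that test `is defined` before use (`vsftpd_iptables_allowed_hosts`, `dnet_jmx_ports`), so with `docker_swarm` true but either variable missing the whole template render aborts; guard it as `{% if docker_swarm is defined and docker_swarm and docker_swarm_allowed_hosts is defined %}` and give `docker_api_port` a default in the role's defaults. The `--dport {{ docker_api_port }}` ACCEPT exposes the Docker remote API to every listed CIDR, and that API is root-equivalent on the host, so consider rendering that line only when TLS client authentication is configured for the daemon and add a comment stating that requirement next to it. If overlay networking is used between the nodes, 4789/udp (VXLAN) is not in the list and would need the same ACCEPT/REJECT pair as 7946/udp. As rendered, the `{% for tcp_port in dnet_ports %}` loop above the block has no visible `{% endfor %}`/`{% endif %}` before `{% if docker_swarm ... %}`, and `{{ tcp_port }}` is referenced in a REJECT line after the `{% endfor %}` of the jmx loop; both may be page artifacts, but if not, the first breaks template compilation and the second renders an undefined loop variable.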
||||
|
|