# # {{ ansible_managed }} don't manually modify this file # *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # We manage the banned IP/networks list before anything else {% if iptables_banlist is defined %} {% for obj in iptables_banlist %} {% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %} -A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }} {% elif obj.proto is defined and obj.destport is defined %} -A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }} {% elif obj.proto is defined %} -A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }} {% else %} -A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }} {% endif %} {% endfor %} {% endif %} # Return traffic and localhost -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT # {% if iptables_managed_ssh is defined and iptables_managed_ssh %} {% if iptables_ssh_allowed_hosts is defined %} # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses {% for ip in iptables_ssh_allowed_hosts %} -A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j REJECT --reject-with icmp-host-prohibited {% endif %} {% else %} # ssh is always open. We use denyhosts or fail2ban to prevent unauthorized accesses -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT {% endif %} {% if http_port is not defined %} {% if letsencrypt_acme_install is defined and letsencrypt_acme_install %} -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT {% endif %} {% endif %} {% if http_port is defined %} # http {% if http_allowed_hosts is defined %} {% for ip in http_allowed_hosts %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ http_port }} -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ http_port }} -j REJECT --reject-with icmp-host-prohibited {% else %} -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ http_port }} -j ACCEPT {% endif %} {% endif %} {% if https_port is defined %} # https {% if https_allowed_hosts is defined %} {% for ip in https_allowed_hosts %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ https_port }} -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j REJECT --reject-with icmp-host-prohibited {% else %} {% if https_managed_hosts is defined %} {% for rule in https_managed_hosts %} -A INPUT -m state --state NEW -s {{ rule.source_ip }} -p tcp -m tcp --dport {{ https_port }} -j {{ rule.policy }} {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ https_port }} -j {{ iptables_https_managed_hosts_default_policy }} {% else %} -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ https_port }} -j ACCEPT {% endif %} {% endif %} {% endif %} {% if psql_firewall_enabled %} {% if psql_db_port is defined %} {% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %} {% if psql_global_firewall is defined %} {% for ip in psql_global_firewall %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT {% endfor %} {% elif psql_db_data is defined %} # postgresql clients {% for db in psql_db_data %} {% for ip in db.allowed_hosts %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT {% endfor %} {% endfor %} {% endif %} {% endif %} -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT -A INPUT -p tcp -m tcp --dport {{ psql_db_port }} -j DROP {% endif %} {% endif %} {% if mysql_firewall_enabled %} {% if mysql_db_port is defined %} {% if mysql_listen_on_ext_int %} # mysql clients {% for db in mysql_db_data %} {% for ip in db.allowed_hosts %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT {% endfor %} {% endfor %} {% endif %} -A INPUT -m state --state NEW -s {{ ansible_default_ipv4.address }} -p tcp -m tcp --dport {{ mysql_db_port }} -j ACCEPT -A INPUT -p tcp -m tcp --dport {{ mysql_db_port }} -j DROP {% endif %} {% endif %} {% if openldap_slapd_tcp_port is defined %} {% if openldap_allowed_clients is defined %} # LDAP {% for addr in openldap_allowed_clients %} {% if not openldap_slapd_ssl_only %} -A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT {% endif %} -A INPUT -m state --state NEW -s {{ addr }} -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j REJECT --reject-with icmp-host-prohibited -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j REJECT --reject-with icmp-host-prohibited {% else %} {% if not openldap_slapd_ssl_only %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_tcp_port }} -j ACCEPT {% endif %} -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ openldap_slapd_ssl_port }} -j ACCEPT {% endif %} {% endif %} {% if mongodb_allowed_hosts is defined %} # mongodb clients {% for ip in mongodb_allowed_hosts %} {% if mongodb_tcp_port is defined %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j ACCEPT {% else %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 27017 -j ACCEPT {% endif %} {% endfor %} {% if mongodb_tcp_port is defined %} -A INPUT -p tcp -m tcp --dport {{ mongodb_tcp_port }} -j DROP {% else %} -A INPUT -p tcp -m tcp --dport 27017 -j DROP {% endif %} {% endif %} {% if docker_swarm is defined and docker_swarm %} {% for cidr in docker_swarm_allowed_hosts %} -A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 2377 -j ACCEPT -A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport 7946 -j ACCEPT -A INPUT -m state --state NEW -s {{ cidr }} -p tcp -m tcp --dport {{ docker_api_port }} -j ACCEPT -A INPUT -s {{ cidr }} -p udp -m udp --dport 7946 -j ACCEPT {% endfor %} -A INPUT -p tcp -m tcp --dport 2377 -j REJECT --reject-with icmp-host-prohibited -A INPUT -p tcp -m tcp --dport 7946 -j REJECT --reject-with icmp-host-prohibited -A INPUT -p tcp -m tcp --dport {{ docker_api_port }} -j REJECT --reject-with icmp-host-prohibited -A INPUT -p udp -m udp --dport 7946 -j REJECT --reject-with icmp-host-prohibited {% endif %} {% if vsftpd_iptables_rules is defined and vsftpd_iptables_rules %} # Someone still uses ftp {% if vsftpd_iptables_allowed_hosts is defined and vsftpd_iptables_allowed_hosts %} {% for ip in vsftpd_iptables_allowed_hosts %} -A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport ftp -j ACCEPT -A INPUT -m state --state NEW,RELATED -m tcp -p tcp -s {{ ip }} --dport {{ vsftpd_pasv_min_port }}:{{ vsftpd_pasv_max_port }} -j ACCEPT {% endfor %} -A INPUT -m helper --helper ftp -j ACCEPT {% endif %} {% endif %} # # TODO: add the rules that block traffic from now on # {% if nagios_enabled is defined %} {% if nagios_enabled %} {% if nagios_monitoring_server_ip is defined %} # Nagios NRPE {% for ip in nagios_monitoring_server_ip %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT # Check ntp from the nagios server -A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport 5666 -j REJECT --reject-with icmp-host-prohibited -A INPUT -p udp -m udp --dport 123 -j REJECT --reject-with icmp-host-prohibited {% endif %} {% endif %} {% endif %} {% if configure_munin is defined %} {% if configure_munin %} {% if munin_server %} # Munin {% for ip in munin_server %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 4949 -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport 4949 -j REJECT --reject-with icmp-host-prohibited {% endif %} {% endif %} {% endif %} {% if tomcat_cluster_enabled %} # tomcat cluster -A INPUT -m pkttype --pkt-type multicast -d {{ tomcat_cluster_multicast_addr }} -j ACCEPT -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ tomcat_cluster_multicast_port }} -j ACCEPT {% if tomcat_cluster_multicast_net is defined %} -A INPUT -d {{ tomcat_cluster_multicast_net }} -j ACCEPT {% endif %} {% endif %} {% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %} # orientdb hazelcast multicast rules -A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT -A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT {% endif %} # Postfix {% if postfix_relay_server is defined %} {% if postfix_relay_server %} # # These are only needed on the machines that act as relay servers # -A INPUT -p tcp -m multiport --dports 25,587,465 -s {{ network.nmis }} -j ACCEPT -A INPUT -p tcp -m multiport --dports 25,587,465 -j REJECT --reject-with icmp-host-prohibited -A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT {% if postfix_use_relay_host is defined and postfix_use_relay_host %} -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT {% else %} -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -j ACCEPT {% endif %} -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid -A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP {% endif %} {% endif %} {% if postfix_relay_server is defined and not postfix_relay_server %} {% if postfix_relay_client is defined%} {% if postfix_relay_client %} # {% if not postfix_relay_client_do_not_stop_submission %} # When we are not a relay server but we want send email using our relay -A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT -A OUTPUT -p tcp -m multiport --dports 25,587,465 -m state --state NEW -j LOG --log-prefix "LOCAL_DROPPED_SPAM " --log-uid -A OUTPUT -p tcp -m multiport --dports 25,587,465 -j DROP {% endif %} {% endif %} {% endif %} {% endif %} {% if iptables is defined %} {% if iptables.tcp_rules is defined and iptables.tcp_rules %} # TCP rules {% for tcp_rule in iptables.tcp %} {% if tcp_rule.allowed_hosts is defined %} {% for ip in tcp_rule.allowed_hosts %} {% if ip is string %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} {% else %} {% for ip_really in ip %} -A INPUT -m state --state NEW -s {{ ip_really }} -p tcp -m tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} {% endfor %} {% endif %} {% endfor %} {% else %} -A INPUT -m state --state NEW -m tcp -p tcp --dport {{ tcp_rule.port }} -j {{ tcp_rule.policy | default('ACCEPT') }} {% endif %} {% endfor %} {% endif %} {% if iptables.udp_rules is defined and iptables.udp_rules %} # UDP rules {% for udp_rule in iptables.udp %} {% if udp_rule.allowed_hosts is defined %} {% for ip in udp_rule.allowed_hosts %} {% if ip is string %} -A INPUT -s {{ ip }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} {% else %} {% for ip_really in ip %} -A INPUT -s {{ ip_really }} -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} {% endfor %} {% endif %} {% endfor %} {% else %} -A INPUT -p udp -m udp --dport {{ udp_rule.port }} -j {{ udp_rule.policy | default('ACCEPT') }} {% endif %} {% endfor %} {% endif %} {% if iptables.any_rules is defined and iptables.any_rules %} # ANY rules {% for any_rule in iptables.any %} {% for ip in any_rule.allowed_hosts %} -A INPUT -s {{ ip }} -j ACCEPT {% endfor %} {% endfor %} {% endif %} {% if iptables.managed_any_rules is defined and iptables.managed_any_rules %} # ANY rules {% for any_rule in iptables.any %} {% for rule in any_rule.allowed_hosts %} -A INPUT -s {{ rule.ip }} -j {{ rule.policy | default('ACCEPT') }} {% endfor %} {% endfor %} {% endif %} # End of the custom rules {% endif %} # Prometheus exporters {% if prometheus_enabled is defined and prometheus_enabled %} {% if prometheus_servers_ip is defined %} {% for ip in prometheus_servers_ip %} -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 9100:9110 -j ACCEPT {% endfor %} -A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j REJECT --reject-with icmp-host-prohibited {% else %} -A INPUT -m state --state NEW -p tcp -m tcp --dport 9100:9110 -j ACCEPT {% endif %} {% endif %} {% if keepalived_enabled is defined and keepalived_enabled %} # Keepalived rules. Protocol vrrp, 112 {% if not keepalived_use_unicast %} -A INPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT -A OUTPUT -p vrrp -d {{ keepalived_mcast_addr }} -j ACCEPT {% else %} {% endif %} -A INPUT -p vrrp -j ACCEPT -A OUTPUT -p vrrp -j ACCEPT {% endif %} # {% if iptables_input_default_policy == 'REJECT' %} -A INPUT -j REJECT --reject-with icmp-host-prohibited {% else %} -A INPUT -j {{ iptables_input_default_policy }} {% endif %} {% if not iptables_nat_enabled %} {% if iptables_forward_default_policy == 'REJECT' %} -A FORWARD -j REJECT --reject-with icmp-host-prohibited {% else %} -A FORWARD -j {{ iptables_forward_default_policy }} {% endif %} {% else %} # NAT is enabled, we need to accept traffic that is forwarded -A FORWARD -j ACCEPT {% endif %} COMMIT {% if iptables_nat_enabled %} # This should be obsoleted # NAT rules *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] {% if iptables_nat_specify_interfaces %} {% for int in iptables_nat_interfaces %} -A POSTROUTING -o {{ int }} -j MASQUERADE {% endfor %} {% else %} -A POSTROUTING -j MASQUERADE {% endif %} COMMIT {% endif %} {% if iptables_post_nat_enabled %} # NAT rules *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] {% for rule in iptables_nat_rules %} -A POSTROUTING {{ rule.options }} -j {{ rule.action | default('MASQUERADE') }} {% endfor %} COMMIT {% endif %}