library/roles/iptables/templates/iptables-rules.v4.j2: manage multiple IPs for the nagios server.

library/roles/iptables/templates/iptables-rules.v6.j2: set the same policy used by the ipv4 rules.
Andrea Dell'Amico 2015-07-15 13:59:23 +02:00
parent 03a9c656be
commit 6eb98527ba
2 changed files with 13 additions and 3 deletions


@ -12,7 +12,7 @@
{% if iptables_managed_ssh is defined and iptables_managed_ssh %} {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %} {% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses
{% for ip in ssh_allowed_hosts %} {% for ip in iptables_ssh_allowed_hosts %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp -s {{ ip }} --dport 22 -j ACCEPT
{% endfor %} {% endfor %}
{% endif %} {% endif %}
@ -134,9 +134,12 @@
{% endif %} {% endif %}
{% if nagios_monitoring_server_ip is defined %} {% if nagios_monitoring_server_ip is defined %}
{% for ip in nagios_monitoring_server_ip %}
# Nagios NRPE # Nagios NRPE
-A INPUT -m state --state NEW -s {{ nagios_monitoring_server_ip }} -p tcp -m tcp --dport 5666 -j ACCEPT -A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport 5666 -j ACCEPT
-A INPUT -s {{ nagios_monitoring_server_ip }} -p udp -m udp --dport 123 -j ACCEPT # Check ntp from the nagios server
-A INPUT -s {{ ip }} -p udp -m udp --dport 123 -j ACCEPT
{% endfor %}
{% endif %} {% endif %}
{% if munin_server is defined and configure_munin is defined and configure_munin %} {% if munin_server is defined and configure_munin is defined and configure_munin %}
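Review bot: The new `{% for ip in nagios_monitoring_server_ip %}` loop assumes the variable is a list, but the removed lines used it as a single address, so any inventory that still sets it to a plain string will be iterated character by character and emit rules like `-s 1`, which iptables-restore rejects at load time, taking the whole ruleset down with it. A small guard keeps both forms working: `{% for ip in ([nagios_monitoring_server_ip] if nagios_monitoring_server_ip is string else nagios_monitoring_server_ip) %}`. The same list-vs-string question applies to the `iptables_ssh_allowed_hosts` loop fixed in the first hunk, if that variable is documented anywhere as a scalar.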

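--- a/library/roles/iptables/templates/iptables-rules.v6.j2
+++ b/library/roles/iptables/templates/iptables-rules.v6.j2
@@ -2,4 +2,11 @@
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
+{% if iptables_default_policy == 'REJECT' %}
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+{% else %}
+-A INPUT -j {{ iptables_default_policy }}
+-A FORWARD -j {{ iptables_default_policy }}
+{% endif %}
 COMMIT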
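Review bot: `--reject-with icmp-host-prohibited` is an IPv4 ICMP type that ip6tables does not accept, so with `iptables_default_policy == 'REJECT'` ip6tables-restore fails to load this file and the host ends up with whatever IPv6 rules were there before; the IPv6 equivalent is `icmp6-adm-prohibited`. Separately, the hunk shows the filter chains go straight from their declarations to the REJECT rule with no ACCEPT rules in between (the old file had none either), so the REJECT branch also rejects loopback, established replies and ICMPv6, which the host needs for neighbour discovery and router advertisements; the v4 template, by contrast, appends its ACCEPT rules before any catch-all. Both points are addressed by the lines below, inserted ahead of the policy block.
```jinja
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
{% if iptables_default_policy == 'REJECT' %}
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
{# … unchanged: else branch, endif, COMMIT … #}
```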