library/roles/iptables: Support for blacklists of ip/networks. Optionally with associated protocol, source port and destination port.

iptables/defaults/main.yml

@@ -40,6 +40,7 @@
 
 #iptables_default_policy: REJECT
 iptables_default_policy: ACCEPT
+iptables_banned_default_policy: DROP
 ganglia_enabled: False
 nagios_enabled: False
 iptables_open_all_to_isti_nets: False

iptables/templates/iptables-rules.v4.j2

@@ -9,6 +9,20 @@
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 #
+# We manage the banned IP/networks list before anything else
+{% if iptables_banlist is defined %}
+{% for obj in iptables_banlist %}
+{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+{% elif obj.proto is defined and obj.destport is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
+{% elif obj.proto is defined %}
+-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+{% else %}
+-A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
+{% endif %}
+{% endfor %}
+{% endif %}
 {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
 {% if iptables_ssh_allowed_hosts is defined %}
 # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses