More generic custom rules.
parent
f64f5ca21c
commit
d2bcb78d80
|
@ -5,17 +5,17 @@
|
|||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
# We manage the banned IP/networks list before anything else
|
||||
{% if iptables_banlist is defined %}
|
||||
# We manage the banned IP/networks list before anything else
|
||||
{% for obj in iptables_banlist %}
|
||||
{% if obj.proto is defined and obj.destport is defined and obj.sourceport is defined %}
|
||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --sport {{ obj.sourceport }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% elif obj.proto is defined and obj.destport is defined %}
|
||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -j {{ iptables_banned_default_policy }}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} --dport {{ obj.destport }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% elif obj.proto is defined %}
|
||||
-A INPUT -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
|
||||
-A {{ obj.chain | default('INPUT') }} -m {{ obj.proto }} -p {{ obj.proto }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% else %}
|
||||
-A INPUT -s {{ obj.source }} -j {{ iptables_banned_default_policy }}
|
||||
-A {{ obj.chain | default('INPUT') }} -s {{ obj.source }} -d {{ obj.target | default('0.0.0.0/0') }} -j {{ obj.policy | default(iptables_banned_default_policy) }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
@ -74,11 +74,7 @@
|
|||
{% if psql_firewall_enabled %}
|
||||
{% if psql_db_port is defined %}
|
||||
{% if psql_listen_on_ext_int is defined and psql_listen_on_ext_int %}
|
||||
{% if psql_global_firewall is defined %}
|
||||
{% for ip in psql_global_firewall %}
|
||||
-A INPUT -m state --state NEW -s {{ ip }} -p tcp -m tcp --dport {{ psql_db_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% elif psql_db_data is defined %}
|
||||
{% if psql_db_data is defined %}
|
||||
# postgresql clients
|
||||
{% for db in psql_db_data %}
|
||||
{% for ip in db.allowed_hosts %}
|
||||
|
@ -201,7 +197,28 @@
|
|||
{% if orientdb_hazelcast_multicast_enabled is defined and orientdb_hazelcast_multicast_enabled %}
|
||||
# orientdb hazelcast multicast rules
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ orientdb_hazelcast_multicast_group }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
||||
-A INPUT -m state --state NEW -s {{orientdb_hazelcast_multicast_group}} -p tcp -m tcp --dport {{ orientdb_hazelcast_multicast_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
# Ganglia
|
||||
{% if ganglia_enabled is defined and ganglia_enabled %}
|
||||
{% if ganglia_gmond_cluster_port is defined %}
|
||||
{% if ganglia_unicast_mode is defined %}
|
||||
{% if ganglia_unicast_mode %}
|
||||
{% for net in ganglia_unicast_networks %}
|
||||
-A INPUT -p udp -m udp -s {{ net }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{% if ganglia_gmond_use_jmxtrans is not defined or not ganglia_gmond_use_jmxtrans %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -d {{ ganglia_gmond_mcast_addr }} -j ACCEPT
|
||||
{% else %}
|
||||
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
|
||||
-A INPUT -p udp -m udp -d {{ ganglia_gmond_mcast_addr }} --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
-A INPUT -m state --state NEW -s {{ ganglia_gmetad_host }} -p tcp -m tcp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
-A INPUT -s {{ ganglia_gmetad_host }} -p udp -m udp --dport {{ ganglia_gmond_cluster_port }} -j ACCEPT
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
# Postfix
|
||||
{% if postfix_relay_server is defined %}
|
||||
|
@ -225,7 +242,6 @@
|
|||
{% if postfix_relay_client is defined%}
|
||||
{% if postfix_relay_client %}
|
||||
#
|
||||
{% if not postfix_relay_client_do_not_stop_submission %}
|
||||
# When we are not a relay server but we want send email using our relay
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
|
||||
-A OUTPUT -p tcp -m multiport --dports 25,587,465 -m owner --gid-owner postfix -d {{ postfix_relay_host }} -j ACCEPT
|
||||
|
@ -234,7 +250,6 @@
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
{% if iptables is defined %}
|
||||
{% if iptables.tcp_rules is defined and iptables.tcp_rules %}
|
||||
# TCP rules
|
||||
|
@ -317,16 +332,13 @@
|
|||
{% else %}
|
||||
-A INPUT -j {{ iptables_input_default_policy }}
|
||||
{% endif %}
|
||||
{% if not iptables_nat_enabled %}
|
||||
{% if iptables_forward_default_policy == 'REJECT' %}
|
||||
{% if iptables_nat_enabled or iptables_post_nat_enabled %}
|
||||
-A FORWARD -j ACCEPT
|
||||
{% elif iptables_forward_default_policy == 'REJECT' %}
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}
|
||||
-A FORWARD -j {{ iptables_forward_default_policy }}
|
||||
{% endif %}
|
||||
{% else %}
|
||||
# NAT is enabled, we need to accept traffic that is forwarded
|
||||
-A FORWARD -j ACCEPT
|
||||
{% endif %}
|
||||
COMMIT
|
||||
{% if iptables_nat_enabled %}
|
||||
# This should be obsoleted
|
||||
|
|
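Review bot: In the hunk at `@ -201,7 +197,28 @@`, the hazelcast TCP rule that now carries `-s {{orientdb_hazelcast_multicast_group}}` (the hunk counts admit one removed line, which appears to be the variant without `-s`) cannot match real traffic: a multicast group is a destination address, and the TCP connections between cluster members originate from their unicast addresses, so the port in `orientdb_hazelcast_multicast_port` is either no longer reachable for the cluster or must be opened by some other rule. If the aim is to limit that port to cluster members, the `-s` should iterate over a list of member addresses or networks (a new variable in the role's defaults) rather than reuse the multicast group. In the same hunk, the jmxtrans branch's `-A INPUT -m pkttype --pkt-type multicast -j ACCEPT` admits every multicast packet of any protocol, while the udp line right after it already covers the gmond group and port; adding `-d {{ ganglia_gmond_mcast_addr }}` to it would keep that branch as narrow as the non-jmxtrans one. In the first hunk, `obj.policy | default(iptables_banned_default_policy)` lets a banlist entry name any target, and these rules are emitted before every other rule, so an entry with `policy: ACCEPT` silently becomes a global allow; the comment `# We manage the banned IP/networks list before anything else` could add that `policy` is expected to be a deny target such as DROP or REJECT.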