library/roles/iptables/templates/iptables-rules.v4.j2: move the blacklist rules before anything else.

This commit is contained in:
Andrea Dell'Amico 2015-10-23 19:45:07 +02:00
parent 62193883ee
commit 7a4e60ff33
1 changed files with 6 additions and 4 deletions

View File

@ -5,10 +5,7 @@
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
# We manage the banned IP/networks list before anything else # We manage the banned IP/networks list before anything else
{% if iptables_banlist is defined %} {% if iptables_banlist is defined %}
{% for obj in iptables_banlist %} {% for obj in iptables_banlist %}
@ -23,6 +20,11 @@
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %} {% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %} {% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses # ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses