tpiccioli
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

library/roles/iptables/templates/iptables-rules.v4.j2: move the blacklist rules before anything else.

This commit is contained in:
Andrea Dell'Amico 2015-10-23 19:45:07 +02:00
parent 62193883ee
commit 7a4e60ff33
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
iptables/templates/iptables-rules.v4.j2
View File

@ -5,10 +5,7 @@
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
# We manage the banned IP/networks list before anything else
{% if iptables_banlist is defined %}
{% for obj in iptables_banlist %}
@ -23,6 +20,11 @@
{% endif %}
{% endfor %}
{% endif %}
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#
{% if iptables_managed_ssh is defined and iptables_managed_ssh %}
{% if iptables_ssh_allowed_hosts is defined %}
# ssh is not open to all, even if we use denyhosts to prevent unauthorized accesses