# {{ ansible_managed }}
#
# ferm ruleset template (rendered by Ansible).
#
# Only the IPv4 domain is declared here; nothing in this file filters
# IPv6. Unless a file under ferm.d/ (included at the bottom) adds an
# `ip6` domain, IPv6 traffic keeps whatever the kernel's default policy
# is — TODO confirm that ferm.d/ covers IPv6 or that it is disabled.

domain (ip) {
    table filter {
        chain INPUT {
            # Default-deny: anything not accepted by a rule below falls
            # through to the NFLOG rule at the end of this chain and is
            # then dropped by this policy.
            policy DROP;

            # connection tracking.
            # Order matters: INVALID is dropped before the
            # ESTABLISHED/RELATED accept, so malformed packets never
            # ride an existing connection through.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet.
            interface lo ACCEPT;

            # respond to ping.
            # Accepts every ICMP type from any source, not just
            # echo-request — presumably intentional; confirm.
            proto icmp ACCEPT;

            # allow SSH connections.
            # No saddr restriction: SSH is reachable from any source
            # on every interface. Limiting this to a management
            # network would be a tightening, if the environment allows it.
            proto tcp dport ssh ACCEPT;

{% if group == "galera" %}
            # Allow Galera servers to access each other for syncing.
            # Rendered only for hosts in the "galera" group. Scoped to
            # the management interface, the MySQL/Galera ports, and the
            # addresses of the Galera nodes on the management network
            # (joined with spaces inside parentheses to form a ferm list).
            interface {{ segment.mgmt.interface }}
            proto (tcp udp) dport (3306 4567 4568 4444)
            saddr ({{ ip.galera[segment.mgmt.network] | map(attribute='address') | join(' ') }})
            ACCEPT;
{% endif %}
{% if firewall is defined %}
{% for rule in firewall %}
            # {{ rule.description }}
            # One accept rule per entry of the `firewall` variable.
            # NOTE(review): rule.source is emitted bare, so a single
            # address/network is expected here; several sources would
            # need ferm list syntax `(a b)` — confirm against the
            # inventory data. Each of segment/proto/port/source must be
            # set for the rendered line to be valid ferm.
            interface {{ segment[rule.segment].interface }}
            proto {{ rule.proto }} dport {{ rule.port }}
            saddr {{ rule.source }}
            ACCEPT;
{% endfor %}
{% endif %}

            # Log blocked messages.
            # Every packet reaching this point is logged to nflog group 1
            # with the 'DROP: ' prefix and then dropped by the chain
            # policy. There is no rate limit on this rule, so a flood of
            # rejected traffic produces a matching flood of log entries.
            NFLOG nflog-group 1 nflog-prefix 'DROP: ';
        }
        chain OUTPUT {
            # Outbound traffic is allowed by default; the explicit
            # ESTABLISHED/RELATED accept short-circuits tracked flows.
            policy ACCEPT;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
        chain FORWARD {
            # This host does not forward packets; forwarded traffic is
            # dropped silently (no NFLOG rule in this chain).
            policy DROP;
        }
    }
}

# Additional rules (e.g. service-specific or IPv6 rulesets) are picked
# up from ferm.d/ after the ruleset above.
@include ferm.d/;