e2dbda1bec
Our deployment tests don't need to send E-mail messages. More to the point, they may perform actions which would like to send E-mail messages. Make sure, at the network level, they'll be prevented from doing so. Also allow all connections to egress from the loopback interface, so that services like mailman can connect to the Exim MTA on localhost. Add new rolevars for egress rules to support this, and also fix up some missing related vars in the iptables role's documentation. Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
90 lines
2.3 KiB
ReStructuredText
Install and configure iptables

**Role Variables**

.. zuul:rolevar:: iptables_allowed_hosts
   :default: []

   A list of dictionaries; each item in the list is a rule to add for
   a host/port combination. The format of the dictionary is:

   .. zuul:rolevar:: hostname

      The hostname to allow. It will automatically be resolved, and
      the inventory IP address will be added to the firewall.

   .. zuul:rolevar:: protocol

      One of "tcp" or "udp".

   .. zuul:rolevar:: port

      The port number.

.. zuul:rolevar:: iptables_allowed_groups
   :default: []

   A list of dictionaries; each item in the list is a rule to add for
   a group/port combination. The format of the dictionary is:

   .. zuul:rolevar:: group

      The Ansible inventory group to allow. Every host in the group will
      be added to the firewall.

   .. zuul:rolevar:: protocol

      One of "tcp" or "udp".

   .. zuul:rolevar:: port

      The port number.

.. zuul:rolevar:: iptables_public_tcp_ports
   :default: []

   A list of public TCP ports to open.

.. zuul:rolevar:: iptables_public_udp_ports
   :default: []

   A list of public UDP ports to open.

.. zuul:rolevar:: iptables_rules
   :default: []

   A list of iptables ingress rules. Each item is a string
   containing the iptables command line options for the rule. These
   will be expanded to cover both IPv4 and IPv6.

.. zuul:rolevar:: iptables_rules_v4
   :default: []

   A list of iptables IPv4 ingress rules. Each item is a string
   containing the iptables command line options for the rule.

.. zuul:rolevar:: iptables_rules_v6
   :default: []

   A list of iptables IPv6 ingress rules. Each item is a string
   containing the iptables command line options for the rule.

.. zuul:rolevar:: iptables_egress_rules
   :default: []

   A list of iptables egress rules. Each item is a string
   containing the iptables command line options for the rule. These
   will be expanded to cover both IPv4 and IPv6.

.. zuul:rolevar:: iptables_egress_rules_v4
   :default: []

   A list of iptables IPv4 egress rules. Each item is a string
   containing the iptables command line options for the rule.

.. zuul:rolevar:: iptables_egress_rules_v6
   :default: []

   A list of iptables IPv6 egress rules. Each item is a string
   containing the iptables command line options for the rule.
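As an added example, not part of the role's own documentation or of this change, here is a group_vars fragment that uses the variables documented above for the scenario in the commit message: let deployment-test hosts send anything over loopback (so a local service can still reach the MTA on localhost) while rejecting outbound SMTP at the network level. The file name, the inventory group and the host name are hypothetical, and it assumes the role emits each list item in order into a chain that sees outgoing packets, so the loopback rule is evaluated before the reject; the page does not state either detail.

```yaml
# Hypothetical file: inventory/group_vars/deployment-test-hosts.yaml
# Added example, not the role's own code. Assumes rules are applied in
# list order, so the loopback ACCEPT must precede the SMTP REJECTs.

# Ingress: the dictionary format documented for iptables_allowed_hosts.
# The host name is a constructed placeholder.
iptables_allowed_hosts:
  - hostname: monitor01.example.org
    protocol: tcp
    port: 22

# Egress: each string is expanded by the role to both IPv4 and IPv6.
iptables_egress_rules:
  # Allow every connection leaving via the loopback interface, so e.g.
  # mailman can reach Exim on 127.0.0.1:25 / [::1]:25 unaffected.
  - "-o lo -j ACCEPT"
  # REJECT rather than DROP: a test that tries to send mail fails fast
  # with "connection refused" instead of hanging until a timeout.
  - "-p tcp --dport 25 -j REJECT"
  # Submission ports, assumed worth covering too (not on the page).
  - "-p tcp --dport 465 -j REJECT"
  - "-p tcp --dport 587 -j REJECT"
```

After the role runs, `iptables -S` / `ip6tables -S` on a test host should list the loopback ACCEPT above the port-25 REJECT in the egress chain; if the order is reversed, localhost mail delivery is blocked as well.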