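# This file is generated by Ansible
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
#
# ip6tables ruleset in iptables-restore format. Only INPUT is filtered;
# FORWARD and OUTPUT keep their ACCEPT policy and carry no rules.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Loopback, all ICMPv6 (IPv6 depends on it for neighbour discovery, PMTU
# and address configuration) and packets belonging to connections this host
# already tracks are accepted before any port rule is consulted.
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmpv6 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Public TCP ports: new connections from any source.
{% for port in iptables_public_tcp_ports %}
-A INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}

# Public UDP ports: open to any source. No state match here, matching the
# UDP form of the host-specific rule below; a bare "-m state" with no
# "--state" argument is rejected by iptables, which would make the whole
# ruleset fail to load.
{% for port in iptables_public_udp_ports %}
-A INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor %}

# Host specific rules: one rule per AAAA record of each allowed host.
# NOTE(review): dns_aaaa and ipv6 are project filters not shown here;
# presumably the hostname is resolved when the template is rendered, so
# these rules are only as current (and as trustworthy) as that lookup --
# confirm in the filter plugin.
{% for host in iptables_allowed_hosts %}
{% for addr in host.hostname | dns_aaaa %}
-A INPUT {% if host['protocol'] == 'tcp' %}-m state --state NEW {% endif %}-m {{ host['protocol'] }} -p {{ host['protocol'] }} -s {{ addr | ipv6 }} --dport {{ host['port'] }} -j ACCEPT
{% endfor %}
{% endfor %}

# Catch-all: anything not accepted above is rejected, so the ACCEPT policy
# on INPUT is never reached.
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited

COMMIT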