#1 fix merge
michael-conway committed Feb 23, 2016
1 parent cf04601 commit 321ee0c
Showing 1 changed file with 43 additions and 43 deletions.
86 changes: 43 additions & 43 deletions ansible/roles/iptables/templates/iptables.j2
Expand Up @@ -10,94 +10,94 @@
-A INPUT -i lo -j ACCEPT

# all: SSH from DMZ and Trust
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_trust }} --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.trust }} --dport 22 -j ACCEPT

{% if inventory_hostname in groups['amqp-brokers'] %}
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ amqp_broker.port }} -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ amqp_broker.port }} -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['cas'] %}
# allow CAS/LDAP ports from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 443 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['condor'] %}
# condor ports from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 61440:65535 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net_dmz }} --dport 61440:65535 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 9618 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 61440:65535 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net.dmz }} --dport 61440:65535 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 9618 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['condor-submission'] %}
# condor-submission range from DMZ (until we pick a condor_shared_port)
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net_dmz }} -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net.dmz }} -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['dataverse'] %}
# Glassfish / DVN
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_campus }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_wifi }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_campus }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_wifi }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.campus }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.wifi }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.campus }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.wifi }} --dport 443 -j ACCEPT

# Glassfish Console
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 4848 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 4848 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['db'] %}
# postgres from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ db_port }} -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ db_port }} -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['docker-registry'] %}
# docker-registry ports from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ docker.registry.port }} -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net_dmz }} --dport {{ docker.registry.port }} -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ docker.registry.port }} -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net.dmz }} --dport {{ docker.registry.port }} -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['elk'] %}
# logstash from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ elk.logstash.port }} -j ACCEPT
# kibana from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ elk.kibana.port }} -j ACCEPT
# elasticsearch from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport {{ elk.elasticsearch.port }} -j ACCEPT
{% endif %}
#{% if inventory_hostname in groups['elk'] %}
## logstash from DMZ
#-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ elk.logstash.port }} -j ACCEPT
## kibana from DMZ
#-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ elk.kibana.port }} -j ACCEPT
## elasticsearch from DMZ
#-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport {{ elk.elasticsearch.port }} -j ACCEPT
#{% endif %}

{% if inventory_hostname in groups['irods'] %}
# irods from DMZ and Trust
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 1247 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net_dmz }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_trust }} --dport 1247 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_trust }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net_trust }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 1247 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net.dmz }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.trust }} --dport 1247 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.trust }} --dport 20000:20199 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s {{ net.trust }} --dport 20000:20199 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['rserve'] %}
# rserve from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 6311 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 6311 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['services'] %}
# service port range from DMZ
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 31300:31399 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 31300:31399 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['ui'] %}
# http and https, campus for now
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_campus }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_vpn }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_wifi }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_dmz }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_trust }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_campus }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_vpn }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net_wifi }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.campus }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.vpn }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.wifi }} --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.trust }} --dport 389 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.campus }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.vpn }} --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.wifi }} --dport 443 -j ACCEPT
{% endif %}

-A INPUT -j REJECT --reject-with icmp-host-prohibited
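Review bot: The condor-submission rules on the new side, `-A INPUT -m state --state NEW -m tcp -p tcp -s {{ net.dmz }} -j ACCEPT` and its `-m udp -p udp` twin, carry no `--dport`, so every TCP and UDP port on those hosts is reachable from the whole DMZ network; the comment calls this temporary, but the commit carries it forward unchanged. Until `condor_shared_port` is chosen, bounding both lines to the ports the `condor` group already opens (`--dport 9618` and `--dport 61440:65535`) keeps the rule consistent with the rest of the template and leaves the trailing `REJECT` meaningful for those hosts. Separately, the ELK block is disabled with a leading `#`, which iptables-restore treats as a comment but Jinja does not: the `{% if inventory_hostname in groups['elk'] %}` and `{{ elk.*.port }}` tags inside it still evaluate, so rendering can still fail on an inventory without an `elk` group or on an elk host where `elk` is undefined — wrap the block in `{# … #}` or delete it. The chain policies and any rules before file line 10 are outside this hunk.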
