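    *filter
    # Default-deny: every chain drops unless a rule below explicitly accepts.
    # Packets that reach the end of INPUT/OUTPUT are sent to LOGGING (rate-limited log, then DROP).
    # NOTE(review): this file covers IPv4 only; confirm ip6tables carries an equivalent policy
    # or that IPv6 is disabled on these hosts, otherwise IPv6 traffic is not filtered here.
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    {% if inventory_hostname in groups.docker_elk | default([]) %}
    # User-defined chain (no policy). Nothing in this file adds the FORWARD -> DOCKER-USER jump;
    # NOTE(review): presumably Docker inserts it itself — confirm the way this file is loaded does not
    # flush Docker's own FORWARD rules (a plain iptables-restore replaces the whole filter table).
    :DOCKER-USER - [0:0]
    {% endif %}
    :LOGGING - [0:0]
    {% if inventory_hostname in groups.docker_elk | default([]) %}
    ## DOCKER-USER chain
    # Allow incoming logs from servers under maintenance (source-restricted to their ansible_host).
    # conntrack match is used throughout; the "state" match it replaces is the superseded alias.
    {% for host in groups.full_maintenance | default([]) %}
    -A DOCKER-USER -s {{ hostvars[host].ansible_host }} -p tcp -m tcp --dport {{ logstash_port }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    {% endfor %}
    # Any other source reaching the logstash port is logged and dropped; unmatched traffic
    # returns to FORWARD.
    -A DOCKER-USER -p tcp -m tcp --dport {{ logstash_port }} -j LOGGING
    {% endif %}
    ## INPUT chain
    # Do not break established connections (return traffic for anything allowed in OUTPUT)
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allow loopback
    -A INPUT -i lo -j ACCEPT
    # ICMP (Ping) — accepted from any source with no rate limit; add a limit match if ICMP floods are a concern.
    -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    {% if inventory_hostname in groups.docker_nagios | default([]) %}
    # Nagios hosts ping other machines, so their replies must be accepted too.
    -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    {% endif %}
    # SSH — admin port is a variable; on gitlab hosts port 22 is additionally open to any source
    # (presumably git-over-SSH — confirm).
    -A INPUT -p tcp -m tcp --dport {{ default_sshd_port }} -j ACCEPT
    {% if inventory_hostname in groups.gitlab | default([]) %}
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    # REGISTRY — container registry port, open to any source.
    -A INPUT -p tcp -m tcp --dport 5050 -j ACCEPT
    {% endif %}
    # WEB — only hosts serving Odoo, ownCloud or GitLab expose HTTP/HTTPS.
    {% if inventory_hostname in groups.odoo_server | default([]) | union(groups.owncloud_server | default([])) | union(groups.gitlab | default([])) %}
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    {% endif %}
    {% if inventory_hostname in groups.docker_nagios | default([]) %}
    # Nagios web UI reachable only from this subnet (presumably the monitoring/internal network — confirm).
    -A INPUT -s 192.168.239.0/24 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    {% endif %}
    # NRPE — only the Nagios hosts (by ansible_host) may reach the agent port.
    {% for host in groups.docker_nagios | default([]) %}
    -A INPUT -s {{ hostvars[host].ansible_host }} -p tcp -m tcp --dport 5666 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    {% endfor %}
    {% if inventory_hostname in groups.docker_nagios | default([]) %}
    -A INPUT -s 192.168.239.0/24 -p tcp -m tcp --dport 5666 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    {% endif %}
    {% if inventory_hostname == "CGScop" %}
    # Postgres — non-default port, restricted to two fixed source addresses.
    -A INPUT -s 178.208.15.181 -p tcp -m tcp --dport 15432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    -A INPUT -s 172.30.173.3 -p tcp -m tcp --dport 15432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    {% endif %}
    # Log incoming traffic blocked by IPTables (LOGGING ends in DROP)
    -A INPUT -j LOGGING
    ## OUTPUT chain
    # Do not break established connections
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # Allow loopback
    -A OUTPUT -o lo -j ACCEPT
    # ICMP (Ping) — replies to tracked requests are likely already covered by the ESTABLISHED rule above; kept explicitly.
    -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    {% if inventory_hostname in groups.docker_nagios | default([]) %}
    -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    {% endif %}
    {% if inventory_hostname == "ICCFinance_Pilotage" %}
    # Outbound 1433 (presumably MSSQL) to any destination — consider restricting with -d if the server address is fixed.
    -A OUTPUT -p tcp -m tcp --dport 1433 -j ACCEPT
    {% endif %}
    # SSH — outbound 22 to any host only when private_pull is set; admin port always allowed outbound.
    {% if private_pull %}
    -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
    {% endif %}
    -A OUTPUT -p tcp -m tcp --dport {{ default_sshd_port }} -j ACCEPT
    # Git over SSH and registry access, destination-restricted to the GitLab hosts.
    {% for host in groups.gitlab | default([]) | union(groups.docker_gitlab | default([])) %}
    -A OUTPUT -d {{ hostvars[host].ansible_host }} -p tcp -m tcp --dport 22 -j ACCEPT
    -A OUTPUT -d {{ hostvars[host].ansible_host }} -p tcp -m tcp --dport 5050 -j ACCEPT
    {% endfor %}
    # WEB — egress on 80/443 is allowed to any destination.
    -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
    {% if inventory_hostname in groups.gitlab | default([]) %}
    # Plesk WebHooks
    -A OUTPUT -p tcp -m tcp --dport 8443 -j ACCEPT
    {% endif %}
    # DNS — any resolver; restrict with -d if the hosts use fixed resolvers.
    -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
    # NTP Out
    -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
    # SMTP Postfix (25, SMTPS 465, submission 587)
    -A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
    -A OUTPUT -p tcp -m tcp --dport 587 -j ACCEPT
    # WhoIs
    -A OUTPUT -p tcp -m tcp --dport 43 -j ACCEPT
    # DHCP
    -A OUTPUT -p udp -m udp --dport 67 -j ACCEPT
    # GPG (keyserver, HKP port)
    -A OUTPUT -p udp -m udp --dport 11371 -j ACCEPT
    {% if inventory_hostname in groups.full_maintenance | default([]) %}
    # Log Server — ship logs to each ELK host and to the public logstash address.
    {% for host in groups.docker_elk | default([]) %}
    -A OUTPUT -d {{ hostvars[host].ansible_host }} -p tcp -m tcp --dport {{ logstash_port }} -j ACCEPT
    {% endfor %}
    -A OUTPUT -d {{ logstash_public_ip }} -p tcp -m tcp --dport {{ logstash_port }} -j ACCEPT
    {% endif %}
    {% if inventory_hostname in groups.odoo_server | default([]) %}
    # IMAP
    -A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
    {% endif %}
    # Log outgoing traffic blocked by IPTables
    -A OUTPUT -j LOGGING
    ## LOGGING chain
    # Rate-limited (2/min, default burst) kernel log entry, then unconditional DROP.
    # The limit protects the log from flooding; it also means sustained scans are only sampled.
    -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    -A LOGGING -j DROP
    COMMIT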