initial upload
This commit is contained in:
69
roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2
Normal file
69
roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2
Normal file
@@ -0,0 +1,69 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
{% if firewall_output_default_drop or firewall_output_whitelist_ipv4 %}
|
||||
{% for ip in network_nameservers + ['8.8.8.8'] if ip|ipv4 %}
|
||||
{% if loop.first %}
|
||||
# Allow DNS
|
||||
{% endif %}
|
||||
iptables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
|
||||
iptables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
|
||||
{% endfor %}
|
||||
|
||||
if getent group postfix >/dev/null 2>&1; then
|
||||
# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
|
||||
iptables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
|
||||
fi
|
||||
|
||||
{% if not (firewall_output_learning or firewall_output_whitelist_ipv4) %}
|
||||
# Permit outbound HTTP for user _apt
|
||||
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
|
||||
|
||||
# Permit outbound SSH for normal users
|
||||
iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
|
||||
|
||||
# Allow all outbound traffic for the root user
|
||||
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
|
||||
{% endif %}
|
||||
|
||||
{% for ip in datacenter_global_networks|default([]) + datacenter_all_networks|default([]) %}
|
||||
iptables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
|
||||
{% endfor %}
|
||||
|
||||
{% if firewall_output_whitelist_domains %}
|
||||
# Outbound ACL for whitelist
|
||||
if [ -r /etc/firewall/outbound_whitelist_ipv4.acl ]; then
|
||||
|
||||
ipset -exist create outbound-whitelist hash:net counters comment
|
||||
ipset flush outbound-whitelist
|
||||
grep -v '^#' /etc/firewall/outbound_whitelist_ipv4.acl | while read ip name; do
|
||||
ipset -exist add outbound-whitelist "$ip" comment "$name"
|
||||
done < /etc/firewall/outbound_whitelist_ipv4.acl
|
||||
|
||||
# iptables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
|
||||
fi
|
||||
{% endif %}
|
||||
|
||||
{% if firewall_output_whitelist_ipv4 %}
|
||||
# Outbound ACL for whitelist
|
||||
iptables -N outbound-whitelist
|
||||
{% for item in firewall_output_whitelist_ipv4 %}
|
||||
iptables -A outbound-whitelist -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
|
||||
{% endfor %}
|
||||
iptables -A OUTPUT -j outbound-whitelist
|
||||
{% endif %}
|
||||
|
||||
{% if firewall_output_learning %}
|
||||
|
||||
ipset -exist create outbound hash:ip counters
|
||||
|
||||
iptables -A OUTPUT -p tcp --syn -m set --match-set outbound dst -j ACCEPT
|
||||
iptables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
|
||||
|
||||
iptables -A OUTPUT -p tcp --syn -j SET --add-set outbound dst
|
||||
iptables -A OUTPUT -p udp -j SET --add-set outbound dst
|
||||
|
||||
iptables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% endif %}
|
||||
Reference in New Issue
Block a user