# {{ ansible_managed }} {% if firewall_output_default_drop or firewall_output_whitelist_ipv6 %} {% for ip in network_nameservers if ip|ipv6 %} {% if loop.first %} # Allow DNS {% endif %} ip6tables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT ip6tables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT {% endfor %} if getent group postfix >/dev/null 2>&1; then # Permit outbound SMTP for Postfix only (TODO: move to postfix role) ip6tables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT fi {% if not firewall_output_learning %} # Permit outbound HTTP for user _apt ip6tables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT # Permit outbound SSH for normal users ip6tables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT # Allow all outbound traffic for the root user ip6tables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT {% endif %} {% for ip in datacenter_all_ipv6_networks|default([]) %} ip6tables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT {% endfor %} {% if firewall_output_whitelist_domains %} # Outbound ACL for whitelist if [ -r /etc/firewall/outbound_whitelist_ipv6.acl ]; then ipset -exist create outbound-whitelist hash:net family inet6 counters comment ipset flush outbound-whitelist grep -v '^#' /etc/firewall/outbound_whitelist_ipv6.acl | while read ip name; do ipset -exist add outbound-whitelist "$ip" comment "$name" done < /etc/firewall/outbound_whitelist_ipv6.acl # ip6tables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT fi {% endif %} {% if firewall_output_whitelist_ipv6 %} # Outbound ACL for whitelist ip6tables -N outbound-whitelist {% for item in firewall_output_whitelist_ipv6 %} ip6tables -A OUTPUT -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT {% endfor %} ip6tables -A OUTPUT -j outbound-whitelist {% endif %} {% if firewall_output_learning %} ipset -exist create outbound-ipv6 hash:ip family inet6 netmask 64 counters ip6tables -A OUTPUT -p tcp --syn -m set --match-set outbound-ipv6 dst -j ACCEPT ip6tables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT ip6tables -A OUTPUT -p tcp --syn -j SET --add-set outbound-ipv6 dst ip6tables -A OUTPUT -p udp -j SET --add-set outbound-ipv6 dst ip6tables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid {% endif %} {% endif %}