sebastian/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6224cd01c6a55afb5f7739ee70fc87a8958fc9f5
ansible/roles/firewall/templates/rules-v4.d/90_allow_outbound.sh.j2
sebastian 6224cd01c6 initial upload
2025-10-10 11:07:34 +00:00

70 lines
2.6 KiB
Django/Jinja
Raw Blame History

# {{ ansible_managed }}
{% if firewall_output_default_drop or firewall_output_whitelist_ipv4 %}
{% for ip in network_nameservers + ['8.8.8.8'] if ip|ipv4 %}
{% if loop.first %}
# Allow DNS
{% endif %}
iptables -A OUTPUT -d {{ ip }} -p tcp --dport 53 -m comment --comment "dns" -j ACCEPT
iptables -A OUTPUT -d {{ ip }} -p udp --dport 53 -m comment --comment "dns" -j ACCEPT
{% endfor %}
if getent group postfix >/dev/null 2>&1; then
# Permit outbound SMTP for Postfix only (TODO: move to postfix role)
iptables -A OUTPUT -p tcp --dport 25 -m owner --gid-owner postfix -m comment --comment "smtp" -j ACCEPT
fi
{% if not (firewall_output_learning or firewall_output_whitelist_ipv4) %}
# Permit outbound HTTP for user _apt
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner _apt -m comment --comment "apt" -j ACCEPT
# Permit outbound SSH for normal users
iptables -A OUTPUT -p tcp --dport 22 -m owner --uid-owner 1000-65500 -m comment --comment "ssh" -j ACCEPT
# Allow all outbound traffic for the root user
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
{% endif %}
{% for ip in datacenter_global_networks|default([]) + datacenter_all_networks|default([]) %}
iptables -A OUTPUT -d {{ ip }} -m comment --comment "keepcalling" -j ACCEPT
{% endfor %}
{% if firewall_output_whitelist_domains %}
# Outbound ACL for whitelist
if [ -r /etc/firewall/outbound_whitelist_ipv4.acl ]; then
ipset -exist create outbound-whitelist hash:net counters comment
ipset flush outbound-whitelist
grep -v '^#' /etc/firewall/outbound_whitelist_ipv4.acl | while read ip name; do
ipset -exist add outbound-whitelist "$ip" comment "$name"
done < /etc/firewall/outbound_whitelist_ipv4.acl
# iptables -A OUTPUT -m set --match-set outbound-whitelist,dst -j ACCEPT
fi
{% endif %}
{% if firewall_output_whitelist_ipv4 %}
# Outbound ACL for whitelist
iptables -N outbound-whitelist
{% for item in firewall_output_whitelist_ipv4 %}
iptables -A outbound-whitelist -d {{ item.ip }} -m comment --comment "{{ item.name }}" -j ACCEPT
{% endfor %}
iptables -A OUTPUT -j outbound-whitelist
{% endif %}
{% if firewall_output_learning %}
ipset -exist create outbound hash:ip counters
iptables -A OUTPUT -p tcp --syn -m set --match-set outbound dst -j ACCEPT
iptables -A OUTPUT -p udp -m set --match-set outbound dst -j ACCEPT
iptables -A OUTPUT -p tcp --syn -j SET --add-set outbound dst
iptables -A OUTPUT -p udp -j SET --add-set outbound dst
iptables -A internal-out -m limit --limit 10/min --limit-burst 2 -j LOG --log-prefix "{{ firewall_log_prefix }} internal-out DROP: " --log-level 5 --log-uid
{% endif %}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink