Skip to content

Get rid of fixed variable named for iptable rules #515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Get rid of fixed variable named for iptable rules #515

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 6 additions & 73 deletions roles/iptables/templates/iptables.j2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,86 +24,19 @@
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}

{% if iptables_incoming_lb is defined %}
### Loadbalancer rules
{% for service in iptables_incoming_lb %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} {{'-d '+service.destination if service.destination is defined else ''}} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_php is defined %}
### PHP apps rules
{% for service in iptables_incoming_php %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_stepup is defined %}
### STEPUP apps rules
{% for service in iptables_incoming_stepup %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_java is defined %}
### JAVA apps rules
{% for service in iptables_incoming_java %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}
{# select all variables that start with iptables_incoming_ and put them in a dict #}
{% set iptables_all = vars | dict2items | selectattr('key', 'match', '^iptables_incoming_') | list | items2dict %}

{% if iptables_incoming_db_mongo is defined %}
### Mongo rules
{% for service in iptables_incoming_db_mongo %}
{% for name, rules in iptables_all.iteritems() %}
### Rules from {{ name }}
{% for service in rules %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_db_galera is defined %}
### Galera rules
{% for service in iptables_incoming_db_galera %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} {{'-d '+service.destination if service.destination is defined else ''}} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_elk is defined %}
### ELK rules
{% for service in iptables_incoming_elk %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_extra is defined %}
### Optional extra rules for flexibility
{% for service in iptables_incoming_extra %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if iptables_incoming_hostspecific is defined %}
### Host specific rules
{% for service in iptables_incoming_hostspecific %}
{{'##'|e }} {{ service.name }}
{{'##'|e }} {{'=' * service.name|length }}
-A INPUT -p {{ service.protocol | default('tcp') }} {{ '-s '+service.source if service.source is defined else '' }} -m multiport --dports {{ service.port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if 'loadbalancer' in group_names %}
### Allow VRRP
Expand Down