Allow outgoing traffic only through specific interfaces
parent
cf0641ea5f
commit
5f1ddcc519
|
@ -5,6 +5,7 @@ common__iptables__state: install
|
||||||
common__iptables__drop_by_default: false
|
common__iptables__drop_by_default: false
|
||||||
common__iptables__v4_filter: null
|
common__iptables__v4_filter: null
|
||||||
common__iptables__v6_filter: null
|
common__iptables__v6_filter: null
|
||||||
|
common__iptables__allow_output_ifaces: []
|
||||||
|
|
||||||
common__certbot__state: install
|
common__certbot__state: install
|
||||||
common__certbot__run: true
|
common__certbot__run: true
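Review bot: The new `common__iptables__allow_output_ifaces: []` default carries no comment, and its empty-list meaning is the permissive one (all outgoing traffic allowed, via the `{% else %}` branch of the templates in this commit), so an override that accidentally empties the list silently widens the firewall rather than narrowing it. I would document that directly above the variable: `# Interfaces whose outgoing (NEW) connections are accepted; an empty list means no per-interface restriction at all.` It is also worth stating that the restriction is only enforced when the OUTPUT chain policy is DROP, since `common__iptables__drop_by_default: false` a few lines above is the shipped default; whether the templates derive the policy from that variable is outside this hunk.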
|
||||||
|
|
|
@ -18,8 +18,15 @@
|
||||||
-A OUTPUT -o lo -j ACCEPT
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
# Allow all outgoing traffic.
|
# Allow all outgoing traffic.
|
||||||
|
{% if common__iptables__allow_output_ifaces %}
|
||||||
|
{% for iface in common__iptables__allow_output_ifaces %}
|
||||||
|
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
{% endfor %}
|
||||||
|
{% else %}
|
||||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# Allow some important ICMP.
|
# Allow some important ICMP.
|
||||||
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
|
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
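Review bot: The `# Allow all outgoing traffic.` comment now sits above an `{% if %}` whose first branch does the opposite, and that branch only restricts anything if the OUTPUT chain policy is DROP, which is set before line 18 and outside this hunk; with an ACCEPT policy the listed interfaces get explicit accepts and every other interface falls through to the policy and is accepted anyway, so the "only" in the commit title is conditional on configuration. I would replace the comment with `# Allow outgoing traffic; when common__iptables__allow_output_ifaces is set, only via those interfaces (enforced only with a DROP policy on OUTPUT).` Separately, `{{ iface }}` is interpolated unquoted into an iptables-restore line, so a value with whitespace becomes a different rule or a restore failure; an `assert` on the variable's format before templating (or a note that iptables `+` suffix wildcards such as `eth+` are intentionally accepted) would pin the contract. Any OUTPUT rules after this hunk, which the restriction would not cover, are also outside the visible range.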
|
||||||
|
|
|
@ -18,8 +18,15 @@
|
||||||
-A OUTPUT -o lo -j ACCEPT
|
-A OUTPUT -o lo -j ACCEPT
|
||||||
|
|
||||||
# Allow all outgoing traffic.
|
# Allow all outgoing traffic.
|
||||||
|
{% if common__iptables__allow_output_ifaces %}
|
||||||
|
{% for iface in common__iptables__allow_output_ifaces %}
|
||||||
|
-A OUTPUT -o {{ iface }} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A INPUT -i {{ iface }} -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
{% endfor %}
|
||||||
|
{% else %}
|
||||||
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# Allow some important ICMP.
|
# Allow some important ICMP.
|
||||||
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
|
-A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
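Review bot: With the interface list set and a DROP policy on OUTPUT, the new `{% if %}` branch also blocks outbound ICMPv6 on every non-listed interface, and nothing visible in this hunk accepts ICMPv6 on OUTPUT — only inbound echo-request is accepted below. Neighbour Solicitation/Advertisement and Router Solicitation are not part of any conntrack ESTABLISHED flow, so they match neither of the new per-interface rules, and IPv6 on an unlisted interface would lose address resolution and SLAAC — a wider effect than the v4 template has, where ARP is not subject to iptables. I would accept that control traffic before the interface loop, e.g. `-A OUTPUT -p icmpv6 -j ACCEPT` or at minimum `--icmpv6-type` 133 through 136, unless a rule later in the file (outside this hunk) already does so. The block is otherwise a verbatim copy of the v4 template's new branch; a shared include or macro would keep the two from drifting.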
|
||||||
|
|