Allow to prepend iptables rules
This commit is contained in:
parent
5f1ddcc519
commit
be19a68185
|
@ -3,9 +3,11 @@ common__basics__additional_packages: []
|
||||||
|
|
||||||
common__iptables__state: install
|
common__iptables__state: install
|
||||||
common__iptables__drop_by_default: false
|
common__iptables__drop_by_default: false
|
||||||
common__iptables__v4_filter: null
|
|
||||||
common__iptables__v6_filter: null
|
|
||||||
common__iptables__allow_output_ifaces: []
|
common__iptables__allow_output_ifaces: []
|
||||||
|
common__iptables__v4_filter_prepend: null
|
||||||
|
common__iptables__v4_filter_append: null
|
||||||
|
common__iptables__v6_filter_prepend: null
|
||||||
|
common__iptables__v6_filter_append: null
|
||||||
|
|
||||||
common__certbot__state: install
|
common__certbot__state: install
|
||||||
common__certbot__run: true
|
common__certbot__run: true
|
||||||
|
|
|
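Review bot: Renaming `common__iptables__v4_filter` to `common__iptables__v4_filter_append` (and the v6 counterpart) removes the old variable with no compatibility path, so an inventory that still sets `common__iptables__v4_filter` will have those rules silently dropped from the rendered ruleset rather than failing the play — for a firewall, operator-supplied rules vanishing without an error is the worst failure mode. Keeping the old name as a deprecated default, e.g. `common__iptables__v4_filter: null` next to `common__iptables__v4_filter_append: "{{ common__iptables__v4_filter }}"` (same pair for v6), preserves existing inventories while the new names become the documented ones. The two template hunks (`@ -11,6 +11,8 @@`, v4 and v6) place the prepend hook between `-X` and `-A INPUT -i lo -j ACCEPT`, so prepended rules are evaluated before the loopback rule; that ordering deserves a comment in the defaults file such as `# Inserted before the loopback and SSH rules; a broad DROP here can lock out lo and SSH traffic`. Whether a `null` value renders as an empty line or as a literal `None` depends on the templating engine; the previous `v4_filter` hook had the same behaviour, so it is not introduced here, but it is worth confirming.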
@ -11,6 +11,8 @@
|
||||||
-F
|
-F
|
||||||
-X
|
-X
|
||||||
|
|
||||||
|
{{ common__iptables__v4_filter_prepend }}
|
||||||
|
|
||||||
# Allow all loopback (lo) traffic and reject anything
|
# Allow all loopback (lo) traffic and reject anything
|
||||||
# to localhost that does not originate from lo.
|
# to localhost that does not originate from lo.
|
||||||
-A INPUT -i lo -j ACCEPT
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
@ -46,6 +48,6 @@
|
||||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
{{ common__iptables__v4_filter }}
|
{{ common__iptables__v4_filter_append }}
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|
|
@ -11,6 +11,8 @@
|
||||||
-F
|
-F
|
||||||
-X
|
-X
|
||||||
|
|
||||||
|
{{ common__iptables__v6_filter_prepend }}
|
||||||
|
|
||||||
# Allow all loopback (lo) traffic and reject anything
|
# Allow all loopback (lo) traffic and reject anything
|
||||||
# to localhost that does not originate from lo.
|
# to localhost that does not originate from lo.
|
||||||
-A INPUT -i lo -j ACCEPT
|
-A INPUT -i lo -j ACCEPT
|
||||||
|
@ -57,6 +59,6 @@
|
||||||
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
{{ common__iptables__v6_filter }}
|
{{ common__iptables__v6_filter_append }}
|
||||||
|
|
||||||
COMMIT
|
COMMIT
|
||||||
|
|