From 8c2a89412e190df3dca7204eb837d621b4f8a93d Mon Sep 17 00:00:00 2001
From: Alex Kotov
Date: Mon, 13 Jul 2020 17:04:02 +0500
Subject: [PATCH] Configure iptables for group "postgres"

---
 group_vars/postgres.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/group_vars/postgres.yml b/group_vars/postgres.yml
index 75dee68..41922f8 100644
--- a/group_vars/postgres.yml
+++ b/group_vars/postgres.yml
@@ -1,4 +1,18 @@
 ---
+common__iptables__drop_by_default: true
+
+common__iptables__v4_filter: |
+ # Allow incoming PostgreSQL.
+ -A INPUT -p tcp --dport 5432 -s 134.209.196.172/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 134.209.196.172/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+ -A INPUT -p tcp --dport 5432 -s 10.133.8.214/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 10.133.8.214/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+common__iptables__v6_filter: |
+ # Allow incoming PostgreSQL.
+ -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+ -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::142:3001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
 postgresql_backups_dir: '/var/lib/postgresql/backups/12/main'
 
 postgresql_global_config_options:
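Review bot: With `common__iptables__drop_by_default: true`, the v4 and v6 filters added here accept only TCP 5432 to and from three peers, so everything else this group needs has to come from the `common` role's base ruleset, which is not visible in this hunk. Before rollout, confirm that the base ruleset already accepts loopback, the SSH session Ansible itself uses, and ICMPv6 neighbour discovery and Packet Too Big; without the ICMPv6 part the v6 rule cannot work, and without the SSH part the hosts become unmanageable. The peers are bare literals and one of them, 134.209.196.172, is a public address, so each rule pair would benefit from a comment naming the client, e.g. `# <client host name> (public interface)`, so that a later audit can tell a stale entry from a live one. Because that client arrives over a public network, the matching `pg_hba.conf` entry should presumably be `hostssl` with password or certificate authentication rather than plain `host`.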