kotovalexarian/fedihub-ansible
Archived
1
0
Fork 0
Code Activity

Improve iptables

Browse source
This commit is contained in:
Alex Kotov 2020-07-13 22:27:44 +05:00
parent 1b1c7d4f29
commit d8eaf9c5cd
Signed by: kotovalexarian
GPG key ID: 553C0EBBEB5D5F08
2 changed files with 12 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
host_vars/git.crypto-libertarian.com.yml
View file

@ -24,20 +24,12 @@ common__certbot__pre_hook: 'systemctl is-active apache2.service && systemctl sto
common__iptables__drop_by_default: true common__iptables__drop_by_default: true
common__iptables__v4_filter: | common__iptables__v4_filter: |
# Allow incoming HTTP. # Allow incoming HTTP, HTTPS.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP. # Deny other HTTP, HTTPS.
-A INPUT -p tcp --dport 80 -j REJECT -A INPUT -p tcp -m multiport --dports 80,443 -j REJECT
-A OUTPUT -p tcp --sport 80 -j REJECT -A OUTPUT -p tcp -m multiport --sports 80,443 -j REJECT
# Allow incoming HTTPS.
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTPS.
-A INPUT -p tcp --dport 443 -j REJECT
-A OUTPUT -p tcp --sport 443 -j REJECT
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}' common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'

28
host_vars/matrix.crypto-libertarian.com.yml
View file

@ -121,28 +121,12 @@ matrix__static__access_token: !vault |
common__iptables__drop_by_default: true common__iptables__drop_by_default: true
common__iptables__v4_filter: | common__iptables__v4_filter: |
# Allow incoming HTTP. # Allow incoming HTTP, HTTPS, Matrix.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dport 80,443,8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTP. # Deny other HTTP, HTTPS, Matrix.
-A INPUT -p tcp --dport 80 -j REJECT -A INPUT -p tcp -m multiport --dport 80,443,8448 -j REJECT
-A OUTPUT -p tcp --sport 80 -j REJECT -A OUTPUT -p tcp -m multiport --sport 80,443,8448 -j REJECT
# Allow incoming HTTPS.
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other HTTPS.
-A INPUT -p tcp --dport 443 -j REJECT
-A OUTPUT -p tcp --sport 443 -j REJECT
# Allow incoming Matrix (HTTPS).
-A INPUT -p tcp --dport 8448 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 8448 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Deny other Matrix (HTTPS).
-A INPUT -p tcp --dport 8448 -j REJECT
-A OUTPUT -p tcp --sport 8448 -j REJECT
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}' common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'