|
5 | 5 | {% from "iptables/map.jinja" import firewall with context %}
|
6 | 6 | {% set install = firewall.install %}
|
7 | 7 | {% set strict_mode = firewall.strict %}
|
8 |
| -{% set ipv6 = firewall.get('ipv6', False) %} |
9 | 8 | {% set global_block_nomatch = firewall.block_nomatch %}
|
10 | 9 | {% set packages = firewall.pkgs %}
|
11 | 10 | {% set ipv4 = 'IPv4' %}
|
12 | 11 | {% set ipv6 = 'IPv6' %}
|
13 | 12 | {% set protocols = [ipv4] %}
|
14 |
| -{% if ipv6 %} |
| 13 | +{% if firewall.get('ipv6', False) %} |
15 | 14 | {% do protocols.append(ipv6) %}
|
16 | 15 | {% endif %}
|
17 |
| -{% set sufixes = {ipv4: '', ipv6: '_ipv6'} %} |
| 16 | +{% set suffixes = {ipv4: '', ipv6: '_ipv6'} %} |
18 | 17 |
|
19 | 18 | {%- if firewall.enabled %}
|
20 | 19 | {%- if install %}
|
|
31 | 30 | # If the firewall is set to strict mode, we'll need to allow some
|
32 | 31 | # that always need access to anything
|
33 | 32 | {%- for protocol in protocols %}
|
34 |
| - iptables_allow_localhost{{sufixes[protocol]}}: |
| 33 | + iptables_allow_localhost{{suffixes[protocol]}}: |
35 | 34 | iptables.append:
|
36 | 35 | - table: filter
|
37 | 36 | - chain: INPUT
|
|
45 | 44 | - save: True
|
46 | 45 |
|
47 | 46 | # Allow related/established sessions
|
48 |
| - iptables_allow_established{{sufixes[protocol]}}: |
| 47 | + iptables_allow_established{{suffixes[protocol]}}: |
49 | 48 | iptables.append:
|
50 | 49 | - table: filter
|
51 | 50 | - chain: INPUT
|
|
58 | 57 | - save: True
|
59 | 58 |
|
60 | 59 | # Set the policy to deny everything unless defined
|
61 |
| - enable_reject_policy{{sufixes[protocol]}}: |
| 60 | + enable_reject_policy{{suffixes[protocol]}}: |
62 | 61 | iptables.set_policy:
|
63 | 62 | - table: filter
|
64 | 63 | - chain: INPUT
|
|
67 | 66 | - family: ipv6
|
68 | 67 | {%- endif %}
|
69 | 68 | - require:
|
70 |
| - - iptables: iptables_allow_localhost{{sufixes[protocol]}} |
71 |
| - - iptables: iptables_allow_established{{sufixes[protocol]}} |
| 69 | + - iptables: iptables_allow_localhost{{suffixes[protocol]}} |
| 70 | + - iptables: iptables_allow_established{{suffixes[protocol]}} |
72 | 71 | {%- endfor %}
|
73 | 72 | {%- endif %}
|
74 | 73 |
|
75 | 74 | # Generate ipsets for all services that we have information about
|
76 | 75 | {%- for protocol in protocols %}
|
77 |
| - {%- for service_name, service_details in firewall.get('services' + sufixes[protocol], {}).items() %} |
| 76 | + {%- for service_name, service_details in firewall.get('services' + suffixes[protocol], {}).items() %} |
78 | 77 | {% set block_nomatch = service_details.get('block_nomatch', False) %}
|
79 | 78 | {% set interfaces = service_details.get('interfaces','') %}
|
80 | 79 | {% set protos = service_details.get('protos',['tcp']) %}
|
|
88 | 87 | {%- for ip in service_details.get('ips_allow', ['0.0.0.0/0']) %}
|
89 | 88 | {%- if interfaces == '' %}
|
90 | 89 | {%- for proto in protos %}
|
91 |
| - iptables_{{service_name}}_allow_{{ip}}_{{proto}}{{sufixes[protocol]}}: |
| 90 | + iptables_{{service_name}}_allow_{{ip}}_{{proto}}{{suffixes[protocol]}}: |
92 | 91 | iptables.insert:
|
93 | 92 | - position: 1
|
94 | 93 | - table: filter
|
|
106 | 105 | {%- else %}
|
107 | 106 | {%- for interface in interfaces %}
|
108 | 107 | {%- for proto in protos %}
|
109 |
| - iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}{{sufixes[protocol]}}: |
| 108 | + iptables_{{service_name}}_allow_{{ip}}_{{proto}}_{{interface}}{{suffixes[protocol]}}: |
110 | 109 | iptables.insert:
|
111 | 110 | - position: 1
|
112 | 111 | - table: filter
|
|
130 | 129 | # If strict mode is disabled we may want to block anything else
|
131 | 130 | {%- if interfaces == '' %}
|
132 | 131 | {%- for proto in protos %}
|
133 |
| - iptables_{{service_name}}_deny_other_{{proto}}{{sufixes[protocol]}}: |
| 132 | + iptables_{{service_name}}_deny_other_{{proto}}{{suffixes[protocol]}}: |
134 | 133 | iptables.append:
|
135 | 134 | - position: last
|
136 | 135 | - table: filter
|
|
147 | 146 | {%- else %}
|
148 | 147 | {%- for interface in interfaces %}
|
149 | 148 | {%- for proto in protos %}
|
150 |
| - iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}{{sufixes[protocol]}}: |
| 149 | + iptables_{{service_name}}_deny_other_{{proto}}_{{interface}}{{suffixes[protocol]}}: |
151 | 150 | iptables.append:
|
152 | 151 | - position: last
|
153 | 152 | - table: filter
|
|
191 | 190 | {%- for protocol in protocols %}
|
192 | 191 | {%- for service_name, service_details in firewall.get('whitelist', {}).items() %}
|
193 | 192 | {%- for ip in service_details.get('ips_allow', []) %}
|
194 |
| - iptables_{{service_name}}_allow_{{ip}}{{sufixes[protocol]}}: |
| 193 | + iptables_{{service_name}}_allow_{{ip}}{{suffixes[protocol]}}: |
195 | 194 | iptables.append:
|
196 | 195 | - table: filter
|
197 | 196 | - chain: INPUT
|
|