ansible/roles/base/templates/iptables/iptables.ns04.phx2.fedoraproject.org

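# iptables-restore input for ns04, rendered by Ansible (Jinja2).
# As rendered on the web page the long-option dashes were lost
# (e.g. "-m state state RELATED,ESTABLISHED"); iptables-restore requires
# the two-dash form, which is restored below. Rule order matters: the
# first matching rule wins and both INPUT and FORWARD end in a catch-all
# REJECT, so the ACCEPT chain policies never come into play.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Baseline: ICMP, loopback, and the return half of tracked connections.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Inventory-supplied block list (blocked_ips). NOTE: these DROPs sit after
# the RELATED,ESTABLISHED accept above, so a connection that was already
# established from a newly blocked source keeps working until it ends;
# move this loop above that rule if an immediate cut-off is wanted.
{% if blocked_ips is defined %}
{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
{% endif %}

# SSH: new connections accepted from any source (no -s restriction here).
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

# NRPE (tcp/5666), only from the listed monitoring hosts.
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT

# Production hosts in phx2 that are not in 'staging_friendly' reject all
# traffic from every host in the 'staging' group. A staging host with no
# 'eth0_ip' hostvar only gets a comment line, i.e. it is NOT rejected.
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
#
{% for host in groups['staging']|sort %}
{% if 'eth0_ip' in hostvars[host] %}
# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}

# Same isolation for the qa.fedoraproject.org domain: hosts outside
# 'qa_isolated' reject traffic from every member of that group, again
# skipping (comment only) members that have no 'eth0_ip'.
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
#
{% for host in groups['qa_isolated']|sort %}
{% if 'eth0_ip' in hostvars[host] %}
# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}
# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}

# One accept per WSGI worker on ports 3000..30NN (NN = procs*threads - 1).
# NOTE: '%02d' pads but does not truncate, so 100 or more workers would
# yield ports such as 30100; keep wsgi_procs * wsgi_threads <= 100.
{% if wsgi_fedmsg_service is defined %}
{% for i in range(wsgi_procs * wsgi_threads) %}
-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
{% endfor %}
{% endif %}

# Service ports from inventory (tcp_ports / udp_ports), open to any source.
# udp/53 is not opened anywhere else in this file, so a name server relies
# on udp_ports (or custom_rules) to accept queries.
{% if tcp_ports is defined %}
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

{% if udp_ports is defined %}
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# custom_rules entries are emitted verbatim, after the port accepts and
# before the catch-all reject; each entry must be a complete iptables rule.
{% if custom_rules is defined %}
{% for rule in custom_rules %}
{{ rule }}
{% endfor %}
{% endif %}

# Catch-all: anything not accepted above is rejected, including all
# forwarding.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
# Inbound queries to udp/53 and outbound replies from udp/53 bypass
# connection tracking (keeps the conntrack table clear of short-lived DNS
# flows). Such packets carry no conntrack state, so the RELATED,ESTABLISHED
# rule in *filter cannot cover them; udp/53 must be accepted explicitly
# there. tcp/53 is not affected by these rules and stays tracked.
-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
COMMIT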