author | Quentin <quentin@deuxfleurs.fr> | 2019-06-01 16:02:49 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2019-07-11 09:33:07 +0200 |
commit | 61d009f18d5886db8b22ae41e04bb41a4ba2fddb (patch) | |
tree | e44bb326caf3107653c7a48749527cfd77f02cf2 /ansible/roles/network/templates | |
Initial commit
Diffstat (limited to 'ansible/roles/network/templates')
-rw-r--r-- | ansible/roles/network/templates/nomad-interface.j2 | 8 | ||||
-rw-r--r-- | ansible/roles/network/templates/rules.v4.j2 | 72 |
2 files changed, 80 insertions, 0 deletions
diff --git a/ansible/roles/network/templates/nomad-interface.j2 b/ansible/roles/network/templates/nomad-interface.j2
new file mode 100644
index 0000000..74e9cd4
--- /dev/null
+++ b/ansible/roles/network/templates/nomad-interface.j2
@@ -0,0 +1,8 @@
+auto nomad1
+iface nomad1 inet manual
+ pre-up /sbin/ip link add nomad1 type dummy
+ up /sbin/ip addr add {{ public_ip }} dev nomad1
+ up /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
+ down /sbin/iptables -t nat -D PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32
+ post-down /sbin/ip link del nomad1
+
diff --git a/ansible/roles/network/templates/rules.v4.j2 b/ansible/roles/network/templates/rules.v4.j2
new file mode 100644
index 0000000..a77852f
--- /dev/null
+++ b/ansible/roles/network/templates/rules.v4.j2
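Review bot: The `up` line appends the NETMAP rule with `-A` on every ifup and `pre-up /sbin/ip link add nomad1 type dummy` errors out once the dummy link already exists, so a second `ifup nomad1` (or a re-run of the role) either aborts or stacks duplicate PREROUTING rules that a single `down` no longer fully removes. Idempotent forms are `pre-up /sbin/ip link show nomad1 >/dev/null 2>&1 || /sbin/ip link add nomad1 type dummy` and `up /sbin/iptables -t nat -C PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32 || /sbin/iptables -t nat -A PREROUTING -d {{ private_ip }}/32 -j NETMAP --to {{ public_ip }}/32`. Note also that rules.v4.j2 in the same commit declares an empty `*nat` table, so if that file is loaded with `iptables-restore` without `--noflush` (the loading mechanism is not visible here) it will silently discard this NETMAP rule until the next ifdown/ifup; the two mechanisms need to agree on who owns the nat table. Finally, `ip addr add {{ public_ip }} dev nomad1` relies on iproute2 defaulting a bare IPv4 address to /32; writing `{{ public_ip }}/32` makes that explicit and matches the prefix used in the NETMAP rule.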
@@ -0,0 +1,72 @@
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# DNS
+-A INPUT -p udp --dport 53 -j ACCEPT
+-A INPUT -p tcp --dport 53 -j ACCEPT
+
+# Email
+-A INPUT -p tcp --dport 993 -j ACCEPT
+-A INPUT -p tcp --dport 25 -j ACCEPT
+-A INPUT -p tcp --dport 465 -j ACCEPT
+-A INPUT -p tcp --dport 587 -j ACCEPT
+
+# Old SSH configuration
+-A INPUT -p tcp --dport 110 -j ACCEPT
+
+# New SSH configuration
+-A INPUT -p tcp --dport 22 -j ACCEPT
+
+# LDAP
+-A INPUT -p tcp --dport 389 -j ACCEPT
+
+# Web
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+# Coturn
+-A INPUT -p tcp --dport 3478 -j ACCEPT
+-A INPUT -p udp --dport 3478 -j ACCEPT
+-A INPUT -p tcp --dport 3479 -j ACCEPT
+-A INPUT -p udp --dport 3479 -j ACCEPT
+
+# Cluster
+{% for selected_host in groups['cluster_nodes'] %}
+-A INPUT -s {{ hostvars[selected_host]['public_ip'] }} -j ACCEPT
+-A INPUT -s {{ hostvars[selected_host]['private_ip'] }} -j ACCEPT
+{% endfor %}
+
+# Rennes
+-A INPUT -s 82.253.205.190 -j ACCEPT
+
+-A INPUT -i docker0 -j ACCEPT
+
+-A INPUT -s 127.0.0.1/8 -j ACCEPT
+
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+COMMIT
+
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT
+
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+COMMIT
+
+
|
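Review bot: `-A INPUT -p tcp --dport 389 -j ACCEPT` under `# LDAP` opens the cleartext-by-default LDAP port to every source, while the `# Cluster` loop right below already admits all traffic from each node's public and private IP, so the world-open 389 rule only matters for external clients binding to the directory from outside the cluster; unless that is intended, drop it (or allow only 636 / require StartTLS) so simple-bind credentials never cross the public interface unencrypted. The loopback rule `-A INPUT -s 127.0.0.1/8 -j ACCEPT` matches on source address rather than interface; the conventional and safer form is `-A INPUT -i lo -j ACCEPT`, which does not rely on the kernel's martian filtering to reject 127/8-sourced packets arriving on a physical NIC (and `127.0.0.1/8` is a non-canonical prefix that iptables rewrites to `127.0.0.0/8`). The `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule sits last, so every reply packet walks the full chain before being accepted; moving it to the top of `*filter` is the usual layout, and the hard-coded `82.253.205.190` under `# Rennes` would be better as a host/group variable like the cluster loop uses. The `# Old SSH configuration` comment over port 110 (conventionally POP3) should either explain why SSH listened on 110, e.g. `# Legacy SSH listener on 110, remove once all clients use 22`, or the rule should go now that 22 is open.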