The iptables rules need more work

9b602412 · Chris Croome · e6f10646 · 9b602412 · 9b602412
Commit 9b602412 authored 7 years ago by Chris Croome
--- a/discourse.yml
+++ b/discourse.yml
@@ -3,7 +3,7 @@
  hosts: "{{ hostname }}"

  roles:
-    #- sshd 
+    - sshd 
    - apt
    - locale
    - vim

--- a/roles/iptables/templates/rules.v4.j2
+++ b/roles/iptables/templates/rules.v4.j2
@@ -22,11 +22,6 @@ COMMIT
 :DOCKER - [0:0]
 :DOCKER-ISOLATION - [0:0]
 :f2b-sshd - [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-# The following rule is for munin.webarch.net
-A INPUT -m state --state NEW -m tcp -p tcp -s 81.95.52.102 --dport 4949 -j ACCEPT
-# The following rule is for mx.webarch.net
-A INPUT -m state --state NEW -m tcp -p tcp -s 81.95.52.71 --dport 25 -j ACCEPT
 -A FORWARD -j DOCKER-ISOLATION
 -A FORWARD -o docker0 -j DOCKER
 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -35,13 +30,19 @@ COMMIT
 -A DOCKER -d {{ app_ip_address.stdout }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
 -A DOCKER -d {{ app_ip_address.stdout }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER-ISOLATION -j RETURN
+-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
+-A f2b-sshd -j RETURN
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+# The following rule is for munin.webarch.net
+-A INPUT -m state --state NEW -m tcp -p tcp -s 81.95.52.102 --dport 4949 -j ACCEPT
+# The following rule is for mx.webarch.net
+-A INPUT -m state --state NEW -m tcp -p tcp -s 81.95.52.71 --dport 25 -j ACCEPT
 # The following 5 lines might be too strict
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
+#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
+#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+#-A INPUT -j REJECT --reject-with icmp-port-unreachable
+#-A FORWARD -j REJECT --reject-with icmp-port-unreachable
 -A OUTPUT -j ACCEPT
-A f2b-sshd -j RETURN
 COMMIT
 #