iptables template fix

e6f10646 · Chris Croome · 9edd1dd8 · e6f10646 · e6f10646
Commit e6f10646 authored 7 years ago by Chris Croome
--- a/README.md
+++ b/README.md
@@ -25,7 +25,7 @@ Then check these settings for email:

 * **Required : notification email** set this to `discourse@$SERVERNAME` (use the actual domain name not $SERVERNAME)
 * **Email : reply by email enabled** tick *"Enable replying to topics via email."* 
-* **Email : reply by email address** set this to `discourse+%{reply_key}@$SERVERNAME`
+* **Email : reply by email address** set this to `discourse+%{reply_key}@$SERVERNAME` (use the actual domain name not $SERVERNAME)
 * **Email : manual polling enabled** rick *"Push emails using the API for email replies."*

 The email setup is based on the
@@ -39,10 +39,11 @@ Tighten some security settings:

 * **Security : force https** tick *"Force your site to use HTTPS only. WARNING: do NOT enable this until you verify HTTPS is fully set up and working absolutely everywhere! Did you check your CDN, all social logins, and any external logos / dependencies to make sure they are all HTTPS compatible, too?"*
 * **Security : same site cookies** select *"Strict"*
+
+If you are using this Playbook somewhere other than on a [Webarchitects](https://www.webarchitects.coop/) virtual server in Sheffield then the `iptables` and `munin-node` roles will as a minimum need editing and might be best omitted.
 
 TODO:

-* Test the email setup
-* Firewall / fail2ban configuration
-* Munin node configuration
+* Test the iptables / fail2ban configuration
+* Munin node plugin setup 

--- a/roles/iptables/templates/rules.v4.j2
+++ b/roles/iptables/templates/rules.v4.j2
@@ -8,11 +8,11 @@
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s {{ app_ip_address }}/32 -d {{ app_ip_address }}/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s {{ app_ip_address }}/32 -d {{ app_ip_address }}/32 -p tcp -m tcp --dport 80 -j MASQUERADE
+-A POSTROUTING -s {{ app_ip_address.stdout }}/32 -d {{ app_ip_address.stdout }}/32 -p tcp -m tcp --dport 443 -j MASQUERADE
+-A POSTROUTING -s {{ app_ip_address.stdout }}/32 -d {{ app_ip_address.stdout }}/32 -p tcp -m tcp --dport 80 -j MASQUERADE
 -A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination {{ app_ip_address }}:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination {{ app_ip_address }}:80
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination {{ app_ip_address.stdout }}:443
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination {{ app_ip_address.stdout }}:80
 COMMIT
 # 
 *filter
@@ -32,8 +32,8 @@ COMMIT
 -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
 -A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d {{ app_ip_address }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d {{ app_ip_address }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
+-A DOCKER -d {{ app_ip_address.stdout }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
+-A DOCKER -d {{ app_ip_address.stdout }}/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER-ISOLATION -j RETURN
 # The following 5 lines might be too strict
 -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable