Changeset - 7df70ebc439c
Branko Majic (branko) - 9 years ago 2016-12-10 11:06:13
branko@majic.rs
MAR-85: Updated all role firewall deployment rules to cover IPv6 in addition to IPv4. Updated instructions to make it clear that an additional Python package is required.
9 files changed with 157 insertions and 80 deletions:
0 comments (0 inline, 0 general)
docs/index.rst
 
@@ -18,6 +18,10 @@ are:
 
* Referencing non-existing handlers does not produce error.
 
* Referencing non-existing tags does not produce error.
 

	
 
The role also utilises the ``dig`` lookup plugin which requires ``dnspython``
 
package to be installed. Make sure you have the package available on controller
 
machine.
 

	
 

	
 
Contents
 
========
docs/usage.rst
 
@@ -129,7 +129,11 @@ packages, and to prepare the environment a bit on the Ansible server:
 
     mkdir ~/mysite/
 
     mkvirtualenv -a ~/mysite/ mysite
 
     pip install -U pip setuptools
 
     pip install 'ansible~=1.9.0'
 
     pip install 'ansible~=1.9.0' dnspython
 

	
 
.. warning::
 
   The ``dnspython`` package is important since it is used internally via
 
   ``dig`` lookup plugin.
 

	
 

	
 
Cloning the *Majic Ansible Roles*
roles/backup_server/templates/ferm_backup.conf.j2
 
{% if backup_clients -%}
 
table filter {
 
    chain INPUT {
 
        saddr ({% for client in backup_clients %} {{ client.ip }}{% endfor %}) @subchain "backup_in" {
 
            # SSH
 
            proto tcp dport 2222 ACCEPT;
 
domain (ip ip6) {
 
    table filter {
 
        chain INPUT {
 
            saddr ({% for client in backup_clients %} {{ client.ip }}{% endfor %}) @subchain "backup_in" {
 
                # SSH
 
                proto tcp dport 2222 ACCEPT;
 
            }
 
        }
 
    }
 
}
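Review bot: Wrapping the rule in `domain (ip ip6)` feeds every `backup_clients[*].ip` value to both iptables and ip6tables, and a literal IPv4 address is not a valid `saddr` for ip6tables (nor an IPv6 literal for iptables), so as soon as the list holds addresses of only one family the other domain's rule fails to load and ferm stops with an error; how much of the ruleset is left applied at that point depends on the ferm version and invocation. If the installed ferm provides `@ipfilter`, filtering the list per domain keeps each generated rule family-correct, e.g. `saddr @ipfilter(({% for client in backup_clients %} {{ client.ip }}{% endfor %})) @subchain "backup_in" {`; otherwise the template needs separate `domain ip` and `domain ip6` blocks fed from per-family address lists. Whether `client.ip` may also hold hostnames, which iptables and ip6tables resolve per family, is not visible here, so the role's variable documentation should state which forms are accepted.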
roles/common/templates/00-base.conf.j2
 
table filter {
 
    chain INPUT {
 
        policy DROP;
 
        interface lo ACCEPT;
 
        # Make sure not to allow flooding via ICMP ping packages by sending them
 
        # to flood chain before state module kicks in.
 
        proto icmp icmp-type echo-request jump flood;
 
        mod state state (ESTABLISHED RELATED) ACCEPT;
 
        # For TCP packages we perform floods checks after state module took care
 
        # of established and related connections.
 
        proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
        # Accept some common incoming connections.
 
        proto icmp icmp-type echo-request ACCEPT;
 
        proto tcp dport 22 ACCEPT;
 
# IPv4
 
domain ip {
 
    table filter {
 
        chain INPUT {
 
            policy DROP;
 
            interface lo ACCEPT;
 
            # Make sure not to allow flooding via ICMP ping packages by sending them
 
            # to flood chain before state module kicks in.
 
            proto icmp icmp-type echo-request jump flood;
 
            mod state state (ESTABLISHED RELATED) ACCEPT;
 
            # For TCP packages we perform floods checks after state module took care
 
            # of established and related connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
        }
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
        chain flood {
 
            # Rate-limit the ping requests.
 
            proto icmp icmp-type echo-request {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                DROP;
 
            }
 
            # Rate-limit the TCP connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                LOG;
 
                DROP;
 
            }
 
        }
 
    }
 
}
 

	
 
    # The flood chain is used for controlling the rate of the incoming connections.
 
    chain flood {
 
        # Rate-limit the ping requests.
 
        proto icmp icmp-type echo-request {
 
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                hashlimit-mode srcip hashlimit-name icmp RETURN;
 
            DROP;
 
# IPv6, same as IPv4 config, with addition of a couple of ICMP packets.
 
domain ip6 {
 
    table filter {
 
        chain INPUT {
 
            policy DROP;
 
            interface lo ACCEPT;
 
            # Make sure not to allow flooding via ICMP ping packages by sending them
 
            # to flood chain before state module kicks in.
 
            proto icmp icmp-type echo-request jump flood;
 
            mod state state (ESTABLISHED RELATED) ACCEPT;
 
            # For TCP packages we perform floods checks after state module took care
 
            # of established and related connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
 
            # ICMPv6 packets required for proper functioning of IPv6.
 
            proto icmp icmp-type router-advertisement ACCEPT;
 
            proto icmp icmp-type neighbor-solicitation ACCEPT;
 
            proto icmp icmp-type neighbor-advertisement ACCEPT;
 
            # Accept some common incoming connections.
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
        }
 
        # Rate-limit the TCP connections.
 
        proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
            mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                hashlimit-mode srcip hashlimit-name icmp RETURN;
 
            LOG;
 
            DROP;
 

	
 
        # The flood chain is used for controlling the rate of the incoming connections.
 
        chain flood {
 
            # Rate-limit the ping requests.
 
            proto icmp icmp-type echo-request {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                DROP;
 
            }
 
            # Rate-limit the TCP connections.
 
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
 
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
 
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
 
                LOG;
 
                DROP;
 
            }
 
        }
 
    }
 

	
 
}
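Review bot: The new `domain ip6` INPUT chain accepts router-advertisement and neighbor-solicitation/advertisement but still drops the other ICMPv6 messages IPv6 depends on, most importantly packet-too-big (path-MTU discovery breaks without it and larger transfers stall), plus destination-unreachable, time-exceeded and parameter-problem; RFC 4890 lists all of these as messages that should not be dropped. One line next to the existing three covers them: `proto icmp icmp-type (destination-unreachable packet-too-big time-exceeded parameter-problem) ACCEPT;`. Whether ferm rewrites `proto icmp` and `icmp-type` into their ICMPv6 equivalents inside an ip6 domain should be confirmed against the ferm version the targets run, since the whole ip6 block relies on that translation. Separately, the TCP rate-limit rule in both flood chains reuses `hashlimit-name icmp`, so SYNs and pings from one source share a single bucket; the line predates this commit, but the ip6 copy is new, and `hashlimit-name tcp` on the TCP rule in both domains would separate them.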
roles/ldap_server/files/ferm_ldap.conf
 
table filter {
 
    chain INPUT {
 
        proto tcp dport 389 ACCEPT;
 
        proto tcp dport 636 ACCEPT;
 
domain (ip ip6) {
 
    table filter {
 
        chain INPUT {
 
            proto tcp dport 389 ACCEPT;
 
            proto tcp dport 636 ACCEPT;
 
        }
 
    }
 
}
 
\ No newline at end of file
 
}
roles/mail_forwarder/templates/ferm_mail.conf.j2
 
{% if smtp_relay_host %}
 
# Accept incoming connections on port 25 from SMTP relay host.
 
table filter {
 
    chain INPUT {
 
        # SMTP for server communication.
 
        proto tcp dport 25 {
 
            saddr {{ smtp_relay_host }} ACCEPT;
 
domain ip {
 
    # Accept incoming connections on port 25 from SMTP relay host.
 
    table filter {
 
        chain INPUT {
 
            # SMTP for server communication.
 
            proto tcp dport 25 {
 
                saddr {{ smtp_relay_host }} ACCEPT;
 
            }
 
        }
 
    }
 
}
 

	
 
{% if lookup('dig', smtp_relay_host + '/AAAA') not in ['NXDOMAIN', ''] %}
 
domain ip6 {
 
    # Accept incoming connections on port 25 from SMTP relay host.
 
    table filter {
 
        chain INPUT {
 
            # SMTP for server communication.
 
            proto tcp dport 25 {
 
                saddr {{ smtp_relay_host }} ACCEPT;
 
            }
 
        }
 
    }
 
}
 
{% endif %}
 
{% endif %}
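Review bot: The new `domain ip6` block makes a firewall rule depend on a DNS answer taken at template-render time, and nothing in the template says why: the `lookup('dig', smtp_relay_host + '/AAAA')` guard presumably exists because ip6tables cannot load a `saddr` hostname that has no AAAA record, and a reader will not infer that. A Jinja comment above the guard would carry it, e.g. `{# Emit the IPv6 rule only when the relay host has an AAAA record; the lookup runs on the controller at render time, so the controller's resolver must see the same record as the target. #}`. Two things to verify: if the Ansible dig lookup's error handling is as I recall, it returns `''` on resolver timeout as well as on an empty answer, so a transient failure on the controller silently omits the IPv6 rule instead of failing the run; and the `domain ip` block stays unconditional, so a relay host with only an AAAA record would still fail to load. Using a hostname in `saddr` also means whoever answers the resolver queries for that name decides which source is accepted; that was already true for IPv4, but the comment should make the trust in DNS explicit.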
roles/mail_server/files/ferm_mail.conf
 
table filter {
 
    chain INPUT {
 
        # SMTP for server communication.
 
        proto tcp dport 25 ACCEPT;
 
        # SMTP for client submission (with alternative port)
 
        proto tcp dport 587 ACCEPT;
 
        proto tcp dport 26 ACCEPT;
 
        # IMAP
 
        proto tcp dport 143 ACCEPT;
 
        proto tcp dport 993 ACCEPT;
 
        # ManageSieve
 
        proto tcp dport 4190 ACCEPT;
 
domain (ip ip6) {
 
    table filter {
 
        chain INPUT {
 
            # SMTP for server communication.
 
            proto tcp dport 25 ACCEPT;
 
            # SMTP for client submission (with alternative port)
 
            proto tcp dport 587 ACCEPT;
 
            proto tcp dport 26 ACCEPT;
 
            # IMAP
 
            proto tcp dport 143 ACCEPT;
 
            proto tcp dport 993 ACCEPT;
 
            # ManageSieve
 
            proto tcp dport 4190 ACCEPT;
 
        }
 
    }
 
}
 

	
 
table nat {
 
    chain PREROUTING {
 
        # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
 
        # etc).
 
        proto tcp dport 26 REDIRECT to-ports 587;
 
    table nat {
 
        chain PREROUTING {
 
            # Set-up redirection for alternate SMTP port (to avoid ISP/hotel blocks
 
            # etc).
 
            proto tcp dport 26 REDIRECT to-ports 587;
 
        }
 
    }
 
}
 
}
 
\ No newline at end of file
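Review bot: The `table nat` REDIRECT is now emitted for `domain ip6` as well, and IPv6 NAT is only available with `ip6table_nat` on Linux 3.7 or later; on a target without it, ip6tables rejects the nat table and the whole mail firewall file fails to load, taking the filter rules with it. Either confirm every supported target provides IPv6 NAT, or keep the nat table under `domain ip` only until they do, with a comment such as `# IPv6 NAT needs ip6table_nat (Linux >= 3.7); the port-26 redirect stays IPv4-only until all targets provide it.` The filter part of the section looks fine as a straight duplication of the IPv4 rules.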
roles/web_server/files/ferm_http.conf
 
table filter {
 
    chain INPUT {
 
        # HTTP
 
        proto tcp dport 80 ACCEPT;
 
        # HTTPS
 
        proto tcp dport 443 ACCEPT;
 
domain (ip ip6) {
 
    table filter {
 
        chain INPUT {
 
            # HTTP
 
            proto tcp dport 80 ACCEPT;
 
            # HTTPS
 
            proto tcp dport 443 ACCEPT;
 
        }
 
    }
 
}
roles/xmpp_server/files/ferm_xmpp.conf
 
table filter {
 
    chain INPUT {
 
        # XMPP client connections.
 
        proto tcp dport 5222 ACCEPT;
 
        proto tcp dport 5223 ACCEPT;
 
        # File proxying.
 
        proto tcp dport 5000 ACCEPT;
 
        # XMPP server connections.
 
        proto tcp dport 5269 ACCEPT;
 
domain (ip ip6) {
 
    table filter {
 
        chain INPUT {
 
            # XMPP client connections.
 
            proto tcp dport 5222 ACCEPT;
 
            proto tcp dport 5223 ACCEPT;
 
            # File proxying.
 
            proto tcp dport 5000 ACCEPT;
 
            # XMPP server connections.
 
            proto tcp dport 5269 ACCEPT;
 
        }
 
    }
 
}
 
\ No newline at end of file
 
}