File diff 5eeaa6ef80fd → 736e06e7ffd6
roles/common/templates/00-base.conf.j2
 
#jinja2:trim_blocks:True,lstrip_blocks:True
 
# IPv4
 
domain ip {
 
    table filter {
 
@@ -15,8 +16,8 @@ domain ip {
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed hosts in maintenance mode.
 
            jump allowed_hosts;
 
            # Validate source IP against list of allowed source addresses in maintenance mode.
 
            jump allowed_sources;
 
{% endif %}
 
        }
 

	
 
@@ -37,11 +38,12 @@ domain ip {
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing in case of allowed hosts, drop packets for
 
        # any other hosts.
 
        chain allowed_hosts {
 
            {% for host in maintenance_allowed_hosts %}
 
            saddr {{ host }} RETURN;
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv4 %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;
 
        }
 
@@ -70,8 +72,8 @@ domain ip6 {
 
            proto icmp icmp-type echo-request ACCEPT;
 
            proto tcp dport 22 ACCEPT;
 
{% if maintenance %}
 
            # Validate source IP against list of allowed hosts in maintenance mode.
 
            jump allowed_hosts;
 
            # Validate source IP against list of allowed source addresses in maintenance mode.
 
            jump allowed_sources;
 
{% endif %}
 
        }
 

	
 
@@ -92,12 +94,11 @@ domain ip6 {
 
            }
 
        }
 
{% if maintenance %}
 
        # Resume processing in case of allowed hosts, drop packets for
 
        # any other hosts.
 
        chain allowed_hosts {
 
            {% for host in maintenance_allowed_hosts %}
 
                {% if lookup('dig', host + '/AAAA') not in ['NXDOMAIN', ''] %}
 
            saddr {{ host }} RETURN;
 
        # Resume processing for allowed source addresses, otherwise drop packets.
 
        chain allowed_sources {
 
            {% for source in maintenance_allowed_sources %}
 
                {% if source | ipv6 %}
 
            saddr {{ source }} RETURN;
 
                {% endif %}
 
            {% endfor %}
 
            DROP;