Commit 9da8513f authored by Mattia Rizzolo's avatar Mattia Rizzolo

firewall: s/command/cmd/g

Signed-off-by: Mattia Rizzolo's avatarMattia Rizzolo <mapreri@ubuntu.com>
parent cac9bc27
...@@ -25,17 +25,17 @@ PUBLIC_IFACE="eth0" ...@@ -25,17 +25,17 @@ PUBLIC_IFACE="eth0"
LOCAL_IFACE="lo" LOCAL_IFACE="lo"
# Execute a command on all iptables commands # Execute a command on all iptables commands
command() { cmd() {
for cmd in "${COMMANDS[@]}"; do for cmd in "${COMMANDS[@]}"; do
"${cmd}" $@ "${cmd}" $@
done done
} }
command4() { cmd4() {
"/sbin/iptables" $@ "/sbin/iptables" $@
} }
command6() { cmd6() {
if "${IPv6}"; then if "${IPv6}"; then
"/sbin/ip6tables" $@ "/sbin/ip6tables" $@
fi fi
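Review bot: In the renamed `cmd()` the loop variable is now also called `cmd`, so the function walks a global variable that shares its own name; bash keeps function and variable namespaces apart, so this still runs, but the unscoped iterator leaks into the caller and reads as if the function were recursing. A distinct, local iterator avoids that: `local tool` before the loop, then `for tool in "${COMMANDS[@]}"; do` and `"${tool}" "$@"`. The same unquoted `$@` is kept in `cmd4` and `cmd6` in this hunk; `"$@"` forwards each rule argument as one word, which matters the moment an argument contains whitespace or a glob character. `COMMANDS` and `IPv6` are defined outside the hunk, so their contents are assumed here.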
...@@ -50,15 +50,15 @@ for arg; do ...@@ -50,15 +50,15 @@ for arg; do
done done
# Reset the firewall # Reset the firewall
command -D INPUT -j input 2>/dev/null || true # Remove firewall's input chain cmd -D INPUT -j input 2>/dev/null || true # Remove firewall's input chain
# Flush chains # Flush chains
for chain in "${CHAINS[@]}"; do for chain in "${CHAINS[@]}"; do
command -F "${chain}" 2>/dev/null || true cmd -F "${chain}" 2>/dev/null || true
done done
# Delete chains -- must be done after because of references # Delete chains -- must be done after because of references
for chain in "${CHAINS[@]}"; do for chain in "${CHAINS[@]}"; do
command -X "${chain}" 2>/dev/null || true cmd -X "${chain}" 2>/dev/null || true
done done
echo "Existing firewall configuration cleaned up" echo "Existing firewall configuration cleaned up"
...@@ -66,44 +66,44 @@ echo "Existing firewall configuration cleaned up" ...@@ -66,44 +66,44 @@ echo "Existing firewall configuration cleaned up"
# If you want only to reset the firewall, don't re-create rules and clear # If you want only to reset the firewall, don't re-create rules and clear
# policies # policies
if "${only_reset}"; then if "${only_reset}"; then
command -P INPUT ACCEPT cmd -P INPUT ACCEPT
command -P OUTPUT ACCEPT cmd -P OUTPUT ACCEPT
command -P FORWARD ACCEPT cmd -P FORWARD ACCEPT
echo "Firewall successifully disabled" echo "Firewall successifully disabled"
exit exit
fi fi
# Setup policies # Setup policies
command -P INPUT ACCEPT cmd -P INPUT ACCEPT
command -P OUTPUT ACCEPT cmd -P OUTPUT ACCEPT
command -P FORWARD DROP cmd -P FORWARD DROP
# Create chains # Create chains
for chain in "${CHAINS[@]}"; do for chain in "${CHAINS[@]}"; do
command -N "${chain}" cmd -N "${chain}"
done done
# Setup bad tcp packets chain # Setup bad tcp packets chain
command -A tcp_bad -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \ cmd -A tcp_bad -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW \
-j REJECT --reject-with tcp-reset -j REJECT --reject-with tcp-reset
command -A tcp_bad -p tcp ! --syn -m state --state NEW -j DROP cmd -A tcp_bad -p tcp ! --syn -m state --state NEW -j DROP
# Setup tcp public input chain # Setup tcp public input chain
command -A public_input_tcp -j tcp_bad cmd -A public_input_tcp -j tcp_bad
command -A public_input_tcp -p tcp --dport 22 -j ACCEPT # sshd cmd -A public_input_tcp -p tcp --dport 22 -j ACCEPT # sshd
# Setup icmp public input chain # Setup icmp public input chain
command -A public_input_icmp -j ACCEPT cmd -A public_input_icmp -j ACCEPT
# Setup input chain # Setup input chain
command -A input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT cmd -A input -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
command -A input -i "${LOCAL_IFACE}" -j ACCEPT # Accept localhost connections cmd -A input -i "${LOCAL_IFACE}" -j ACCEPT # Accept localhost connections
command -A input -i "${PUBLIC_IFACE}" -p tcp -j public_input_tcp cmd -A input -i "${PUBLIC_IFACE}" -p tcp -j public_input_tcp
command -A input -i "${PUBLIC_IFACE}" -p udp -j public_input_udp cmd -A input -i "${PUBLIC_IFACE}" -p udp -j public_input_udp
command4 -A input -i "${PUBLIC_IFACE}" -p icmp -j public_input_icmp cmd4 -A input -i "${PUBLIC_IFACE}" -p icmp -j public_input_icmp
command6 -A input -i "${PUBLIC_IFACE}" -p ipv6-icmp -j public_input_icmp cmd6 -A input -i "${PUBLIC_IFACE}" -p ipv6-icmp -j public_input_icmp
command -A input -j DROP cmd -A input -j DROP
echo "Applied basic configuration to the firewall" echo "Applied basic configuration to the firewall"
...@@ -116,6 +116,6 @@ for file in /etc/firewall/*.sh; do ...@@ -116,6 +116,6 @@ for file in /etc/firewall/*.sh; do
done done
# Setup INPUT chain # Setup INPUT chain
command -A INPUT -j input # Move to my input chain cmd -A INPUT -j input # Move to my input chain
echo "Firewall successifully enabled" echo "Firewall successifully enabled"
...@@ -2,4 +2,4 @@ ...@@ -2,4 +2,4 @@
# {{ ansible_managed }} # {{ ansible_managed }}
# #
command4 -A public_input_tcp -p tcp -s 178.62.47.107 --dport 4949 -j ACCEPT cmd4 -A public_input_tcp -p tcp -s 178.62.47.107 --dport 4949 -j ACCEPT
#!/bin/bash
{% for port in expose_ports %} {% for port in expose_ports %}
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport {{ port }} -j DNAT --to-destination {{ ip }}:{{ port }} iptables -t nat -A PREROUTING -p tcp -i eth0 --dport {{ port }} -j DNAT --to-destination {{ ip }}:{{ port }}
{% endfor %} {% endfor %}
#!/bin/bash
# #
# {{ ansible_managed }} # {{ ansible_managed }}
# #
# Allow incoming requests on ports 80 and 443 # Allow incoming requests on ports 80 and 443
command -A public_input_tcp -p tcp --dport 80 -j ACCEPT cmd -A public_input_tcp -p tcp --dport 80 -j ACCEPT
command -A public_input_tcp -p tcp --dport 443 -j ACCEPT cmd -A public_input_tcp -p tcp --dport 443 -j ACCEPT