36 lines
1.8 KiB
Django/Jinja
36 lines
1.8 KiB
Django/Jinja
# {{ ansible_managed }}
|
|
# vim:set ts=2 sw=2 et:
|
|
|
|
flush ruleset
|
|
|
|
table ip filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# allow established/related connections
|
|
ct state { established, related } accept
|
|
|
|
# early drop of invalid connections
|
|
ct state invalid drop
|
|
|
|
# allow from loopback
|
|
iifname lo accept
|
|
|
|
# allow icmp
|
|
ip protocol icmp accept
|
|
|
|
iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH"
|
|
iifname "{{ network_interface }}" tcp dport {{ gitlab_ssh_port }} accept comment "Gitlab SSH"
|
|
iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
|
|
iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission"
|
|
|
|
iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
|
|
iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
|
|
|
|
iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
|
|
iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
|
|
iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
|
|
iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD"
|
|
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
|
|
}
|
|
}
|