use firwalld instead of iptables

khaledk2 · Dec 8, 2024 · a2ffc3a · a2ffc3a
1 parent f635c4b
commit a2ffc3a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 56 deletions.
diff --git a/ansible/idr-firewall.yml b/ansible/idr-firewall.yml
@@ -4,43 +4,24 @@
     {{ idr_environment | default('idr') }}-database-hosts
     {{ idr_environment | default('idr') }}-omero-hosts
 
-  roles:
-    - role: ome.iptables_raw
-
   tasks:
     - name: Accept all traffic
       ansible.posix.firewalld:
         zone: public
         state: enabled
         permanent: true
         rich_rule:
-          - 'rule family="ipv4" forward reject'
+          - 'rule family="ipv4" forward accept'
           - 'rule family="ipv4" source address="0.0.0.0/0" accept'
           - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
 
-    - name: Iptables internal hosts allow all
-      become: yes
-      iptables_raw_25:
-        name: default_accept
-        keep_unmanaged: no
-        rules: |
-          -A INPUT -j ACCEPT
-          -A FORWARD -j ACCEPT
-          -A OUTPUT -j ACCEPT
-        state: present
-        # Highest priority
-        weight: 0
-
-
-# Docker sets up its own rules, don't overwrite
+  # Docker sets up its own rules, don't overwrite
 # - hosts: >
 #     {{ idr_environment | default('idr') }}-management-hosts
 
 
 - hosts: "{{ idr_environment | default('idr') }}-proxy-hosts"
 
-  roles:
-    - role: ome.iptables_raw
 
   tasks:
     # Allow:
@@ -76,27 +57,6 @@
           #  allow TCP traffic on idr_external_tcp_ports
           -  'rule family="ipv4" protocol value="tcp" destination port={{ idr_external_tcp_ports | join(',' ) }} accept'
 
-
-    - name: Iptables ssh and related
-      become: yes
-      iptables_raw_25:
-        name: default_and_idr_external
-        keep_unmanaged: no
-        rules: |
-          -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-          -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-          -A INPUT -i lo -j ACCEPT
-          -A INPUT -p tcp -s 10.0.0.0/8 -j ACCEPT
-          -A INPUT -p udp -s 10.0.0.0/8 -j ACCEPT
-          -A INPUT -p tcp -s 192.168.0.0/16 -j ACCEPT
-          -A INPUT -p udp -s 192.168.0.0/16 -j ACCEPT
-          -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-          -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-          -A INPUT -p tcp -m multiport --dports {{ idr_external_tcp_ports | join(',' ) }} -j ACCEPT
-        state: present
-        # Highest priority
-        weight: 0
-
     # Use a low priority REJECT rule so that clients can detect when
     # they've been rejected
     # The alternative of setting a default DROP policy will leave them
@@ -114,17 +74,6 @@
           - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
 
 
-    - name: Iptables default
-      become: yes
-      iptables_raw_25:
-        name: default_reject
-        rules: |
-          -A INPUT -j REJECT
-          -A FORWARD -j REJECT
-          -A OUTPUT -j ACCEPT
-        state: present
-        # Lowest priority
-        weight: 99
 
   vars:
     idr_external_tcp_ports:

diff --git a/ansible/requirements.yml b/ansible/requirements.yml
@@ -39,9 +39,6 @@
 - name: ome.ice
   version: 4.4.4
 
-- src: ome.iptables_raw
-  version: 0.4.0
-
 - src: ome.java
   version: 2.2.0