From a2ffc3adcd47cad1e732e87b81ccf0c87cc58071 Mon Sep 17 00:00:00 2001
From: khaledk2
Date: Sun, 8 Dec 2024 21:23:00 +0000
Subject: [PATCH] use firwalld instead of iptables
---
ansible/idr-firewall.yml | 55 ++--------------------------------------
ansible/requirements.yml | 3 ---
2 files changed, 2 insertions(+), 56 deletions(-)
diff --git a/ansible/idr-firewall.yml b/ansible/idr-firewall.yml
index f148edaa..4e0a9fd1 100644
--- a/ansible/idr-firewall.yml
+++ b/ansible/idr-firewall.yml
@@ -4,9 +4,6 @@
 {{ idr_environment | default('idr') }}-database-hosts
 {{ idr_environment | default('idr') }}-omero-hosts
- roles:
- - role: ome.iptables_raw
-
 tasks:
 - name: Accept all traffic
 ansible.posix.firewalld:
@@ -14,33 +11,17 @@
 state: enabled
 permanent: true
 rich_rule:
- - 'rule family="ipv4" forward reject'
+ - 'rule family="ipv4" forward accept'
 - 'rule family="ipv4" source address="0.0.0.0/0" accept'
 - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
- - name: Iptables internal hosts allow all
- become: yes
- iptables_raw_25:
- name: default_accept
- keep_unmanaged: no
- rules: |
- -A INPUT -j ACCEPT
- -A FORWARD -j ACCEPT
- -A OUTPUT -j ACCEPT
- state: present
- # Highest priority
- weight: 0
-
-# Docker sets up its own rules, don't overwrite
+ # Docker sets up its own rules, don't overwrite
 # - hosts: >
 # {{ idr_environment | default('idr') }}-management-hosts
 - hosts: "{{ idr_environment | default('idr') }}-proxy-hosts"
- roles:
- - role: ome.iptables_raw
 tasks:
 # Allow:
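Review bot: The rich rule on the database/omero hosts changes from `forward reject` to `forward accept` with nothing in the commit message or the file saying why forwarded traffic must now be allowed; a one-line comment above the rule, e.g. `# forwarded traffic must be accepted because <reason — fill in>`, would keep the next reader from flipping it back. I cannot find `forward` in the firewalld rich-rule grammar as I know it (only `forward-port`; zone-level forwarding is a separate zone setting), so it is worth confirming on a target host that firewalld accepts this rule rather than failing the task. The deletions in the later hunks (`@@ -76,27 +57,6 @@` and `@@ -114,17 +74,6 @@`) drop the proxy hosts' iptables allows for loopback, ESTABLISHED/RELATED, 10.0.0.0/8, 192.168.0.0/16, ICMP echo and port 22 together with the low-priority REJECT default, and no firewalld equivalent is visible in the diff (it may exist outside the hunks); if none exists, those hosts lose their default-deny, and the surviving comment `# Use a low priority REJECT rule so that clients can detect when they've been rejected` then describes a task that no longer exists and should be updated or backed by a firewalld rich rule with a low priority reject. The `- hosts:` play for the proxy hosts continues past the end of this hunk.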
@@ -76,27 +57,6 @@
 # allow TCP traffic on idr_external_tcp_ports
 - 'rule family="ipv4" protocol value="tcp" destination port={{ idr_external_tcp_ports | join(',' ) }} accept'
- - name: Iptables ssh and related
- become: yes
- iptables_raw_25:
- name: default_and_idr_external
- keep_unmanaged: no
- rules: |
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -p tcp -s 10.0.0.0/8 -j ACCEPT
- -A INPUT -p udp -s 10.0.0.0/8 -j ACCEPT
- -A INPUT -p tcp -s 192.168.0.0/16 -j ACCEPT
- -A INPUT -p udp -s 192.168.0.0/16 -j ACCEPT
- -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
- -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
- -A INPUT -p tcp -m multiport --dports {{ idr_external_tcp_ports | join(',' ) }} -j ACCEPT
- state: present
- # Highest priority
- weight: 0
-
 # Use a low priority REJECT rule so that clients can detect when
 # they've been rejected
 # The alternative of setting a default DROP policy will leave them
@@ -114,17 +74,6 @@
 - 'rule family="ipv4" destination address="0.0.0.0/0" accept'
- - name: Iptables default
- become: yes
- iptables_raw_25:
- name: default_reject
- rules: |
- -A INPUT -j REJECT
- -A FORWARD -j REJECT
- -A OUTPUT -j ACCEPT
- state: present
- # Lowest priority
- weight: 99
 vars:
 idr_external_tcp_ports:
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index bb51bb01..badb224c 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -39,9 +39,6 @@
 - name: ome.ice
 version: 4.4.4
-- src: ome.iptables_raw
- version: 0.4.0
-
 - src: ome.java
 version: 2.2.0