Cleanup firewall + make it more strict

- Do not put too many empty newlines in rendered file - Also write redirect rules in the output chain. This will allow us to use the port from the same machine. Note that redirect does rewrite the destination to localhost if used on the same machine, so your application should also listen to localhost - made the file a bit clearer with better comments - Add the explicit device if we can for redirects
2025-08-15 22:52:03 +02:00 · 2025-08-15 22:52:03 +02:00 · 4d8c4e5f48
commit 4d8c4e5f48
parent dc99b61ea8
1 changed files with 37 additions and 12 deletions
--- a/roles/ppm/files/ppmfirewall
+++ b/roles/ppm/files/ppmfirewall
@ -3,20 +3,45 @@
 # PPM Firewall
 {% for app in otherapps -%}
 # App {{ app }}
 {%- if "firewall" in otherapps[app]["imports"] -%}
 {%- set oneapp = otherapps[app]["imports"]["firewall"] %}
-
+{%- for redirect in oneapp.redirect %}
-{% for redirect in oneapp.redirect %}
+{%- if redirect.version == "ipv4" %}
 {%- if redirect.ip is defined %}
 # Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
 inputinterface=$(ip -o -4 addr show | awk '$3 == "inet"  && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}')
 iptables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
 iptables -t nat -A PREROUTING $inputinterface -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 iptables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 {%- else %}
 # Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
-iptables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
-ip6tables -A INPUT -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
+iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-iptables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+iptables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
-ip6tables -t nat -A PREROUTING -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
+{%- endif %}
-{% endfor %}
+{%- else %}{# ipv6 #}
-{% for openport in oneapp.open %}
+{%- if redirect.ip is defined %}
 # Redirect {{ redirect.ip }}:{{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
 inputinterface=$(ip -o -6 addr show | awk '$3 == "inet6"  && index($4,"{{ redirect.ip }}/")==1 {print "-i " $2}')
 ip6tables -A INPUT -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
 ip6tables -t nat -A PREROUTING -d {{ redirect.ip }} $inputinterface -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 ip6tables -t nat -A OUTPUT -d {{ redirect.ip }} -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 {%- else %}
 # Redirect {{ redirect.from }} to {{ redirect.to }} ({{ redirect.proto | default('tcp') }})  for {{ app }}
 ip6tables -A INPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.to }} -j ACCEPT
 ip6tables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 ip6tables -t nat -A OUTPUT -m addrtype --dst-type LOCAL -p {{ redirect.proto | default('tcp') }} --dport {{ redirect.from }} -j REDIRECT --to-ports {{ redirect.to }}
 {%- endif %}
 {%- endif %}
 {%- endfor %}
 {%- for openport in oneapp.open %}
 # Open port {{ openport.port }}/{{ openport.proto | default('tcp') }} for app {{ app }}
-iptables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+{%- if redirect.version == "ipv4" %}
-ip6tables -A INPUT -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
+iptables -A INPUT {% if firewall_bindservices_ipv4 is defined %}-s {{firewall_bindservices_ipv4 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
-{% endfor %}
+{%- else %}
-{% endif %}
+ip6tables -A INPUT {% if firewall_bindservices_ipv6 is defined %}-s {{firewall_bindservices_ipv6 }}{% endif %} -p {{ openport.proto | default('tcp') }} --dport {{ openport.port }} -j ACCEPT
 {%- endif %}
 {%- endfor %}
 {%- endif %}
 {% endfor %}