Add default rules for OUTPUT and FORWARD chains

2019-09-02 17:54:06 +00:00 · 2019-09-02 17:54:06 +00:00 · 3e8161f350
commit 3e8161f350
parent dbaebf70b8
2 changed files with 8 additions and 0 deletions
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@ -111,6 +111,10 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established inet6" -j ACCEPT

 -A INPUT -m comment --comment "default drop inet6" -j LOG_DROP
+
+-A FORWARD -m comment --comment "default forward drop inet6" -j LOG_DROP
+
+-A OUTPUT -m comment --comment "default output accept inet6" -j ACCEPT
 COMMIT

 *raw
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
@ -95,6 +95,10 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "accept related/established" -j ACCEPT

 -A INPUT -m comment --comment "default drop" -j LOG_DROP
+
+-A FORWARD -m comment --comment "default forward drop" -j LOG_DROP
+
+-A OUTPUT -m comment --comment "default output accept" -j ACCEPT
 COMMIT

 *raw