vps-set-up-playbook/roles/ufw-opnxng/templates/oracle4.user.rules.j2

*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###

### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT

### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT

### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT

### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT

### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 51820 -j ACCEPT

### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT

### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT

### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 443 -j ACCEPT

### END RULES ###

### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###

### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
Added and fixed some roles 2023-11-13 11:47:39 +08:00			`*filter`
			`:ufw-user-input - [0:0]`
			`:ufw-user-output - [0:0]`
			`:ufw-user-forward - [0:0]`
			`:ufw-before-logging-input - [0:0]`
			`:ufw-before-logging-output - [0:0]`
			`:ufw-before-logging-forward - [0:0]`
			`:ufw-user-logging-input - [0:0]`
			`:ufw-user-logging-output - [0:0]`
			`:ufw-user-logging-forward - [0:0]`
			`:ufw-after-logging-input - [0:0]`
			`:ufw-after-logging-output - [0:0]`
			`:ufw-after-logging-forward - [0:0]`
			`:ufw-logging-deny - [0:0]`
			`:ufw-logging-allow - [0:0]`
			`:ufw-user-limit - [0:0]`
			`:ufw-user-limit-accept - [0:0]`
			`### RULES ###`

			`### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in`
			`-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT`

			`### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in`
			`-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT`

			`### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in`
			`-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT`

			`### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in`
			`-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT`

			`### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in`
			`-A ufw-user-input -p udp --dport 51820 -j ACCEPT`

			`### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in`
			`-A ufw-user-input -p tcp --dport 80 -j ACCEPT`

			`### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in`
			`-A ufw-user-input -p tcp --dport 443 -j ACCEPT`

			`### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in`
			`-A ufw-user-input -p udp --dport 443 -j ACCEPT`

			`### END RULES ###`

			`### LOGGING ###`
			`-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10`
			`-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10`
			`-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10`
			`-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10`
			`-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10`
			`### END LOGGING ###`

			`### RATE LIMITING ###`
			`-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "`
			`-A ufw-user-limit -j REJECT`
			`-A ufw-user-limit-accept -j ACCEPT`
			`### END RATE LIMITING ###`
			`COMMIT`