ldap ports auf 0.0.0.0 binden und per iptables blocken

webserver/docker_ldap/tasks/main.yml

@@ -50,8 +50,8 @@
       LDAP_READONLY_USER_USERNAME: readonly
       LDAP_READONLY_USER_PASSWORD: "{{ ldap_readonly_pass }}"
     ports:
-      - 127.0.0.1:389:389
-      - 127.0.0.1:636:636
+      - 0.0.0.0:389:389
+      - 0.0.0.0:636:636
       
 - name: start phpldapadmin docker
   docker_container: 

webserver/iptables/tasks/main.yml

+
+- name: Konfiguration erstellen 
+  template: src=rc.local dest=/etc/rc.local mode=o+x
+

webserver/iptables/templates/rc.local

+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
+iptables -I FORWARD -p tcp -m tcp --dport 389 -j REJECT --reject-with icmp-port-unreachable
+iptables -I FORWARD -p tcp -m tcp --dport 636 -j REJECT --reject-with icmp-port-unreachable
+iptables -I FORWARD -s 127.0.0.0/8 -p tcp -m tcp --dport 636 -j ACCEPT
+iptables -I FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 636 -j ACCEPT
+iptables -I FORWARD -s 172.17.0.0/24 -p tcp -m tcp --dport 636 -j ACCEPT
+iptables -I FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
+iptables -I FORWARD -s 127.0.0.0/8 -p tcp -m tcp --dport 389 -j ACCEPT
+iptables -I FORWARD -s 172.17.0.0/24 -p tcp -m tcp --dport 389 -j ACCEPT
+
+exit 0

webserver/main.yml

@@ -3,6 +3,7 @@
 - hosts: webserver
   remote_user: root
   roles:
+    - { role: iptables, tags: iptables }
     - { role: nginx, tags: nginx }
     - { role: openvpn, tags: openvpn }
     - { role: docker, tags: docker }