Freeze Break Request: Try 2 on iptables block

So the block I wanted was too late in the process. Adding a new
variable and a template to work with.

-- 
Stephen J Smoogen.
From 1da4475134a510681bbfc62ef9ed389d5bcbd986 Mon Sep 17 00:00:00 2001
From: Stephen Smoogen <smooge@xxxxxxxxxx>
Date: Fri, 18 Mar 2016 20:31:07 +0000
Subject: [PATCH 1/2] make an iptables set for download-phx2

---
 .../base/templates/iptables/iptables.download-phx2 | 114 +++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 roles/base/templates/iptables/iptables.download-phx2

diff --git a/roles/base/templates/iptables/iptables.download-phx2 b/roles/base/templates/iptables/iptables.download-phx2
new file mode 100644
index 0000000..e876c53
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.download-phx2
@@ -0,0 +1,114 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same 
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in 
+# production we have marked 'staging-friendly' that we do allow staging to talk to for 
+# mostly read-only data they need.
+#
+{% for host in groups['staging']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
+#
+# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group 
+# to block all access from that group. This is to protect them from any possible attack 
+# vectors from qa-isolated machines.
+#
+# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
+-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
+{% for host in groups['qa-isolated']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the block_hosts is defined - drop them
+{% if block_hosts is defined %}
+{% for ip in block_hosts %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
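Review bot: the `block_hosts` DROP loop (the `# if the block_hosts is defined - drop them` section) is evaluated after `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` and after the unconditional port 22 ACCEPT, so a listed address keeps any connection it already has open and can still reach ssh; only new connections to the later `tcp_ports`/`udp_ports` loops are actually dropped. If the intent of the cover message ("the block I wanted was too late") is to cut these hosts off entirely, move the loop up to just after `-A INPUT -i lo -j ACCEPT`, before the state and conntrack accepts. Two smaller points in the same file: the comment in the phx2 staging section reads `connectons`, and the rules mix `-m state --state` with `-m conntrack --ctstate`; picking one match module keeps the template consistent.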
-- 
1.8.3.1

From 07623cfffae1bb52ed7a6822a1053db6aa897a0a Mon Sep 17 00:00:00 2001
From: Stephen Smoogen <smooge@xxxxxxxxxx>
Date: Fri, 18 Mar 2016 20:36:52 +0000
Subject: [PATCH 2/2] and put in items for the rules

---
 inventory/group_vars/download-phx2                   | 3 ++-
 roles/base/templates/iptables/iptables.download-phx2 | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/inventory/group_vars/download-phx2 b/inventory/group_vars/download-phx2
index e44d0e0..16bcc2d 100644
--- a/inventory/group_vars/download-phx2
+++ b/inventory/group_vars/download-phx2
@@ -8,4 +8,5 @@ nrpe_procs_crit: 1000
 # nfs mount options, overrides the all/default
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=3"
 
-custom_rules: [ '-A INPUT -s 143.106.60.118 -j DROP', '-A INPUT -s 143.106.60.112 -j DROP',   '-A INPUT -s 169.53.165.245 -j DROP', '-A INPUT -s 46.29.92.6 -j DROP', '-A INPUT -s 198.11.167.9 -j DROP', '-A INPUT -s 103.193.116.147 -j DROP', '-A INPUT -s 69.47.68.211 -j DROP' ]
+blocked_ips: ['143.106.60.118', '143.106.60.112', '169.53.165.245', '46.29.92.6', '198.11.167.9', '103.193.116.147', '69.47.68.211']
+
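Review bot: the variable introduced here is `blocked_ips`, but the template added in PATCH 1/2 iterates over `block_hosts`, so with only this hunk applied the list is never consumed (`blocked_ips is defined` is not tested anywhere) and the addresses that were previously dropped via `custom_rules` are no longer blocked at all until the template hunk later in this patch lands; folding the rename into the template commit avoids that window. Also, the new `+blocked_ips: [...]` line is followed by an added blank line at end of file, and a one-address-per-line YAML list (`- 143.106.60.118`) would make future additions and removals show up as single-line diffs instead of edits to one long line.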
diff --git a/roles/base/templates/iptables/iptables.download-phx2 b/roles/base/templates/iptables/iptables.download-phx2
index e876c53..9047ba1 100644
--- a/roles/base/templates/iptables/iptables.download-phx2
+++ b/roles/base/templates/iptables/iptables.download-phx2
@@ -80,9 +80,9 @@
 {% endfor %}
 {% endif %}
 
-# if the block_hosts is defined - drop them
-{% if block_hosts is defined %}
-{% for ip in block_hosts %}
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
 -A INPUT -s {{ ip }} -j DROP
 {% endfor %}
 {% endif %}
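Review bot: the rename to `blocked_ips` now matches inventory/group_vars/download-phx2, but the loop stays at the same position in the template (after the `RELATED,ESTABLISHED` ACCEPT and the port 22 ACCEPT), so the ordering concern from the cover message is only partly addressed: new connections from these addresses to `tcp_ports` are dropped, existing connections and ssh are not. Suggest squashing this rename into PATCH 1/2 so the template never ships with the mismatched `block_hosts` name, and tightening the comment to `# if blocked_ips is defined - drop them`.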
-- 
1.8.3.1

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
