And we have a lot of small fixes which. -- Stephen J Smoogen.
From 134036a9b0bcb4b9dca0c4195a8e4e3d438ab3a1 Mon Sep 17 00:00:00 2001
From: Stephen Smoogen <smooge@xxxxxxxxxx>
Date: Fri, 18 Mar 2016 22:57:28 +0000
Subject: [PATCH] And we have lots of iptables changes so we can block things when we want
---
 roles/base/templates/iptables/ip6tables | 7 +++++++
 .../templates/iptables/ip6tables.jenkins.fedorainfracloud.org | 7 +++++++
 roles/base/templates/iptables/iptables | 8 ++++++++
 .../base/templates/iptables/iptables.jenkins.fedorainfracloud.org | 7 +++++++
 roles/base/templates/iptables/iptables.kojibuilder | 8 ++++++++
 roles/base/templates/iptables/iptables.openstack-compute | 7 +++++++
 roles/base/templates/iptables/iptables.osuosl | 7 +++++++
 roles/base/templates/iptables/iptables.releng | 7 +++++++
 roles/base/templates/iptables/iptables.staging | 7 +++++++
 .../base/templates/iptables/iptables.torrent02.fedoraproject.org | 8 ++++++++
 10 files changed, 73 insertions(+)
diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables
index 49db2f7..add78a7 100644
--- a/roles/base/templates/iptables/ip6tables
+++ b/roles/base/templates/iptables/ip6tables
@@ -17,6 +17,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
diff --git a/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org b/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org
index 066f360..92be2a5 100644
--- a/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org
+++ b/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org
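Review bot: The new `-A INPUT -s {{ ip }} -j DROP` loop in the ip6tables hunk is emitted after the `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` line, so a host added to blocked_ips keeps every connection it already has open and is only refused new ones; if the intent is to cut a source off immediately, the loop should be rendered before the state ACCEPT rules (the same ordering is used in the other nine files of this patch, and in iptables.releng the block additionally follows the two port-5666 ACCEPT lines). The one blocked_ips list is also rendered into both the iptables and ip6tables templates; an IPv4 entry in an ip6tables template (or a v6 entry in iptables) produces an `-A` line that the restore tool rejects, which can leave the host without the rest of its ruleset loaded rather than with one bad rule skipped. Either maintain separate v4 and v6 lists, or, if the Ansible version in use provides them, pass each loop through the `ipv4` / `ipv6` filters so only matching entries are rendered. A one-line comment above the loop noting that entries must match the address family of the file would make the constraint visible to whoever edits the group vars.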
@@ -33,6 +33,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 4e42a83..f3ebf69 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
@@ -80,6 +87,7 @@
 {% endfor %}
 {% endif %}
+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}
diff --git a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
index 1cbe721..30f7b56 100644
--- a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
+++ b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
@@ -30,6 +30,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index ee1462b..1600b74 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -20,6 +20,14 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+
 # kojipkgs
 -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.openstack-compute b/roles/base/templates/iptables/iptables.openstack-compute
index 3b7b11b..f8b1049 100644
--- a/roles/base/templates/iptables/iptables.openstack-compute
+++ b/roles/base/templates/iptables/iptables.openstack-compute
@@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl
index 9efba77..44ddbad 100644
--- a/roles/base/templates/iptables/iptables.osuosl
+++ b/roles/base/templates/iptables/iptables.osuosl
@@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh only from needed ips
 # vpn in from tun0
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 192.168.0.0/24 -i tun0 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.releng b/roles/base/templates/iptables/iptables.releng
index 7a27e0c..7a26944 100644
--- a/roles/base/templates/iptables/iptables.releng
+++ b/roles/base/templates/iptables/iptables.releng
@@ -34,6 +34,13 @@ COMMIT
 -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # SSH
 # ssh block against uni in .cz where problem(s) have been cited
 # added by skvidal on jan 24 2011 - as per request from spot
diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
index fbd082e..a0e32ff 100644
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@@ -26,6 +26,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
index dedc782..56b3240 100644
--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
@@ -80,6 +87,7 @@
 {% endfor %}
 {% endif %}
+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}
-- 
1.8.3.1