Re: Freeze break request: create production docker iptables file

+1 from me. If it doesn't work, it won't break anything else, it would seem.

On 17 August 2016 at 13:48, Patrick Uiterwijk <puiterwijk@xxxxxxxxxx> wrote:
> Hi,
>
> So, this seems to have never been picked up, and I'm guessing the
> blocking didn't work before or it wasn't tested before (either way,
> it's my fault, for which I'm sorry).
>
> Can I get +1s to add the production version of the osbs-master iptables rules?
>
> The actual changes are just a duplicate of the file to prod and
> updating the IP addresses in there.
>
>
>
> commit bb4b4696f99da9b202e454874ee492ceed54a3d9
> Author: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
> Date:   Wed Aug 17 17:43:54 2016 +0000
>
>     Create production docker iptables script
>
>     Signed-off-by: Patrick Uiterwijk <puiterwijk@xxxxxxxxxx>
>
> diff --git a/roles/osbs-master/files/fix-docker-iptables
> b/roles/osbs-master/files/fix-docker-iptables
> deleted file mode 100644
> index c204f74..0000000
> --- a/roles/osbs-master/files/fix-docker-iptables
> +++ /dev/null
> @@ -1,54 +0,0 @@
> -#!/bin/bash -xe
> -# Note: this is done as a script because it needs to be run after
> -# every docker service restart.
> -# And just doing an iptables-restore is going to mess up kubernetes'
> -# NAT table.
> -
> -# Delete all old rules
> -iptables --flush FORWARD
> -
> -# Re-insert some basic rules
> -iptables -A FORWARD -o docker0 -j DOCKER
> -iptables -A FORWARD -o docker0 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> -iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
> -
> -# Now insert access to allowed boxes
> -# docker-registry
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport
> 443 -j ACCEPT
> -
> -#koji.fp.o
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport
> 443 -j ACCEPT
> -
> -# pkgs.stg
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 9418 -j ACCEPT
> -
> -# DNS
> -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport
> 53 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport
> 53 -j ACCEPT
> -
> -# mirrors.fp.o
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport
> 443 -j ACCEPT
> -
> -# dl.phx2
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 443 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 80 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 443 -j ACCEPT
> -
> -
> -# Docker is CRAZY and forces Google DNS upon us.....
> -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
> -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
> -
> -iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> -
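Review bot: this hunk and the `fix-docker-iptables.staging` hunk below carry the same blob (`index c204f74..0000000` here, `index 0000000..c204f74` there), so this is a rename presented as a delete plus an add; using `git mv`, or generating the diff with `-M`, would show it as a rename and leave only the production file and the task change to read.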
> diff --git a/roles/osbs-master/files/fix-docker-iptables.production
> b/roles/osbs-master/files/fix-docker-iptables.production
> new file mode 100644
> index 0000000..fc84186
> --- /dev/null
> +++ b/roles/osbs-master/files/fix-docker-iptables.production
> @@ -0,0 +1,54 @@
> +#!/bin/bash -xe
> +# Note: this is done as a script because it needs to be run after
> +# every docker service restart.
> +# And just doing an iptables-restore is going to mess up kubernetes'
> +# NAT table.
> +
> +# Delete all old rules
> +iptables --flush FORWARD
> +
> +# Re-insert some basic rules
> +iptables -A FORWARD -o docker0 -j DOCKER
> +iptables -A FORWARD -o docker0 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
> +
> +# Now insert access to allowed boxes
> +# docker-registry
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport
> 443 -j ACCEPT
> +
> +#koji.fp.o
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport
> 443 -j ACCEPT
> +
> +# pkgs
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport
> 9418 -j ACCEPT
> +
> +# DNS
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport
> 53 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport
> 53 -j ACCEPT
> +
> +# mirrors.fp.o
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport
> 443 -j ACCEPT
> +
> +# dl.phx2
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 443 -j ACCEPT
> +
> +
> +# Docker is CRAZY and forces Google DNS upon us.....
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
> +
> +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> +
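Review bot: the script fails open if it stops part way: `iptables --flush FORWARD` removes the trailing `REJECT` first, and with `-e` from `#!/bin/bash -xe` any later command that fails (for example the `-j DOCKER` append when docker has not yet created the DOCKER chain) exits the script with FORWARD flushed and no terminal REJECT, leaving the chain's default policy to decide what containers may reach. Consider `iptables -P FORWARD DROP` before the flush so a partial run still ends closed.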
> diff --git a/roles/osbs-master/files/fix-docker-iptables.staging
> b/roles/osbs-master/files/fix-docker-iptables.staging
> new file mode 100644
> index 0000000..c204f74
> --- /dev/null
> +++ b/roles/osbs-master/files/fix-docker-iptables.staging
> @@ -0,0 +1,54 @@
> +#!/bin/bash -xe
> +# Note: this is done as a script because it needs to be run after
> +# every docker service restart.
> +# And just doing an iptables-restore is going to mess up kubernetes'
> +# NAT table.
> +
> +# Delete all old rules
> +iptables --flush FORWARD
> +
> +# Re-insert some basic rules
> +iptables -A FORWARD -o docker0 -j DOCKER
> +iptables -A FORWARD -o docker0 -m conntrack --ctstate
> RELATED,ESTABLISHED -j ACCEPT
> +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
> +
> +# Now insert access to allowed boxes
> +# docker-registry
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport
> 443 -j ACCEPT
> +
> +#koji.fp.o
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport
> 443 -j ACCEPT
> +
> +# pkgs.stg
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport
> 9418 -j ACCEPT
> +
> +# DNS
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport
> 53 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport
> 53 -j ACCEPT
> +
> +# mirrors.fp.o
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport
> 443 -j ACCEPT
> +
> +# dl.phx2
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport
> 443 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 80 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport
> 443 -j ACCEPT
> +
> +
> +# Docker is CRAZY and forces Google DNS upon us.....
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
> +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
> +
> +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> +
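Review bot: this file and `fix-docker-iptables.production` differ only in the docker-registry, koji and pkgs destination addresses, so two hand-maintained copies will drift; an Ansible `template` with those three addresses as per-environment variables would keep a single rule set. Separately, since the internal resolvers 10.5.126.21 and 10.5.126.22 are already allowed, pointing dockerd at them with `--dns` would make the 8.8.8.8 and 8.8.4.4 rules unnecessary and close an outbound UDP/53 path to the internet.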
> diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml
> index bb622d9..d0b0c25 100644
> --- a/roles/osbs-master/tasks/main.yml
> +++ b/roles/osbs-master/tasks/main.yml
> @@ -126,7 +126,7 @@
>    when: osbs_export_dir is defined
>
>  - name: copy docker iptables script
> -  copy: src=fix-docker-iptables
> dest=/usr/local/bin/fix-docker-iptables mode=0755
> +  copy: src="fix-docker-iptables.{{ env }}"
> dest=/usr/local/bin/fix-docker-iptables mode=0755
>
>  - name: copy docker service config
>    copy: src=docker.service dest=/etc/systemd/system/docker.service
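Review bot: `src="fix-docker-iptables.{{ env }}"` makes the task fail when `env` is undefined or is anything other than `production` or `staging`, since no matching file exists; that is the safe direction (nothing is installed rather than the wrong rules), but an explicit check such as `assert: that: env in ['production', 'staging']` earlier in the role would make the failure obvious. The script header says it must run after every docker restart, and the next task installs docker.service, so confirm that unit actually invokes /usr/local/bin/fix-docker-iptables (for example via `ExecStartPost=`), otherwise the rules disappear at the next restart.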
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx



-- 
Stephen J Smoogen.