And we have lots of iptables changes so we can block things when we want

2016-03-18 22:57:28 +00:00 · 2016-03-18 22:57:28 +00:00 · 134036a9b0
commit 134036a9b0
parent eb44a82979
10 changed files with 73 additions and 0 deletions
--- a/roles/base/templates/iptables/ip6tables
+++ b/roles/base/templates/iptables/ip6tables
@ -17,6 +17,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

--- a/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org
+++ b/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org
@ -33,6 +33,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

@ -80,6 +87,7 @@
 {% endfor %}
 {% endif %}

+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}
--- a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
+++ b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org
@ -30,6 +30,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@ -20,6 +20,14 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+
 # kojipkgs
 -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
--- a/roles/base/templates/iptables/iptables.openstack-compute
+++ b/roles/base/templates/iptables/iptables.openstack-compute
@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

--- a/roles/base/templates/iptables/iptables.osuosl
+++ b/roles/base/templates/iptables/iptables.osuosl
@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh only from needed ips
 # vpn in from tun0
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 192.168.0.0/24 -i tun0 -j ACCEPT
--- a/roles/base/templates/iptables/iptables.releng
+++ b/roles/base/templates/iptables/iptables.releng
@ -34,6 +34,13 @@ COMMIT
 -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.5.126.41  --dport 5666 -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # SSH
 # ssh block against uni in .cz where problem(s) have been cited
 # added by skvidal on jan 24 2011 - as per request from spot
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@ -26,6 +26,13 @@ COMMIT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@ -14,6 +14,13 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
 # allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

@ -80,6 +87,7 @@
 {% endfor %}
 {% endif %}

+
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
 {% for port in tcp_ports %}