diff --git a/roles/base/templates/iptables/ip6tables b/roles/base/templates/iptables/ip6tables index 49db2f7851..add78a738a 100644 --- a/roles/base/templates/iptables/ip6tables +++ b/roles/base/templates/iptables/ip6tables @@ -17,6 +17,13 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT diff --git a/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org b/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org index 066f3609e5..92be2a5297 100644 --- a/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org +++ b/roles/base/templates/iptables/ip6tables.jenkins.fedorainfracloud.org @@ -33,6 +33,13 @@ COMMIT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables index 4e42a834d0..f3ebf69651 100644 --- a/roles/base/templates/iptables/iptables +++ b/roles/base/templates/iptables/iptables @@ -14,6 +14,13 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT @@ -80,6 +87,7 @@ {% endfor %} {% endif %} + # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} {% for port in tcp_ports %} diff --git a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org index 1cbe7212fa..30f7b56a4e 100644 --- a/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org +++ b/roles/base/templates/iptables/iptables.jenkins.fedorainfracloud.org @@ -30,6 +30,13 @@ COMMIT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder index ee1462b3a0..1600b746e1 100644 --- a/roles/base/templates/iptables/iptables.kojibuilder +++ b/roles/base/templates/iptables/iptables.kojibuilder @@ -20,6 +20,14 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + + # kojipkgs -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables.openstack-compute b/roles/base/templates/iptables/iptables.openstack-compute index 3b7b11bf17..f8b1049cfa 100644 --- a/roles/base/templates/iptables/iptables.openstack-compute +++ b/roles/base/templates/iptables/iptables.openstack-compute @@ -14,6 +14,13 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl index 9efba777f6..44ddbad10d 100644 --- a/roles/base/templates/iptables/iptables.osuosl +++ b/roles/base/templates/iptables/iptables.osuosl @@ -14,6 +14,13 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh only from needed ips # vpn in from tun0 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 192.168.0.0/24 -i tun0 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables.releng b/roles/base/templates/iptables/iptables.releng index 7a27e0cb1f..7a26944be7 100644 --- a/roles/base/templates/iptables/iptables.releng +++ b/roles/base/templates/iptables/iptables.releng @@ -34,6 +34,13 @@ COMMIT -A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # SSH # ssh block against uni in .cz where problem(s) have been cited # added by skvidal on jan 24 2011 - as per request from spot diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging index fbd082e4ff..a0e32ffe12 100644 --- a/roles/base/templates/iptables/iptables.staging +++ b/roles/base/templates/iptables/iptables.staging @@ -26,6 +26,13 @@ COMMIT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT diff --git a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org index dedc782570..56b3240650 100644 --- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org +++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org @@ -14,6 +14,13 @@ -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +-A INPUT -s {{ ip }} -j DROP +{% endfor %} +{% endif %} + # allow ssh - always -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT @@ -80,6 +87,7 @@ {% endfor %} {% endif %} + # if the host/group defines incoming tcp_ports - allow them {% if tcp_ports is defined %} {% for port in tcp_ports %}