diff --git a/files/iptables/iptables b/files/iptables/iptables
index 85f56c1a27..137fef7362 100644
--- a/files/iptables/iptables
+++ b/files/iptables/iptables
@@ -1,15 +1,39 @@
-# Simple static firewall loaded by iptables.service. Replace
-# this with your own custom rules, run lokkit, or switch to
-# shorewall or firewalld as your needs dictate.
+# {{ ansible_managed }}
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+# allow ping and traceroute
 -A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
 -A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
diff --git a/files/iptables/releng b/files/iptables/releng
index 3eb0542d09..eb3d0e3f99 100644
--- a/files/iptables/releng
+++ b/files/iptables/releng
@@ -1,5 +1,5 @@
 #
-# NOTE: Chaging this template updates iptables on all hosts.
+# NOTE: Chaging this template updates iptables on all releng hosts :)
 # Please check with sysadmin-main before pushing out an update here.
 #
 *nat
diff --git a/tasks/koji/base_builder.yml b/tasks/koji/base_builder.yml
index 034c98221b..aa529906b3 100644
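Review bot: The three `{% for %}` loops iterate `tcp_ports`, `udp_ports` and `custom_rules` with no default, so any host or group that leaves one of them undefined makes the template task fail instead of rendering an empty section — unless every inventory group already defines all three, which this diff does not show. Guarding each loop, e.g. `{% for port in tcp_ports|default([]) %}` (and likewise `udp_ports|default([])` and `custom_rules|default([])`), keeps the hosts-without-extra-ports case working. The `custom_rules` loop emits inventory values verbatim into the ruleset, so one malformed entry aborts the whole iptables-restore and a permissive entry silently widens the policy; a comment on that loop stating that these values are trusted as-is and must be reviewed like code would help the next editor. Minor style point: the new established-connections rules use `-m state --state` while the retained ssh rule uses `-m conntrack --ctstate`; settling on one match module for the file reads cleaner.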
--- a/tasks/koji/base_builder.yml +++ b/tasks/koji/base_builder.yml @@ -33,7 +33,7 @@ action: copy src=$files/kojibuilder/ftbfs_auth_keys dest=/home/mockbuilder/.ssh/authorized_keys mode=644 owner=mockbuilder group=mockbuilder - name: iptables - action: copy src=$files/iptables/kojibuilder dest=/etc/sysconfig/iptables mode=600 + action: template src=$files/iptables/kojibuilder dest=/etc/sysconfig/iptables mode=600 notify: - restart iptables diff --git a/tasks/koji/releng_config.yml b/tasks/koji/releng_config.yml index 5d3b56b43e..12683154a9 100644 --- a/tasks/koji/releng_config.yml +++ b/tasks/koji/releng_config.yml @@ -46,7 +46,7 @@ - name: iptables - action: copy src=$files/iptables/releng dest=/etc/sysconfig/iptables mode=600 + action: template src=$files/iptables/releng dest=/etc/sysconfig/iptables mode=600 notify: - restart iptables tags:
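Review bot: `files/iptables/kojibuilder` is switched from `copy` to `template` here but is not touched by this diff, so if that file contains any literal `{{`, `{%` or `{#` sequence it will now be interpreted by Jinja rather than copied through; the same applies to the `releng` source in the releng_config.yml hunk, whose visible head shows no such markers. A quick check of both files before merging would settle it, and a short comment on each task, e.g. `# src is rendered as a Jinja template, not copied verbatim`, would make the change of contract visible to later editors. The releng_config.yml hunk appears to be cut off after `tags:`, so I have only reviewed what is visible.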