From 42cae5591f299af9e1bd57236231688a67ef572c Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 24 Sep 2024 10:35:17 -0700
Subject: [PATCH] bastion: adjust smtp firewall rules for mimecast

Setup things so we accept smtp connections from all the places we currently do, but also from mimecast as incoming emails may come via that. We don't want to globally allow everyone to inject emails here.

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/bastion | 1 +
 .../base/templates/iptables/iptables.bastion | 153 ++++++++++++++++++
 2 files changed, 154 insertions(+)
 create mode 100644 roles/base/templates/iptables/iptables.bastion

diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 9f2ee5b8bf..7a7b67e89d 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -30,6 +30,7 @@ fas_aliases: true
 # fasjson_aliases: false
 fasjson_url: https://fasjson.fedoraproject.org/
+host_group: bastion
 ipa_client_shell_groups:
 - pungi-devel
 - sysadmin-analysis
diff --git a/roles/base/templates/iptables/iptables.bastion b/roles/base/templates/iptables/iptables.bastion
new file mode 100644
index 0000000000..d7f0576ff8
--- /dev/null
+++ b/roles/base/templates/iptables/iptables.bastion
@@ -0,0 +1,153 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT
+# zabbix01
+-A INPUT -p tcp -m tcp --dport 10051 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 10050 -s 10.3.163.198 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'iad2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the iad2 datacenter, both production and staging hosts are in different
+# vlans, and different subnets. However, just as a precaution, we want prod machines to
+# reject connections from any staging host just in case there's some globally enabled port.
+# There are however a few hosts in production we have marked 'staging-friendly'
+# that we do allow staging to talk to for mostly read-only data they need.
+#
+-A INPUT -s 10.3.166.0/24 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.3.167.0/24 -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
+
+{% if vpn %}
+#
+# We want to have all vpn hosts reject most things from the 'less secure' vpn network
+#
+{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
+# Allow all vpn hosts to talk to the log server for rsyslog
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 514 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 25826 -j ACCEPT
+{% endif %}
+{% if inventory_hostname in groups['ipa'] %}
+# Allow all vpn hosts to talk to the ipa servers for auth
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 389 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 464 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 636 -j ACCEPT
+
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 464 -j ACCEPT
+{% endif %}
+# Reject all further connections from less secure vpn
+-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# smtp rules we want to allow vpn and out internal networks and mimecast
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
+# mimecast ips from
+# https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
+-A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.133.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.128.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.129.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.130.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 170.10.131.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 207.211.31.0/25 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 207.211.30.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 205.139.110.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 205.139.111.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 216.205.24.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 63.128.21.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+
+IP Addresses / Network Ranges for Non-SPF Email Traffic
+
+Where messages are being sent from accounts with envelope addresses not registered as internal domains, Mimecast routes through separate ranges.
+Region
+ United States of America (US-Grid) 207.211.30.40 to 207.211.30.49 205.139.111.40 to 205.139.111.49
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies_internal']) %}
+{% if hostvars[proxy]['datacenter'] == "phx2" and 'ansible_eth0' in hostvars[proxy] %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} -j ACCEPT
+{% else %}
+-A INPUT -p tcp -m tcp --dport {{ port }} --src {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} -j ACCEPT
+{% endif %}
+{% endfor %}
+# nagios
+-A INPUT -p tcp -m tcp --dport {{ port }} --src 10.3.163.10 -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+
+{% if nat_rules %}
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+
+{% for rule in nat_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}
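Review bot: The four pasted lines after the `63.128.21.0/24` rule — `IP Addresses / Network Ranges for Non-SPF Email Traffic`, `Where messages are being sent from accounts ...`, `Region` and ` United States of America (US-Grid) 207.211.30.40 to ...` — carry no `#` prefix, so the rendered file is not valid iptables-restore input and the whole filter table, including the closing `-A INPUT -j REJECT --reject-with icmp-host-prohibited`, will fail to load on the bastion (what rules the host is then left with depends on how the role handles a restore failure). Either drop them or make them a comment, e.g. `# Non-SPF ranges 207.211.30.40-49 and 205.139.111.40-49 are already covered by the 207.211.30.0/24 and 205.139.111.0/24 accepts above`. Separately, the VPN SMTP accept `-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 25 -j ACCEPT` is placed after the `{% if vpn %}` block's catch-all `-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited`, so if `vpn` is set for this group it is never reached; it belongs inside that block, ahead of the reject. The `--dport 10051` accept has no `-s` restriction, which is presumably inherited from the base template but is worth confirming for a bastion host.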