From 55cc28c3b1badcfd711e51a1f2f6b0da118b8294 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 19 Mar 2021 09:24:14 -0700
Subject: [PATCH] base / iptables: Add rules to block staging networks on prod hosts

In IAD2 the prod and stg hosts are on different VLANs, so we thought we didn't need this. However, we are still seeing some odd mixing of prod and stg fedmsgs, so likely some fedmsg port has become enabled across all the VLANs. In any case this should do no harm, it just adds 2 subnets on all prod hosts to block staging, except for a small number of staging_friendly hosts (in the staging_friendly ansible group).

Signed-off-by: Kevin Fenzi
---
 roles/base/templates/iptables/iptables | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 8b879523c3..c0b7b73b69 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -33,15 +33,16 @@ -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT -{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %} +{% if env != 'staging' and datacenter == 'iad2' and inventory_hostname not in groups['staging_friendly'] %} # -# In the phx2 datacenter, both production and staging hosts are in the same -# vlan, but different subnets. We want production hosts to reject connectons from staging group hosts -# to prevent them from interfering with production. There are however a few hosts in -# production we have marked 'staging-friendly' that we do allow staging to talk to for -# mostly read-only data they need. +# In the iad2 datacenter, both production and staging hosts are in different +# vlans, and different subnets. However, just as a precaution, we want prod machines to +# reject connections from any staging host just in case there's some globally enabled port. +# There are however a few hosts in production we have marked 'staging-friendly' +# that we do allow staging to talk to for mostly read-only data they need. # - +-A INPUT -s 10.3.166.0/24 -j REJECT --reject-with icmp-host-prohibited +-A INPUT -s 10.3.167.0/24 -j REJECT --reject-with icmp-host-prohibited {% endif %} # if the host declares a fedmsg-enabled wsgi app, open ports for it
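Review bot: the two new REJECT rules land below the `-A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT` context line, so that host keeps NRPE access to prod even though 10.3.166.0/24 is now rejected as a whole; please confirm that is intended, because every other packet from that address will now be refused. The rules also match all traffic from those subnets, not just new connections, so prod-initiated connections to staging (and their reply packets) only keep working if an ESTABLISHED,RELATED accept sits earlier in the chain than this block, which the hunk does not show; a sentence in the new comment stating that ordering dependency would help the next person who moves rules around. Two smaller points: the subnets are hard-coded in the template, and a group variable listing the staging networks would keep them beside the `staging_friendly` group definition and make adding a third subnet a one-line change; and these are IPv4-only rules, so any IPv6 path between the VLANs is not covered by this change. Finally, the new comment reads "both production and staging hosts are in different vlans, and different subnets", which is clearer as "production and staging hosts are on different VLANs and subnets".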