iptables: clean up osbuild and add a external block set scaffolding

Set up osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, set things up so we can add a blocklist that will block external
subnets/IPs if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired, starting with the IPs we
already were blocking on just some hosts.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2023-06-26 12:38:37 -07:00
parent 7c6fe8c5b8
commit 679f7f6f16
13 changed files with 81 additions and 7 deletions


@ -18,6 +18,10 @@ csi_security_category: High
#
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
#
# This host is externally reachable
#
external: true
#
# Set this to get fasclient cron to make the aliases file
#
fas_aliases: true


@ -20,6 +20,10 @@ csi_relationship: |
csi_security_category: High
# Neeed for rsync from log01 for logs.
custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
#
# This host is externally reachable
#
external: true
fedmsg_certs:
- can_send:
- ansible.playbook.complete


@ -2,6 +2,10 @@
blocked_ips: []
datacenter: iad2
dns: 10.3.163.33
#
# This host is externally reachable
#
external: true
host_group: download-iad2
# nfs mount options, overrides the all/default
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=4"


@ -0,0 +1,4 @@
---
# boolean to determine if a host is publically reachable via nat in iad2
# by default, hosts are not, only specific hosts/groups are.
external: False
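Review bot: `external: False` on L65 should be the lowercase `false`, matching the `external: true` the host_vars hunks add and yamllint's `truthy` rule; either spelling is a YAML boolean, not the string `'true'`. The comment on L63 has a typo, `publically` → `publicly`, and would read more clearly as `# Whether this host is publicly reachable via NAT in iad2. Defaults to false; only specific hosts/groups set it to true.`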


@ -20,6 +20,10 @@ clamscan_paths:
- /srv/cache/lookaside/pkgs
# We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
# To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
#
# This host is externally reachable
#
external: true
fedmsg_active: True
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:


@ -16,6 +16,10 @@ clamscan_paths:
- /srv/cache/lookaside/pkgs
# We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
# To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
#
# This host is externally reachable
#
external: true
fedmsg_active: True
# These are consumed by a task in roles/fedmsg/base/main.yml
fedmsg_certs:


@ -2,6 +2,10 @@
datacenter: iad2
eth0_ipv4_gw: 10.3.163.254
eth0_ipv4_ip: 10.3.163.33
#
# This host is externally reachable
#
external: true
ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
vmhost: vmhost-x86-01.iad2.fedoraproject.org


@ -2,6 +2,10 @@
datacenter: iad2
eth0_ipv4_gw: 10.3.163.254
eth0_ipv4_ip: 10.3.163.34
#
# This host is externally reachable
#
external: true
ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
vmhost: vmhost-x86-02.iad2.fedoraproject.org


@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
dns_search3: "fedoraproject.org"
eth0_ipv4: 10.3.163.74
eth0_ipv4_gw: 10.3.163.254
#
# This host is externally reachable
#
external: true
freezes: true
has_ipv4: yes
ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/


@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
dns_search3: "fedoraproject.org"
eth0_ipv4: 10.3.163.75
eth0_ipv4_gw: 10.3.163.254
#
# This host is externally reachable
#
external: true
freezes: true
has_ipv4: yes
ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/


@ -2,6 +2,10 @@
datacenter: iad2
eth0_ipv4_gw: 10.3.163.254
eth0_ipv4_ip: 10.3.163.86
#
# This host is externally reachable
#
external: true
ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
lvm_size: 40000


@ -152,9 +152,41 @@
command: /usr/sbin/ipset create osbuildapi hash:ip
ignore_errors: true
changed_when: false
when: inventory_hostname.startswith('build')
when: "'osbuild' in group_names"
tags:
- base
- iptables
- name: install blocklist update script
copy:
src: "{{ private }}/files/blocklist/blocklist-update.sh"
dest: /usr/local/bin/blocklist-update.sh
owner: root
group: root
mode: "0700"
tags:
- base
- iptables
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
- name: setup blocklist ipset if this is a new install
command: /usr/sbin/ipset create blocklist hash:ip
ignore_errors: true
changed_when: false
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
tags:
- base
- iptables
- name: setup blocklist update cron job
cron:
name: blocklist-update
user: root
minute: 15
hour: "*/2"
job: /usr/local/bin/blocklist-update.sh
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
tags:
- packages
- base
- iptables
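Review bot: The `when:` conditions added on L186, L191 and L202 compare `external == 'true'`, but every hunk that sets the variable uses a YAML boolean (`external: true` in the host_vars, `external: False` in the new group_vars default), and in Jinja `True == 'true'` is false, so on iad2 the blocklist script, ipset and cron job would never reach the hosts this commit marks as external while still reaching every non-iad2 host. Test the boolean instead, e.g. `when: "datacenter != 'iad2' or external | bool"`, which also drops the redundant `datacenter == 'iad2' and` half of the expression. The iptables template hunk has the same comparison in its `{% if %}` on `hostvars[inventory_hostname].external == 'true'` and needs the same change. The cron task also carries a `packages` tag that the two sibling tasks do not, which looks unintended.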


@ -14,11 +14,9 @@
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# if the blocked_ips is defined - drop them
{% if blocked_ips is defined %}
{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
# if the host is external, block some ips
{% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
-A INPUT -p any -m set --match-set blocklist src -j REJECT
{% endif %}
# allow ssh - always
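Review bot: As far as I can tell iptables does not accept `-p any` on L220 (the documented wildcard is `-p all`; anything else is looked up as a protocol name), so the rule would be rejected and, if the file is loaded with iptables-restore, the whole ruleset fails with it; matching every protocol is already the default, so `-A INPUT -m set --match-set blocklist src -j REJECT` is the safe form. The `{% if blocked_ips is defined %}` opened on L214 has no `{% endif %}` visible before the external block begins on L218; confirm it is still closed after the `{% endfor %}`, since the rendered hunk may have dropped lines. The new rule also requires the `blocklist` set to exist whenever the rules are loaded, including at boot before any cron run has created or refreshed it; a missing set fails the restore at this line and leaves the host without its filter rules, so check that the set is created or restored before the ruleset is applied.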