iptables: clean up osbuild and add a external block set scaffolding

Setup osbuild so it only needs to exist on the specific builders in the osbuild channel, not all builders. Also, setup things so we can add a blocklist that will block external subnets/ip's if we need to do so. Currently it should just be an empty set, but we can implement it as needed/desired starting with the ips we already were blocking on just some hosts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-06-26 12:38:37 -07:00 · 2023-06-26 12:38:37 -07:00 · 679f7f6f16
commit 679f7f6f16
parent 7c6fe8c5b8
13 changed files with 81 additions and 7 deletions
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@ -18,6 +18,10 @@ csi_security_category: High
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
 #
+# This host is externally reachable
+#
+external: true
+#
 # Set this to get fasclient cron to make the aliases file
 #
 fas_aliases: true
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@ -20,6 +20,10 @@ csi_relationship: |
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_certs:
  - can_send:
      - ansible.playbook.complete
--- a/inventory/group_vars/download_iad2
+++ b/inventory/group_vars/download_iad2
@ -2,6 +2,10 @@
 blocked_ips: []
 datacenter: iad2
 dns: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 host_group: download-iad2
 # nfs mount options, overrides the all/default
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=4"
--- a/inventory/group_vars/iad2
+++ b/inventory/group_vars/iad2
@ -0,0 +1,4 @@
+---
+# boolean to determine if a host is publically reachable via nat in iad2
+# by default, hosts are not, only specific hosts/groups are.
+external: False
--- a/inventory/group_vars/pkgs
+++ b/inventory/group_vars/pkgs
@ -20,6 +20,10 @@ clamscan_paths:
  - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/group_vars/pkgs_stg
+++ b/inventory/group_vars/pkgs_stg
@ -16,6 +16,10 @@ clamscan_paths:
  - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
--- a/inventory/host_vars/ns01.iad2.fedoraproject.org
+++ b/inventory/host_vars/ns01.iad2.fedoraproject.org
@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-01.iad2.fedoraproject.org
--- a/inventory/host_vars/ns02.iad2.fedoraproject.org
+++ b/inventory/host_vars/ns02.iad2.fedoraproject.org
@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.34
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-02.iad2.fedoraproject.org
--- a/inventory/host_vars/proxy01.iad2.fedoraproject.org
+++ b/inventory/host_vars/proxy01.iad2.fedoraproject.org
@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.74
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
--- a/inventory/host_vars/proxy10.iad2.fedoraproject.org
+++ b/inventory/host_vars/proxy10.iad2.fedoraproject.org
@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.75
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
--- a/inventory/host_vars/secondary01.iad2.fedoraproject.org
+++ b/inventory/host_vars/secondary01.iad2.fedoraproject.org
@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.86
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
 ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
 lvm_size: 40000
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@ -152,9 +152,41 @@
  command: /usr/sbin/ipset create osbuildapi hash:ip
  ignore_errors: true
  changed_when: false
-  when: inventory_hostname.startswith('build')
+  when: "'osbuild' in group_names"
+  tags:
+    - base
+    - iptables
+
+- name: install blocklist update script
+  copy:
+    src: "{{ private }}/files/blocklist/blocklist-update.sh"
+    dest: /usr/local/bin/blocklist-update.sh
+    owner: root
+    group: root
+    mode: "0700"
+  tags:
+    - base
+    - iptables
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+
+- name: setup blocklist ipset if this is a new install
+  command: /usr/sbin/ipset create blocklist hash:ip
+  ignore_errors: true
+  changed_when: false
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+  tags:
+    - base
+    - iptables
+
+- name: setup blocklist update cron job
+  cron:
+    name: blocklist-update
+    user: root
+    minute: 15
+    hour: "*/2"
+    job: /usr/local/bin/blocklist-update.sh
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
  tags:
-    - packages
    - base
    - iptables

--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@ -14,11 +14,9 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
-{% endfor %}
+# if the host is external, block some ips
+{% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
+-A INPUT -p any -m set --match-set blocklist src -j REJECT
 {% endif %}

 # allow ssh - always