iptables: clean up osbuild and add a external block set scaffolding
Set up osbuild so it only needs to exist on the specific builders in the osbuild channel, not all builders. Also, set up things so we can add a blocklist that will block external subnets/IPs if we need to do so. Currently it should just be an empty set, but we can populate it as needed/desired, starting with the IPs we already were blocking on just some hosts. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
parent
7c6fe8c5b8
commit
679f7f6f16
13 changed files with 81 additions and 7 deletions
|
@ -18,6 +18,10 @@ csi_security_category: High
|
|||
#
|
||||
custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
#
|
||||
# Set this to get fasclient cron to make the aliases file
|
||||
#
|
||||
fas_aliases: true
|
||||
|
|
|
@ -20,6 +20,10 @@ csi_relationship: |
|
|||
csi_security_category: High
|
||||
# Neeed for rsync from log01 for logs.
|
||||
custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
fedmsg_certs:
|
||||
- can_send:
|
||||
- ansible.playbook.complete
|
||||
|
|
|
@ -2,6 +2,10 @@
|
|||
blocked_ips: []
|
||||
datacenter: iad2
|
||||
dns: 10.3.163.33
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
host_group: download-iad2
|
||||
# nfs mount options, overrides the all/default
|
||||
nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=4"
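Review bot: `blocked_ips: []` is kept on this host even though the only consumer visible in this commit, the `blocked_ips` loop in the iptables template, is removed in the same change. Unless another role still reads the variable, the key is now dead configuration and should be dropped, or its former intent moved into the new `blocklist` set, so nobody assumes it still blocks anything.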
|
||||
|
|
4
inventory/group_vars/iad2
Normal file
4
inventory/group_vars/iad2
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
# boolean to determine if a host is publically reachable via nat in iad2
|
||||
# by default, hosts are not, only specific hosts/groups are.
|
||||
external: False
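Review bot: `external: False` uses the capitalized YAML 1.1 spelling while the host vars in this commit write `external: true`; use lowercase `false` so the file is consistent and passes yamllint's truthy rule. The comment also has a typo (`publically` → `publicly`) and would help the next reader if it named the consumers, e.g. `# Read by the base iptables tasks and template to decide whether the external blocklist applies; keep it a boolean and test it with | bool.`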
|
|
@ -20,6 +20,10 @@ clamscan_paths:
|
|||
- /srv/cache/lookaside/pkgs
|
||||
# We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
|
||||
# To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
fedmsg_active: True
|
||||
# These are consumed by a task in roles/fedmsg/base/main.yml
|
||||
fedmsg_certs:
|
||||
|
|
|
@ -16,6 +16,10 @@ clamscan_paths:
|
|||
- /srv/cache/lookaside/pkgs
|
||||
# We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
|
||||
# To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
fedmsg_active: True
|
||||
# These are consumed by a task in roles/fedmsg/base/main.yml
|
||||
fedmsg_certs:
|
||||
|
|
|
@ -2,6 +2,10 @@
|
|||
datacenter: iad2
|
||||
eth0_ipv4_gw: 10.3.163.254
|
||||
eth0_ipv4_ip: 10.3.163.33
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
|
||||
ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
|
||||
vmhost: vmhost-x86-01.iad2.fedoraproject.org
|
||||
|
|
|
@ -2,6 +2,10 @@
|
|||
datacenter: iad2
|
||||
eth0_ipv4_gw: 10.3.163.254
|
||||
eth0_ipv4_ip: 10.3.163.34
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
|
||||
ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
|
||||
vmhost: vmhost-x86-02.iad2.fedoraproject.org
|
||||
|
|
|
@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
|
|||
dns_search3: "fedoraproject.org"
|
||||
eth0_ipv4: 10.3.163.74
|
||||
eth0_ipv4_gw: 10.3.163.254
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
freezes: true
|
||||
has_ipv4: yes
|
||||
ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
|
||||
|
|
|
@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
|
|||
dns_search3: "fedoraproject.org"
|
||||
eth0_ipv4: 10.3.163.75
|
||||
eth0_ipv4_gw: 10.3.163.254
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
freezes: true
|
||||
has_ipv4: yes
|
||||
ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/
|
||||
|
|
|
@ -2,6 +2,10 @@
|
|||
datacenter: iad2
|
||||
eth0_ipv4_gw: 10.3.163.254
|
||||
eth0_ipv4_ip: 10.3.163.86
|
||||
#
|
||||
# This host is externally reachable
|
||||
#
|
||||
external: true
|
||||
ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
|
||||
ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
|
||||
lvm_size: 40000
|
||||
|
|
|
@ -152,9 +152,41 @@
|
|||
command: /usr/sbin/ipset create osbuildapi hash:ip
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
when: inventory_hostname.startswith('build')
|
||||
when: "'osbuild' in group_names"
|
||||
tags:
|
||||
- base
|
||||
- iptables
|
||||
|
||||
- name: install blocklist update script
|
||||
copy:
|
||||
src: "{{ private }}/files/blocklist/blocklist-update.sh"
|
||||
dest: /usr/local/bin/blocklist-update.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0700"
|
||||
tags:
|
||||
- base
|
||||
- iptables
|
||||
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
|
||||
|
||||
- name: setup blocklist ipset if this is a new install
|
||||
command: /usr/sbin/ipset create blocklist hash:ip
|
||||
ignore_errors: true
|
||||
changed_when: false
|
||||
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
|
||||
tags:
|
||||
- base
|
||||
- iptables
|
||||
|
||||
- name: setup blocklist update cron job
|
||||
cron:
|
||||
name: blocklist-update
|
||||
user: root
|
||||
minute: 15
|
||||
hour: "*/2"
|
||||
job: /usr/local/bin/blocklist-update.sh
|
||||
when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
|
||||
tags:
|
||||
- packages
|
||||
- base
|
||||
- iptables
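Review bot: The three new `when:` guards compare `external == 'true'` against a string, but every host var in this commit sets `external: true` and the iad2 group default sets `external: False`, both YAML booleans; in Jinja `True == 'true'` is false, so on iad2 the blocklist script, ipset and cron job are never installed on the hosts marked external, while non-iad2 hosts still get them via the `datacenter != 'iad2'` branch. Use the boolean instead: `when: "datacenter != 'iad2' or external | bool"`. Separately, `ipset create blocklist hash:ip` holds single addresses only, while the description says the set is also meant for subnets; `hash:net` accepts CIDR entries, so `command: /usr/sbin/ipset create blocklist hash:net` avoids rejected or expanded prefixes later. The set is created only at runtime here and nothing in the hunk persists it, so unless it is restored elsewhere before iptables loads at boot, the template's `--match-set blocklist` rule would fail to load — worth confirming against how the pre-existing `osbuildapi` set (whose task's `- name:` lies above this hunk) is handled.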
|
||||
|
||||
|
|
|
@ -14,11 +14,9 @@
|
|||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# if the blocked_ips is defined - drop them
|
||||
{% if blocked_ips is defined %}
|
||||
{% for ip in blocked_ips %}
|
||||
-A INPUT -s {{ ip }} -j DROP
|
||||
{% endfor %}
|
||||
# if the host is external, block some ips
|
||||
{% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
|
||||
-A INPUT -p any -m set --match-set blocklist src -j REJECT
|
||||
{% endif %}
|
||||
|
||||
# allow ssh - always
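Review bot: The new condition `hostvars[inventory_hostname].external == 'true'` is a string comparison against a YAML boolean (`external: true` / `external: False` elsewhere in this commit), so it evaluates false on every iad2 host and the blocklist rule is never rendered where it was intended; write `{% if datacenter != 'iad2' or external | bool %}`. The removed `blocked_ips` loop used `-j DROP`, whereas the new rule uses `-j REJECT`, which answers a blocklisted source with an ICMP error and confirms the host is alive; for a blocklist DROP is the usual choice, so `-A INPUT -m set --match-set blocklist src -j DROP`. I would also remove `-p any`: iptables' wildcard protocol keyword is `all` and it is the default anyway, and I am not certain `any` is accepted by iptables-restore, in which case the whole ruleset would fail to load. Note the rule sits after the RELATED,ESTABLISHED accept, so connections already open from a newly listed source survive until they close — probably acceptable, but worth a comment next to the rule.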
|
||||
|
|