From 6bf8552e7fe3b5d3e4c60308531c87141fdcdb5b Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 25 Mar 2021 10:10:55 -0700
Subject: [PATCH] base / iptables / kojibuilder: add ipa ports for koji builder ipa clients

Note that this will not yet work, it needs the RHIT firewall between vlans opened on these ports first, but after that this is needed to allow them to use those ports.

Signed-off-by: Kevin Fenzi
---
 .../templates/iptables/iptables.kojibuilder | 24 +++++++++++++++----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index 0fd0015dfb..6c2136eee0 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -78,12 +78,26 @@
 -A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
-# for 2 facter auth (fas-all)
--A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 8443 -j ACCEPT
--A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 8443 -j ACCEPT
--A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 8443 -j ACCEPT
--A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 8443 -j ACCEPT
+# ipa client ports
+-A OUTPUT -p tcp -m tcp -d 10.3.163.54 --dport 389 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.55 --dport 389 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.104 --dport 389 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.54 --dport 636 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.55 --dport 636 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.104 --dport 636 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.54 --dport 88 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.55 --dport 88 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.104 --dport 88 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.54 --dport 88 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.55 --dport 88 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.104 --dport 88 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.54 --dport 464 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.55 --dport 464 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.104 --dport 464 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.54 --dport 464 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.55 --dport 464 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.104 --dport 464 -j ACCEPT
 #nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but
 # kinda necessary