From 80aa4bbbc2ec45c0ea6f6f3b5e36191273ac1677 Mon Sep 17 00:00:00 2001 
From: James Antill
Date: Fri, 4 Oct 2024 16:46:26 -0400
Subject: [PATCH] Initial version of iptables to nftables conversion.

---
 inventory/group_vars/all | 2 +
 inventory/group_vars/autosign | 1 +
 inventory/group_vars/autosign_hardware | 1 +
 inventory/group_vars/bastion | 3 +
 inventory/group_vars/bastion_stg | 3 +
 inventory/group_vars/batcave | 3 +
 inventory/group_vars/bodhi_backend | 1 +
 inventory/group_vars/bodhi_backend_stg | 1 +
 inventory/group_vars/certgetter | 3 +
 inventory/group_vars/certgetter_stg | 3 +
 inventory/group_vars/copr_keygen_aws | 5 +
 inventory/group_vars/copr_keygen_dev_aws | 5 +
 inventory/group_vars/github2fedmsg | 3 +
 inventory/group_vars/github2fedmsg_stg | 3 +
 inventory/group_vars/ipa | 1 +
 inventory/group_vars/ipsilon | 3 +
 inventory/group_vars/ipsilon_stg | 3 +
 inventory/group_vars/kernel_qa | 1 +
 inventory/group_vars/koji | 4 +
 inventory/group_vars/kojipkgs | 4 +
 inventory/group_vars/openqa_tap_workers | 4 +
 inventory/group_vars/os_proxies | 6 +
 inventory/group_vars/pagure | 5 +
 inventory/group_vars/people | 1 +
 inventory/group_vars/proxies | 26 +++
 inventory/group_vars/proxies_stg | 24 +++
 inventory/group_vars/rabbitmq | 8 +
 inventory/group_vars/rabbitmq_stg | 8 +
 inventory/group_vars/repospanner_temp | 9 +
 inventory/group_vars/retrace | 3 +
 inventory/group_vars/value | 9 +
 inventory/group_vars/value_stg | 10 +
 .../host_vars/db-fas01.iad2.fedoraproject.org | 12 ++
 .../db-fas01.stg.iad2.fedoraproject.org | 2 +
 .../db-koji01.iad2.fedoraproject.org | 5 +
 .../db-koji01.stg.iad2.fedoraproject.org | 1 +
 .../host_vars/db01.iad2.fedoraproject.org | 1 +
 .../host_vars/db01.stg.iad2.fedoraproject.org | 1 +
 .../host_vars/noc01.iad2.fedoraproject.org | 5 +
 roles/base/templates/nftables/nf6tables | 58 +++++
 roles/base/templates/nftables/nftables | 127 +++++++++++
 .../templates/nftables/nftables.kojibuilder | 202 ++++++++++++++++++
 roles/base/templates/nftables/nftables.osuosl | 61 ++++++
 roles/base/templates/nftables/nftables.releng | 87 ++++++++
 roles/base/templates/nftables/nftables.sign | 22 ++
 .../base/templates/nftables/nftables.staging | 75 +++++++
 ...nftables.storinator01.fedorainfracloud.org | 89 ++++++++
 .../nftables.torrent02.fedoraproject.org | 94 ++++++++
 .../templates/osbuildapi-update-nft.sh | 32 +++
 49 files changed, 1040 insertions(+)
 create mode 100644 roles/base/templates/nftables/nf6tables
 create mode 100644 roles/base/templates/nftables/nftables
 create mode 100644 roles/base/templates/nftables/nftables.kojibuilder
 create mode 100644 roles/base/templates/nftables/nftables.osuosl
 create mode 100644 roles/base/templates/nftables/nftables.releng
 create mode 100644 roles/base/templates/nftables/nftables.sign
 create mode 100644 roles/base/templates/nftables/nftables.staging
 create mode 100644 roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org
 create mode 100644 roles/base/templates/nftables/nftables.torrent02.fedoraproject.org
 create mode 100644 roles/koji_builder/templates/osbuildapi-update-nft.sh

diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 402d7d0e01..65259cf693 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -97,6 +97,8 @@ csi_relationship: |
 csi_security_category: Unspecified
 custom6_rules: []
 custom_rules: []
+nft_custom6_rules: []
+nft_custom_rules: []
 # most of our systems are in IAD2
 datacenter: iad2
 # These are used to:
diff --git a/inventory/group_vars/autosign b/inventory/group_vars/autosign
index 2b06041e9a..d4df4cea07 100644
--- a/inventory/group_vars/autosign
+++ b/inventory/group_vars/autosign
@@ -18,6 +18,7 @@ csi_security_category: High
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 fedmsg_error_recipients: []
 host_group: autosign
 ipa_client_shell_groups:
diff --git a/inventory/group_vars/autosign_hardware b/inventory/group_vars/autosign_hardware
index 767f52c912..e7d8154757 100644
--- a/inventory/group_vars/autosign_hardware
+++ b/inventory/group_vars/autosign_hardware
@@ -2,4 +2,5 @@
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 host_group: autosign
diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index c9f08e2da2..d54027edf8 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -17,6 +17,9 @@ csi_security_category: High
 # allow ntp from internal RH 10 nets
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited'
+ - 'add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 123 counter accept'
 #
 # This host is externally reachable
 #
diff --git a/inventory/group_vars/bastion_stg b/inventory/group_vars/bastion_stg
index 49d4f8633f..86558e5154 100644
--- a/inventory/group_vars/bastion_stg
+++ b/inventory/group_vars/bastion_stg
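Review bot: Every `nft_custom_rules` entry in this patch is an `add rule ip filter INPUT …` statement, and `add rule` appends to the end of the named chain, so whether these allows ever match depends on where the new base template (roles/base/templates/nftables/nftables, not in this chunk) emits the list relative to the chain's terminal reject/drop; the iptables `custom_rules` were placed by the old template, and presumably the nft list must be emitted at the same point rather than after a final reject. The `nft_custom_rules: []` default in group_vars/all would be the natural place to state that contract, e.g. `# nft statements for the ip filter INPUT chain; the base nftables template must emit these before its terminal reject`. The same consideration applies to the bastion, batcave, bodhi_backend, certgetter, copr_keygen, github2fedmsg, ipa, ipsilon, kernel_qa, koji, kojipkgs, openqa_tap_workers, os_proxies, pagure, people, proxies, rabbitmq, repospanner_temp, retrace, value and host_vars hunks in this patch.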
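Review bot: The bastion reject rule normalises the iptables source `192.168.100/24` to `192.168.100.0/24`; the abbreviated form in the iptables string is ambiguous (address parsers differ on whether a three-octet literal expands to 192.168.100.0 or 192.168.0.100), so the translated rule may reject a different range than the one the live iptables ruleset currently enforces. Compare with the loaded ruleset (`iptables -S INPUT` on the host) before cutting over, and fix the iptables string to the explicit `192.168.100.0/24` so both variants agree, e.g. `custom_rules: ['-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited', …]`. bastion_stg carries the same pair of rules.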
@@ -28,6 +28,9 @@ csi_security_category: High
 # allow ntp from internal RH 10 nets
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited'
+ - 'add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 123 counter accept'
 #
 # Set this to get fasjson-client cron to make the aliases file
 #
diff --git a/inventory/group_vars/batcave b/inventory/group_vars/batcave
index a967f1523f..c8962e8a64 100644
--- a/inventory/group_vars/batcave
+++ b/inventory/group_vars/batcave
@@ -20,6 +20,9 @@ csi_relationship: |
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 #
 # This host is externally reachable
 #
diff --git a/inventory/group_vars/bodhi_backend b/inventory/group_vars/bodhi_backend
index 53b774f583..22cd483566 100644
--- a/inventory/group_vars/bodhi_backend
+++ b/inventory/group_vars/bodhi_backend
@@ -7,6 +7,7 @@ bodhi_message_routing_keys:
 # Make connections from signing bridges stateless, they break sigul connections
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.5.125.71 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.5.125.71 tcp sport 44334 counter accept']
 host_group: bodhi2
 ipa_client_shell_groups:
 - sysadmin-bodhi
diff --git a/inventory/group_vars/bodhi_backend_stg b/inventory/group_vars/bodhi_backend_stg
index 28d9c523e4..3e18a13eec 100644
--- a/inventory/group_vars/bodhi_backend_stg
+++ b/inventory/group_vars/bodhi_backend_stg
@@ -30,6 +30,7 @@ csi_security_category: Moderate
 # https://bugzilla.redhat.com/show_bug.cgi?id=1283364
 # this is sign-bridge01.iad2 ip 10.3.169.120
 custom_rules: ['-A INPUT --proto tcp --sport 44334 --source 10.3.169.120 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.169.120 tcp sport 44334 counter accept']
 host_group: bodhi2
 ipa_client_shell_groups:
 - sysadmin-bodhi
diff --git a/inventory/group_vars/certgetter b/inventory/group_vars/certgetter
index ff0224b0b9..e07c67809f 100644
--- a/inventory/group_vars/certgetter
+++ b/inventory/group_vars/certgetter
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 lvm_size: 20000
 mem_size: 2048
 num_cpus: 2
diff --git a/inventory/group_vars/certgetter_stg b/inventory/group_vars/certgetter_stg
index b5b6c5fae8..e573af21a8 100644
--- a/inventory/group_vars/certgetter_stg
+++ b/inventory/group_vars/certgetter_stg
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 lvm_size: 20000
 mem_size: 2048
 num_cpus: 2
diff --git a/inventory/group_vars/copr_keygen_aws b/inventory/group_vars/copr_keygen_aws
index c9aa2e0e55..550c45af60 100644
--- a/inventory/group_vars/copr_keygen_aws
+++ b/inventory/group_vars/copr_keygen_aws
@@ -8,6 +8,11 @@ custom_rules:
 - '-A INPUT -p tcp -m tcp -s 52.44.175.77 --dport 5167 -j ACCEPT'
 - '-A INPUT -p tcp -m tcp -s 172.30.2.145 --dport 80 -j ACCEPT'
 - '-A INPUT -p tcp -m tcp -s 172.30.2.145 --dport 5167 -j ACCEPT'
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 52.44.175.77 tcp dport 80 counter accept'
+ - 'add rule ip filter INPUT ip saddr 52.44.175.77 tcp dport 5167 counter accept'
+ - 'add rule ip filter INPUT ip saddr 172.30.2.145 tcp dport 80 counter accept'
+ - 'add rule ip filter INPUT ip saddr 172.30.2.145 tcp dport 5167 counter accept'
 freezes: false
 tcp_ports: [22,
 # node_exporter/prometheus
diff --git a/inventory/group_vars/copr_keygen_dev_aws b/inventory/group_vars/copr_keygen_dev_aws
index e1da670fb5..568d57b38a 100644
--- a/inventory/group_vars/copr_keygen_dev_aws
+++ b/inventory/group_vars/copr_keygen_dev_aws
@@ -8,6 +8,11 @@ custom_rules:
 - '-A INPUT -p tcp -m tcp -s 172.30.2.173 --dport 5167 -j ACCEPT'
 - '-A INPUT -p tcp -m tcp -s 18.208.10.131 --dport 80 -j ACCEPT'
 - '-A INPUT -p tcp -m tcp -s 18.208.10.131 --dport 5167 -j ACCEPT'
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 172.30.2.173 tcp dport 80 counter accept'
+ - 'add rule ip filter INPUT ip saddr 172.30.2.173 tcp dport 5167 counter accept'
+ - 'add rule ip filter INPUT ip saddr 18.208.10.131 tcp dport 80 counter accept'
+ - 'add rule ip filter INPUT ip saddr 18.208.10.131 tcp dport 5167 counter accept'
 freezes: false
 tcp_ports: [22,
 # node_exporter/prometheus
diff --git a/inventory/group_vars/github2fedmsg b/inventory/group_vars/github2fedmsg
index 5bb527b602..b60e071982 100644
--- a/inventory/group_vars/github2fedmsg
+++ b/inventory/group_vars/github2fedmsg
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 deployment_type: prod
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/github2fedmsg_stg b/inventory/group_vars/github2fedmsg_stg
index 983d974655..e631f64b82 100644
--- a/inventory/group_vars/github2fedmsg_stg
+++ b/inventory/group_vars/github2fedmsg_stg
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 deployment_type: stg
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/ipa b/inventory/group_vars/ipa
index 239c4f10cf..b69dca6de9 100644
--- a/inventory/group_vars/ipa
+++ b/inventory/group_vars/ipa
@@ -1,6 +1,7 @@
 ---
 # Define resources for this group of hosts here.
 custom_rules: ['-A INPUT -p udp -m udp -s 10.3.0.0/16 --dport 53 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.0.0/16 udp dport 53 counter accept']
 host_backup_targets: ['/var/lib/ipa/backup', '/var/log/dirsrv/slapd-FEDORAPROJECT-ORG']
 ipa_client_shell_groups:
 - sysadmin-accounts
diff --git a/inventory/group_vars/ipsilon b/inventory/group_vars/ipsilon
index bdecc08476..d32010d0ad 100644
--- a/inventory/group_vars/ipsilon
+++ b/inventory/group_vars/ipsilon
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_host_group: ipsilon
 ipa_host_group_desc: Ipsilon SSO application
 lvm_size: 50000
diff --git a/inventory/group_vars/ipsilon_stg b/inventory/group_vars/ipsilon_stg
index 152068fbe9..c0b858465a 100644
--- a/inventory/group_vars/ipsilon_stg
+++ b/inventory/group_vars/ipsilon_stg
@@ -2,6 +2,9 @@
 # Define resources for this group of hosts here.
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_host_group: ipsilon
 ipa_host_group_desc: Ipsilon SSO application
 ipa_client_shell_groups:
diff --git a/inventory/group_vars/kernel_qa b/inventory/group_vars/kernel_qa
index 0c06b9d269..0343a50700 100644
--- a/inventory/group_vars/kernel_qa
+++ b/inventory/group_vars/kernel_qa
@@ -1,5 +1,6 @@
 ---
 custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.122.0/24 --dport 2049 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.122.0/24 tcp dport 2049 counter accept']
 freezes: false
 ipa_client_shell_groups:
 - sysadmin-kernel
diff --git a/inventory/group_vars/koji b/inventory/group_vars/koji
index 17d8db0a3b..5eb37cd3e0 100644
--- a/inventory/group_vars/koji
+++ b/inventory/group_vars/koji
@@ -3,6 +3,10 @@ custom_rules: [
 # Needed for keepalived
 '-A INPUT -d 224.0.0.0/8 -j ACCEPT',
 '-A INPUT -p vrrp -j ACCEPT']
+# Needed for keepalived
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip daddr 224.0.0.0/8 counter accept'
+ - 'add rule ip filter INPUT ip protocol vrrp counter accept'
 docker_registry: "candidate-registry.fedoraproject.org"
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:
diff --git a/inventory/group_vars/kojipkgs b/inventory/group_vars/kojipkgs
index bce7be6e68..2219525fa3 100644
--- a/inventory/group_vars/kojipkgs
+++ b/inventory/group_vars/kojipkgs
@@ -20,6 +20,10 @@ csi_security_category: Moderate
 custom_rules: [
 # Need for rsync from log01 for logs.
 '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+# Need for rsync from log01 for logs.
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept'
+ - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept'
 ipa_client_shell_groups:
 - sysadmin-noc
 - sysadmin-releng
diff --git a/inventory/group_vars/openqa_tap_workers b/inventory/group_vars/openqa_tap_workers
index 9d0e814e0c..3a27f7e555 100644
--- a/inventory/group_vars/openqa_tap_workers
+++ b/inventory/group_vars/openqa_tap_workers
@@ -1,6 +1,10 @@ # firewall rules to allow openQA openvswitch guests to communicate # uses interface definition from host vars custom_rules: ['-A FORWARD -i br0 -j ACCEPT', '-A FORWARD -m state -i {{ openqa_tap_iface }} -o br0 --state RELATED,ESTABLISHED -j ACCEPT', '-A INPUT -i br0 -j ACCEPT'] +nft_custom_rules: + - 'add rule ip filter FORWARD iifname "br0" counter accept' + - 'add rule ip filter FORWARD iifname "{{ openqa_tap_iface }}" oifname "br0" ct state related,established counter accept' + - 'add rule ip filter INPUT iifname "br0" counter accept' # for iptables rules...maybe other stuff in future? both staging # and prod workers are in this group host_group: openqa-tap-workers diff --git a/inventory/group_vars/os_proxies b/inventory/group_vars/os_proxies index d5f013fc9a..97579daf6a 100644 --- a/inventory/group_vars/os_proxies +++ b/inventory/group_vars/os_proxies @@ -4,6 +4,12 @@ custom_rules: [ '-A INPUT -d 224.0.0.0/8 -j ACCEPT', '-A INPUT -p vrrp -j ACCEPT', # machinectl api '-A INPUT -p tcp --dport 22623 --src 38.145.48.0/27 -j ACCEPT'] +nft_custom_rules: + # Needed for keepalived + - 'add rule ip filter INPUT ip daddr 224.0.0.0/8 counter accept' + - 'add rule ip filter INPUT ip protocol vrrp counter accept' + # machinectl api + - 'add rule ip filter INPUT ip saddr 38.145.48.0/27 tcp dport 22623 counter accept' datacenter: cloud host_group: cloud lvm_size: 20000 diff --git a/inventory/group_vars/pagure b/inventory/group_vars/pagure index 9e8270abbb..20cb48a357 100644 --- a/inventory/group_vars/pagure +++ b/inventory/group_vars/pagure 
@@ -7,6 +7,11 @@ custom_rules: [
 '-A INPUT -s 47.76.209.138/32 -j REJECT',
 '-A INPUT -s 47.76.99.127/32 -j REJECT'
 ]
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 81.69.171.38 counter reject'
+ - 'add rule ip filter INPUT ip saddr 175.24.248.206 counter reject'
+ - 'add rule ip filter INPUT ip saddr 47.76.209.138 counter reject'
+ - 'add rule ip filter INPUT ip saddr 47.76.99.127 counter reject'
 csi_primary_contact: Fedora admins - admin@fedoraproject.org
 csi_purpose: Run the pagure instances for fedora
 csi_relationship: |
diff --git a/inventory/group_vars/people b/inventory/group_vars/people
index 15ba3216ae..55339494cd 100644
--- a/inventory/group_vars/people
+++ b/inventory/group_vars/people
@@ -17,6 +17,7 @@ csi_relationship: |
 csi_security_category: Low
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+nft_custom_rules: ['add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept']
 fedmsg_certs:
 - can_send:
 - logger.log
diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 350a2c2533..08e0df2e5a 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -24,6 +24,32 @@ custom_rules: [ # Allow openqa01 to talk to the inbound fedmsg relay. '-A INPUT -p tcp -m tcp --dport 9941 -s 10.3.174.0/24 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.123 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.124 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.125 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.126 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.65 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.127 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.128 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.163.129 -j ACCEPT'] +nft_custom_rules: + # Need for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 209.132.181.102 tcp dport 873 counter accept' + # allow varnish from localhost + - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept' + - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept' + # also allow varnish from internal for purge requests + - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept' + # Allow happinesspackets.fedorainfracloud.org to talk to inbound fedmsg relay. + - 'add rule ip filter INPUT ip saddr 209.132.184.58 tcp dport 9941 counter accept' + # Allow openqa01 to talk to the inbound fedmsg relay. 
+ - 'add rule ip filter INPUT ip saddr 10.3.174.0/24 tcp dport 9941 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.120 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.121 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.122 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.123 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.124 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.125 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.126 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.65 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.127 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.128 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.129 tcp dport 22623 counter accept' external: true ipa_client_shell_groups: - fi-apprentice diff --git a/inventory/group_vars/proxies_stg b/inventory/group_vars/proxies_stg index 29444af7a1..b6de879e4d 100644 --- a/inventory/group_vars/proxies_stg +++ b/inventory/group_vars/proxies_stg 
@@ -22,6 +22,30 @@ custom_rules: [ # yet as of 2015-04-27 (threebean). '-A INPUT -p tcp -m tcp --dport 9941 -s 104.207.133.220 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.115 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.116 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.117 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.118 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.119 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.120 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.121 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.122 -j ACCEPT', '-A INPUT -p tcp -m tcp --dport 22623 -s 10.3.166.123 -j ACCEPT'] +nft_custom_rules: + # Need for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + # allow varnish from localhost + - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6081 counter accept' + - 'add rule ip filter INPUT ip saddr 127.0.0.1 tcp dport 6082 counter accept' + # also allow varnish from internal for purge requests + - 'add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 6081 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.0/24 tcp dport 6081 counter accept' + # Allow stg.fedoramagazine.org running at vultr.com to talk inbound fedmsg + # Contact cydrobolt about the status of this. It hasn't hit prod status + # yet as of 2015-04-27 (threebean). + #!# FIXME: Keep?? 
+ - 'add rule ip filter INPUT ip saddr 104.207.133.220 tcp dport 9941 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.115 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.116 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.117 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.118 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.119 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.120 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.121 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.122 tcp dport 22623 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.123 tcp dport 22623 counter accept' external: true ipa_client_shell_groups: - fi-apprentice diff --git a/inventory/group_vars/rabbitmq b/inventory/group_vars/rabbitmq index 783fc27879..7ccaa88de4 100644 --- a/inventory/group_vars/rabbitmq +++ b/inventory/group_vars/rabbitmq 
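Review bot: The `#!# FIXME: Keep??` marker carries the allow for `104.207.133.220` on port 9941 into the new ruleset unresolved, and the note above it says the upstream service never reached prod as of 2015, so this is an inbound allow from an external address whose current owner and purpose are unknown. Since the nft list is being written fresh, this is the moment to either drop the rule or record who still depends on it; at minimum replace the marker with a dated, attributable note, e.g. `# TODO(<date>): confirm with <owner> whether 104.207.133.220 still needs 9941; drop if not`. The same stale entry remains in the iptables `custom_rules` list above, so both should be resolved together.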
@@ -4,6 +4,14 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', # Inter-node traffic '-A INPUT -p tcp -m tcp -s 10.3.163.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.80 --dport 25672 -j ACCEPT'] +nft_custom_rules: + # Neeed for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + # Inter-node traffic + - 'add rule ip filter INPUT ip saddr 10.3.163.78 tcp dport 25672 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.79 tcp dport 25672 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.80 tcp dport 25672 counter accept' ipa_host_group: rabbitmq ipa_host_group_desc: RabbitMQ service ipa_shell_groups: diff --git a/inventory/group_vars/rabbitmq_stg b/inventory/group_vars/rabbitmq_stg index ae9ddc81a1..8b6a116d77 100644 --- a/inventory/group_vars/rabbitmq_stg +++ b/inventory/group_vars/rabbitmq_stg 
@@ -4,6 +4,14 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT', # Inter-node traffic '-A INPUT -p tcp -m tcp -s 10.3.166.78 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.79 --dport 25672 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.166.80 --dport 25672 -j ACCEPT'] +nft_custom_rules: + # Neeed for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + # Inter-node traffic + - 'add rule ip filter INPUT ip saddr 10.3.166.78 tcp dport 25672 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.79 tcp dport 25672 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.166.80 tcp dport 25672 counter accept' datacenter: iad2 ipa_host_group: rabbitmq ipa_host_group_desc: RabbitMQ service diff --git a/inventory/group_vars/repospanner_temp b/inventory/group_vars/repospanner_temp index 0b6b7db809..905aca5d57 100644 --- a/inventory/group_vars/repospanner_temp +++ b/inventory/group_vars/repospanner_temp 
@@ -5,6 +5,15 @@ csi_purpose: repospanner git syncing host
 # For the MOTD
 csi_security_category: Low
 custom_rules: ['-A INPUT -p tcp -m tcp -s 8.43.84.211 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.84.212 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.76 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.149 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 209.132.181.20 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 8.43.85.78 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.191 --dport 8443:8445 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 140.211.169.199 --dport 8443:8445 -j ACCEPT']
+nft_custom_rules:
+ - 'add rule ip filter INPUT ip saddr 8.43.84.211 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 8.43.84.212 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 8.43.85.76 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 152.19.134.149 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 209.132.181.20 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 8.43.85.78 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 152.19.134.191 tcp dport 8443-8445 counter accept'
+ - 'add rule ip filter INPUT ip saddr 140.211.169.199 tcp dport 8443-8445 counter accept'
 lvm_size: 50000
 max_mem_size: 16348
 mem_size: 8192
diff --git a/inventory/group_vars/retrace b/inventory/group_vars/retrace
index fdd22429e0..b58c2649db 100644
--- a/inventory/group_vars/retrace
+++ b/inventory/group_vars/retrace
@@ -14,6 +14,9 @@ csi_relationship: | custom_rules: - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 2049 -j ACCEPT' - '-A INPUT -p tcp -m tcp -s 10.5.78.11 --dport 5432 -j ACCEPT' +nft_custom_rules: + - 'add rule ip filter INPUT ip saddr 10.5.78.11 tcp dport 2049 counter accept' + - 'add rule ip filter INPUT ip saddr 10.5.78.11 tcp dport 5432 counter accept' env: production # Since retrace is on the qa network, it needs to actively connect to our # inbound relay. diff --git a/inventory/group_vars/value b/inventory/group_vars/value index ce2880eb72..0ab52bb4ab 100644 --- a/inventory/group_vars/value +++ b/inventory/group_vars/value @@ -17,6 +17,15 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5050 -j ACCEPT', # batcave01 also needs access to announce commits. '-A INPUT -p tcp -m tcp -s 10.3.163.35 --dport 5050 -j ACCEPT'] +nft_custom_rules: + # Needed for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + # Needed to let nagios on noc01 and noc02 pipe alerts to zodbot here + - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5050 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5050 counter accept' + # batcave01 also needs access to announce commits. + - 'add rule ip filter INPUT ip saddr 10.3.163.35 tcp dport 5050 counter accept' deployment_type: prod # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/group_vars/value_stg b/inventory/group_vars/value_stg index 337f9ca403..b7a6f6b75d 100644 --- a/inventory/group_vars/value_stg +++ b/inventory/group_vars/value_stg 
@@ -17,6 +17,16 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5050 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 152.19.134.192 --dport 5050 -j ACCEPT', # batcave01 also needs access to announce commits. '-A INPUT -p tcp -m tcp -s 10.3.163.35 --dport 5050 -j ACCEPT'] +nft_custom_rules: + # Neeed for rsync from log01 for logs. + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' + # Needed to let nagios on noc01 and noc02 (noc01.stg) pipe alerts to zodbot here + - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5050 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5050 counter accept' + - 'add rule ip filter INPUT ip saddr 152.19.134.192 tcp dport 5050 counter accept' + # batcave01 also needs access to announce commits. + - 'add rule ip filter INPUT ip saddr 10.3.163.35 tcp dport 5050 counter accept' deployment_type: stg # These are consumed by a task in roles/fedmsg/base/main.yml fedmsg_certs: diff --git a/inventory/host_vars/db-fas01.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.iad2.fedoraproject.org index 8f2dcc8635..56b71d8c94 100644 --- a/inventory/host_vars/db-fas01.iad2.fedoraproject.org +++ b/inventory/host_vars/db-fas01.iad2.fedoraproject.org 
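Review bot: The new value_stg list contains `ip saddr 10.3.163.10 tcp dport 5050` twice, mirroring a duplicate that already exists in the iptables `custom_rules` above; the extra rule is harmless but pads the chain and doubles that counter. The comment names noc01 and noc02 (noc01.stg) yet only one noc address appears, so either the second line was meant to carry a different address or it should be dropped — remove the second `- 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5050 counter accept'` (and its iptables twin) or substitute the intended host. The prod `value` hunk has the correct pair (10.3.163.10 and 192.168.1.20) and can serve as the reference.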
@@ -9,6 +9,18 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT', # Ipsilon VMs '-A INPUT -p tcp -m tcp -s 10.3.163.105 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.106 --dport 5432 -j ACCEPT'] +nft_custom_rules: + # Openshift nodes (egress policy will block connection from non-authorized projects) + - 'add rule ip filter INPUT ip saddr 10.3.163.69 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.70 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.71 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.72 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.73 tcp dport 5432 counter accept' + # noc01 needs to connect to check the db + - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5432 counter accept' + # Ipsilon VMs + - 'add rule ip filter INPUT ip saddr 10.3.163.105 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.106 tcp dport 5432 counter accept' # This is a generic list, monitored by collectd databases: - fas2 diff --git a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org index 7ac489fd7d..fb4a35e62e 100644 --- a/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org +++ b/inventory/host_vars/db-fas01.stg.iad2.fedoraproject.org @@ -13,6 +13,8 @@ custom_rules: # - '-A INPUT -p tcp -m tcp -s 10.5.128.107 --dport 5432 -j ACCEPT' # TODO: lock it down more - '-A INPUT -p tcp -m tcp -s 10.3.166.0/24 --dport 5432 -j ACCEPT' +nft_custom_rules: + - 'add rule ip filter INPUT ip saddr 10.3.166.0/24 tcp dport 5432 counter accept' # This is a generic list, monitored by collectd databases: - fas2 diff --git a/inventory/host_vars/db-koji01.iad2.fedoraproject.org b/inventory/host_vars/db-koji01.iad2.fedoraproject.org index a62fb55c58..df0956741c 100644 --- a/inventory/host_vars/db-koji01.iad2.fedoraproject.org 
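Review bot: The iptables entry for db-fas01.stg keeps a `# TODO: lock it down more` next to the `10.3.166.0/24` allow, but the new `nft_custom_rules` line carries only the rule, so the warning is lost once the iptables list is removed. Suggest repeating it above the nft entry, e.g. `# TODO: lock it down more - whole staging /24 can reach postgres`, so whoever tightens the staging database later sees it in the list that is actually applied.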
+++ b/inventory/host_vars/db-koji01.iad2.fedoraproject.org @@ -3,6 +3,11 @@ # Only allow postgresql access from the frontend node. # custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.169.104 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.169.105 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.169.10 --dport 5432 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5432 -j ACCEPT'] +nft_custom_rules: + - 'add rule ip filter INPUT ip saddr 10.3.169.104 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.169.105 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.169.10 tcp dport 5432 counter accept' + - 'add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5432 counter accept' # This is a generic list, monitored by collectd databases: - koji diff --git a/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org b/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org index fb84965eb1..1a436362e7 100644 --- a/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org +++ b/inventory/host_vars/db-koji01.stg.iad2.fedoraproject.org @@ -3,6 +3,7 @@ # Only allow postgresql access from the frontend node. # custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.167.64 --dport 5432 -j ACCEPT'] +nft_custom_rules: ['add rule ip filter INPUT ip saddr 10.3.167.64 tcp dport 5432 counter accept'] # This is a generic list, monitored by collectd databases: - koji diff --git a/inventory/host_vars/db01.iad2.fedoraproject.org b/inventory/host_vars/db01.iad2.fedoraproject.org index 71b832e206..b7d3ccc885 100644 --- a/inventory/host_vars/db01.iad2.fedoraproject.org +++ b/inventory/host_vars/db01.iad2.fedoraproject.org @@ -3,6 +3,7 @@ # We should narrow this down at some point # custom_rules: ['-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT'] +nft_custom_rules: ['add rule ip filter INPUT tcp dport 5432 counter accept'] # This is a generic list, monitored by collectd databases: - anitya 
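Review bot: `nft_custom_rules: ['add rule ip filter INPUT tcp dport 5432 counter accept']` for db01 carries the open-to-any postgres accept forward unchanged, and the `# We should narrow this down at some point` comment sits above the old iptables list rather than the new one. The nft form makes the narrowing cheap — a single `ip saddr { a.b.c.d, ... } tcp dport 5432 counter accept` with the client set — so at minimum move or repeat the comment onto the nft entry so the intent survives the cutover.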
diff --git a/inventory/host_vars/db01.stg.iad2.fedoraproject.org b/inventory/host_vars/db01.stg.iad2.fedoraproject.org index 2bcfc2eb14..305dc448db 100644 --- a/inventory/host_vars/db01.stg.iad2.fedoraproject.org +++ b/inventory/host_vars/db01.stg.iad2.fedoraproject.org @@ -3,6 +3,7 @@ # We should narrow this down at some point # custom_rules: ['-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT'] +nft_custom_rules: ['add rule ip filter INPUT tcp dport 5432 counter accept'] # This is a generic list, monitored by collectd databases: - askfedora diff --git a/inventory/host_vars/noc01.iad2.fedoraproject.org b/inventory/host_vars/noc01.iad2.fedoraproject.org index 56c1ea2d3a..93a7b5194e 100644 --- a/inventory/host_vars/noc01.iad2.fedoraproject.org +++ b/inventory/host_vars/noc01.iad2.fedoraproject.org @@ -5,6 +5,11 @@ custom_rules: [ '-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT' ] +nft_custom_rules: + - 'add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5666 counter accept' + # needed to allow rsync from log01 + - 'add rule ip filter INPUT ip saddr 10.3.163.39 tcp dport 873 counter accept' + - 'add rule ip filter INPUT ip saddr 192.168.1.59 tcp dport 873 counter accept' datacenter: iad2 eth0_ipv4_gw: 10.3.163.254 eth0_ipv4_ip: 10.3.163.10 diff --git a/roles/base/templates/nftables/nf6tables b/roles/base/templates/nftables/nf6tables new file mode 100644 index 0000000000..c1fa235ccf --- /dev/null +++ b/roles/base/templates/nftables/nf6tables 
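Review bot: In the noc01 hunk the first nft entry, `add rule ip filter INPUT ip saddr 192.168.1.20 tcp dport 5666 counter accept`, has no counterpart among the `custom_rules` lines visible here; the iptables list starts above the hunk, so presumably it mirrors an NRPE rule there, but that should be confirmed so the nft list does not open 5666 to an address the iptables rules never allowed. The two rsync (873) entries match the iptables rules line for line.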
@@ -0,0 +1,58 @@
+# {{ ansible_managed }}
+add table ip6 filter
+add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# loopback allowed
+add rule ip6 filter INPUT iifname "lo" counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip6 filter INPUT meta l4proto ipv6-icmp counter accept
+
+# Established connections allowed
+add rule ip6 filter INPUT ct state related,established counter accept
+
+# Established connections allowed
+add rule ip6 filter OUTPUT ct state related,established counter accept
+
+# allow dhcp6d from aws
+add rule ip6 filter INPUT ip6 daddr fe80::/64 udp sport 547 udp dport 546 counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ip_v6 is defined %}
+{% for ip in blocked_ip_v6 %}
+add rule ip6 filter INPUT ip6 saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip6 filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe (if we want noc02 to be able to get into remote systems)
+#add rule ip6 filter INPUT ip6 saddr 2600:2701:4000:5211:dead:beef:fe:fed9 tcp dport 5666 counter accept
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip6 filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip6 filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom6 rules - put them in as-is
+{% if nft_custom6_rules is defined %}
+{% for rule in nft_custom6_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip6 filter INPUT counter reject with icmpv6 type admin-prohibited
+add rule ip6 filter FORWARD counter reject with icmpv6 type admin-prohibited
diff --git a/roles/base/templates/nftables/nftables b/roles/base/templates/nftables/nftables
new file mode 100644
index 0000000000..edbdeeb0db
--- /dev/null
+++ b/roles/base/templates/nftables/nftables
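Review bot: The template only ever issues `add table`/`add chain`/`add rule` and never flushes, so loading it a second time (every Ansible run that notifies a reload) appends a complete duplicate of every rule behind the existing `reject with icmpv6 type admin-prohibited` catch-all; from then on the first generation's reject shadows any accept added later, and a newly opened port silently stays closed until someone clears the table by hand. Adding `flush table ip6 filter` directly after `add table ip6 filter` makes the file idempotent without touching tables owned by other software (libvirt, firewalld) the way `flush ruleset` would. Since the chains are `policy accept`, the trailing reject is the only thing closing the host, so the handler should apply this file atomically with `nft -f` rather than rule by rule. The same pattern applies to the other templates added in this commit.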
@@ -0,0 +1,127 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.166.10 tcp dport 5666 counter accept
+# zabbix01
+add rule ip filter INPUT tcp dport 10051 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.198 tcp dport 10050 counter accept
+
+{% if env != 'staging' and datacenter == 'iad2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the iad2 datacenter, both production and staging hosts are in different
+# vlans, and different subnets. However, just as a precaution, we want prod machines to
+# reject connections from any staging host just in case there's some globally enabled port.
+# There are however a few hosts in production we have marked 'staging-friendly'
+# that we do allow staging to talk to for mostly read-only data they need.
+#
+add rule ip filter INPUT ip saddr 10.3.166.0/24 counter reject with icmp type host-prohibited
+add rule ip filter INPUT ip saddr 10.3.167.0/24 counter reject with icmp type host-prohibited
+{% endif %}
+
+{% if vpn %}
+#
+# We want to have all vpn hosts reject most things from the 'less secure' vpn network
+#
+{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
+# Allow all vpn hosts to talk to the log server for rsyslog
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 514 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport 25826 counter accept
+{% endif %}
+{% if inventory_hostname in groups['ipa'] %}
+# Allow all vpn hosts to talk to the ipa servers for auth
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 80 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 88 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 389 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 443 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 464 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 636 counter accept
+
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport 88 counter accept
+add rule ip filter INPUT ip saddr 192.168.100.0/24 udp dport 464 counter accept
+{% endif %}
+# Reject all further connections from less secure vpn
+add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in (groups['proxies'] + groups['proxies_internal']) %}
+{% if hostvars[proxy]['datacenter'] == "phx2" and 'ansible_eth0' in hostvars[proxy] %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% else %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% endif %}
+{% endfor %}
+# nagios
+add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+{% if nft_nat_rules %}
+
+add table ip nat
+add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
+add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
+add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
+
+{% for rule in nft_nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
diff --git a/roles/base/templates/nftables/nftables.kojibuilder b/roles/base/templates/nftables/nftables.kojibuilder
new file mode 100644
index 0000000000..58ccda54ff
--- /dev/null
+++ b/roles/base/templates/nftables/nftables.kojibuilder
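Review bot: Unlike `nftables.osuosl`, `nftables.releng` and `nftables.kojibuilder` in this same commit (and the `blocked_ip_v6` loop in `nf6tables`), the default template has no `blocked_ips` drop loop; if the iptables template it replaces had one, every host on the default template loses its blocklist at cutover, so that is worth checking before the switch. Separately, `{% if nft_nat_rules %}` is the only conditional in the file that tests truthiness instead of `is defined`; unless a default exists in group vars, a host without the variable fails to render under Ansible's undefined-variable checking, and `{% if nft_nat_rules is defined and nft_nat_rules %}` would match the rest of the file. The proxy loop still keys on `hostvars[proxy]['datacenter'] == "phx2"`, which is presumably carried over from the iptables version and looks stale now that everything else in the template refers to iad2.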
@@ -0,0 +1,202 @@ +# {{ ansible_managed }} +*add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; policy drop; } +add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } +add chain ip filter OUTPUT { type filter hook output priority 0; policy drop; } + +# loopback allowed +add rule ip filter INPUT iifname "lo" counter accept +add rule ip filter OUTPUT oifname "lo" counter accept +add rule ip filter INPUT iifname "virbr0" counter accept +add rule ip filter OUTPUT oifname "virbr0" counter accept +add rule ip filter INPUT ip daddr 127.0.0.0/8 counter accept +add rule ip filter OUTPUT ip daddr 127.0.0.0/8 counter accept + +# Accept ping and traceroute (needs icmp) +add rule ip filter INPUT ip protocol icmp counter accept +add rule ip filter OUTPUT ip protocol icmp counter accept + +# Established connections allowed +add rule ip filter INPUT ct state related,established counter accept +add rule ip filter OUTPUT ct state related,established counter accept + +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +add rule ip filter INPUT ip saddr {{ ip }} counter drop +{% endfor %} +{% endif %} + +{% if host in groups['osbuild'] %} +# osbuild api for osbuild koji plugin +#!# WARNING: This is very different... +# -A OUTPUT -p tcp --dport 443 -m set --match-set osbuildapi dst -j ACCEPT + +add table inet global +add set inet global osbuildapi { type ipv4_addr ; size 65536; } + +add rule ip filter OUTPUT tcp dport 443 ip daddr @osbuildapi accept + +# Then in the update script... +# nft flush set global osbuildapi +# ... 
+# nft add element ip global osbuildapi { 10.0.0.1 } + +# Also See: nft list ruleset + +{% endif %} + +# kojipkgs +{% if host in groups['buildvm_s390x'] %} +add rule ip filter OUTPUT ip daddr 10.16.0.17 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.16.0.35 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.1.102.24 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.1.102.50 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.169.106 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.169.107 tcp dport 80 counter accept +{% endif %} + +# tang for buildhw +add rule ip filter OUTPUT ip daddr 10.3.163.37 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.38 tcp dport 80 counter accept + +# DNS +add rule ip filter OUTPUT ip daddr 10.3.163.33 udp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.33 tcp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.34 udp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.34 tcp dport 53 counter accept + +# bastion smtp +add rule ip filter OUTPUT ip daddr 10.3.163.31 tcp dport 25 counter accept + +# infra.fp.o +add rule ip filter OUTPUT ip daddr 10.3.163.35 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.35 tcp dport 443 counter accept + +# rsyslog out to log01 +add rule ip filter OUTPUT ip daddr 10.3.163.39 tcp dport 514 counter accept + +# SSH +add rule ip filter INPUT ip saddr 10.3.160.0/19 tcp dport 22 counter accept +add rule ip filter OUTPUT ip daddr 10.3.160.0/19 tcp sport 22 counter accept + +{% if inventory_hostname.startswith (('buildvm-s390x-11', 'buildvm-s390x-12', 'buildvm-s390x-13')) %} +# Allow SSHFS binding to koji01 +add rule ip filter OUTPUT ip daddr 10.3.169.104 tcp dport 22 counter accept +{% endif %} + +# http to pull sources from pkgs lookaside +#add rule ip filter OUTPUT ip daddr 10.5.125.44 tcp dport 80 counter accept + +# 
https git on pagure,io +add rule ip filter OUTPUT ip daddr 8.43.85.76 tcp dport 443 counter accept + +# admin.fedoraproject.org for fas (proyx(1)01 and proxy(1)10) +{% if host in groups['staging'] %} +add rule ip filter OUTPUT ip daddr 10.3.166.74 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.74 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.75 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.75 tcp dport 443 counter accept +{% endif %} + +add rule ip filter OUTPUT ip daddr 10.3.163.74 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.74 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.75 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.75 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.76 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.76 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.77 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.77 tcp dport 443 counter accept + +# ipa client ports +{% if host in groups['staging'] %} +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 389 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 389 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 636 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 636 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 
10.3.166.21 udp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 tcp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 tcp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 udp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.21 udp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.166.63 udp dport 53 counter accept +{% else %} +add rule ip filter OUTPUT ip daddr 10.3.163.54 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 80 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 443 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 tcp dport 389 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 389 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 389 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 tcp dport 636 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 636 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 636 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 tcp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 udp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 udp dport 88 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport 88 counter accept +add rule ip filter OUTPUT 
ip daddr 10.3.163.54 tcp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 tcp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 tcp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 udp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 udp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport 464 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.54 udp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.55 udp dport 53 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.104 udp dport 53 counter accept +{% endif %} + +{% if host in groups['staging'] %} +# Allow nfs from koji01 +add rule ip filter INPUT ip daddr 10.3.167.64 tcp dport 2049 counter accept +add rule ip filter OUTPUT ip daddr 10.3.167.64 tcp dport 2049 counter accept +{% endif %} +#nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but +# kinda necessary +add rule ip filter INPUT ip saddr 10.3.162.11 counter accept +add rule ip filter OUTPUT ip daddr 10.3.162.11 counter accept +#!# NOTE: tcp/udp doesn't translate without a port?? 
+add rule ip filter INPUT ip saddr 10.3.162.12 counter accept +add rule ip filter OUTPUT ip daddr 10.3.162.12 counter accept +add rule ip filter INPUT ip saddr 10.3.162.13 counter accept +add rule ip filter OUTPUT ip daddr 10.3.162.13 counter accept +add rule ip filter INPUT ip saddr 10.3.162.14 counter accept +add rule ip filter OUTPUT ip daddr 10.3.162.14 counter accept + +# ntp +add rule ip filter OUTPUT ip daddr 10.3.163.31 udp dport 123 counter accept +add rule ip filter OUTPUT ip daddr 10.3.163.32 udp dport 123 counter accept + +# dhcp +add rule ip filter OUTPUT ip daddr 10.3.163.10 udp dport 67 counter accept + +# s390x builders ssh +add rule ip filter INPUT ip saddr 10.3.0.0/16 tcp dport 22 counter accept +add rule ip filter OUTPUT ip daddr 10.3.0.0/16 tcp sport 22 counter accept + +# if the host/group defines incoming tcp_ports - allow them +{% for port in tcp_ports %} +add rule ip filter INPUT tcp dport {{ port }} counter accept +{% endfor %} + +# if the host/group defines incoming udp_ports - allow them +{% for port in udp_ports %} +add rule ip filter INPUT udp dport {{ port }} counter accept +{% endfor %} + +# if there are custom rules - put them in as-is +{% for rule in nft_custom_rules %} +{{ rule }} +{% endfor %} diff --git a/roles/base/templates/nftables/nftables.osuosl b/roles/base/templates/nftables/nftables.osuosl new file mode 100644 index 0000000000..fd1a171379 --- /dev/null +++ b/roles/base/templates/nftables/nftables.osuosl 
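Review bot: The second line of the template, `*add table ip filter`, has a stray `*`, which nft will refuse to parse — and because this builder template uses `policy drop` on all three chains, a load failure leaves the builder either on the previous ruleset or with no filtering at all, depending on how the handler applies it. The osbuild block has a second load-time error: the set is created as `add set inet global osbuildapi` but referenced from `ip filter` as `ip daddr @osbuildapi`, and nft sets are table-scoped, so the rule cannot resolve it (the update-script comment also says `nft add element ip global`, a third table spelling). Defining the set inside `ip filter` fixes both, as below. On the `#!# NOTE: tcp/udp doesn't translate without a port??` question: the protocol match without a port is `ip protocol tcp` (or `meta l4proto { tcp, udp }`), e.g. `add rule ip filter INPUT ip saddr 10.3.162.11 ip protocol tcp counter accept`; as written, the four netapp rules accept every protocol from those hosts, which is wider than an iptables `-p tcp` rule was.

```jinja2
# {{ ansible_managed }}
add table ip filter
# … unchanged: chains, loopback/virbr0, icmp, established, blocked_ips …

{% if host in groups['osbuild'] %}
# osbuild api for osbuild koji plugin. Sets are table-scoped, so the set
# lives in "ip filter" where the OUTPUT rule that references it lives.
# The update script refreshes it with:
#   nft flush set ip filter osbuildapi
#   nft add element ip filter osbuildapi { 10.0.0.1 }
add set ip filter osbuildapi { type ipv4_addr; size 65536; }
add rule ip filter OUTPUT ip daddr @osbuildapi tcp dport 443 counter accept
{% endif %}

# … unchanged: kojipkgs, tang, DNS, smtp, infra, rsyslog, SSH, ipa, nfs, ntp, dhcp, ports …
```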
@@ -0,0 +1,61 @@ +# {{ ansible_managed }} +add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; policy accept; } +add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; } +add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; } + +# allow ping and traceroute +add rule ip filter INPUT ip protocol icmp counter accept + +# localhost is fine +add rule ip filter INPUT iifname "lo" counter accept + +# Established connections allowed +add rule ip filter INPUT ct state related,established counter accept +add rule ip filter OUTPUT ct state related,established counter accept + +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +add rule ip filter INPUT ip saddr {{ ip }} counter drop +{% endfor %} +{% endif %} + +# allow ssh only from needed ips +# vpn in from tun0 +add rule ip filter INPUT iifname "tun0" ip saddr 192.168.0.0/24 ct state new tcp dport 22 counter accept +# external ip for iad2 +add rule ip filter INPUT iifname "tun0" ip saddr 38.145.60.0/24 ct state new tcp dport 22 counter accept + +# for nrpe - allow it from nocs +add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept +# FIXME - this is the global nat-ip and we need the noc01-specific ip +add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5666 counter accept + +# if the host/group defines incoming tcp_ports - allow them +{% if tcp_ports is defined %} +{% for port in tcp_ports %} +add rule ip filter INPUT tcp dport {{ port }} counter accept +{% endfor %} +{% endif %} + +# if the host/group defines incoming udp_ports - allow them +{% if udp_ports is defined %} +{% for port in udp_ports %} +add rule ip filter INPUT 
udp dport {{ port }} counter accept +{% endfor %} +{% endif %} + +# if there are custom rules - put them in as-is +{% if nft_custom_rules is defined %} +{% for rule in nft_custom_rules %} +{{ rule }} +{% endfor %} +{% endif %} + +# otherwise kick everything out +add rule ip filter INPUT counter reject with icmp type host-prohibited +add rule ip filter FORWARD counter reject with icmp type host-prohibited diff --git a/roles/base/templates/nftables/nftables.releng b/roles/base/templates/nftables/nftables.releng new file mode 100644 index 0000000000..5ca033a2e2 --- /dev/null +++ b/roles/base/templates/nftables/nftables.releng 
@@ -0,0 +1,87 @@ +# {{ ansible_managed }} +# +# NOTE: Chaging this template updates iptables on all releng hosts :) +# Please check with sysadmin-main before pushing out an update here. +# +add table ip filter +add chain ip filter INPUT { type filter hook input priority 0; policy drop; } +add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; } +add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; } + +# loopback allowed +add rule ip filter INPUT iifname "lo" counter accept + +# Accept ping and traceroute (needs icmp) +add rule ip filter INPUT ip protocol icmp counter accept + +# Established connections allowed +add rule ip filter INPUT ct state related,established counter accept + +# Overwrite any global rules +# for nrpe - allow it from nocs +add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept +# FIXME - this is the global nat-ip and we need the noc01-specific ip +add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5666 counter accept +add rule ip filter INPUT ip saddr 10.3.166.10 tcp dport 5666 counter accept +# Zabbix +add rule ip filter INPUT tcp dport 10051 counter accept +add rule ip filter INPUT ip saddr 10.3.163.198 tcp dport 10050 counter accept + +# if the blocked_ips is defined - drop them +{% if blocked_ips is defined %} +{% for ip in blocked_ips %} +add rule ip filter INPUT ip saddr {{ ip }} counter drop +{% endfor %} +{% endif %} + +# SSH +#!# NOTE: Do we still need/wants these 13+ years later? 
+# ssh block against uni in .cz where problem(s) have been cited +# added by skvidal on jan 24 2011 - as per request from spot +add rule ip filter INPUT ip saddr 147.251.0.0/16 tcp dport 22 counter reject +# matches last rule for a service we want blocked +add rule ip filter INPUT ip saddr 192.168.100.0/24 tcp dport 22 counter reject with tcp reset +add rule ip filter INPUT tcp dport 22 counter accept + +# Allow all netapp traffic +add rule ip filter INPUT ip saddr 10.3.162.0/24 counter accept + + +# Custom Services + +# Services TCP +add rule ip filter INPUT tcp dport 22 counter accept +add rule ip filter INPUT tcp dport 80 counter accept +add rule ip filter INPUT tcp dport 443 counter accept + +# Services UDP + +# more services we use - ports for random services and TG listeners. +# if the host/group defines incoming tcp_ports - allow them +{% if tcp_ports is defined %} +{% for port in tcp_ports %} +add rule ip filter INPUT tcp dport {{ port }} counter accept +{% endfor %} +{% endif %} + +# if the host/group defines incoming udp_ports - allow them +{% if udp_ports is defined %} +{% for port in udp_ports %} +add rule ip filter INPUT udp dport {{ port }} counter accept +{% endfor %} +{% endif %} + +# if there are custom rules - put them in as-is +{% if nft_custom_rules is defined %} +{% for rule in nft_custom_rules %} +{{ rule }} +{% endfor %} +{% endif %} + +# Extra protection for 192.168.100.x vpn hosts. +add rule ip filter INPUT ip saddr 192.168.100.0/24 counter reject with icmp type host-prohibited + +add rule ip filter INPUT counter reject with icmp type host-prohibited diff --git a/roles/base/templates/nftables/nftables.sign b/roles/base/templates/nftables/nftables.sign new file mode 100644 index 0000000000..cb26a74942 --- /dev/null +++ b/roles/base/templates/nftables/nftables.sign 
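Review bot: The header comment still reads `# NOTE: Chaging this template updates iptables on all releng hosts :)`; for the new file it should say `# NOTE: Changing this template updates nftables on all releng hosts :)`, since that warning is what stops someone editing it casually. `add rule ip filter INPUT tcp dport 22 counter accept` is emitted twice, once under `# SSH` and again under `# Services TCP`; the second copy is unreachable and can go. Note also that the `blocked_ips` drop loop is rendered after the open-to-any `tcp dport 10051` zabbix accept, so a blocked address can still reach that port — presumably inherited from the iptables ordering, but the rewrite is the moment to move the blocklist loop above the service accepts.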
@@ -0,0 +1,22 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# loopback allowed
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Accept ping and traceroute (needs icmp)
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+
+# Allow connections from client/server
+add rule ip filter INPUT tcp dport 44333-44334 counter accept
+
+# otherwise kick everything out
+add rule ip filter INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
diff --git a/roles/base/templates/nftables/nftables.staging b/roles/base/templates/nftables/nftables.staging
new file mode 100644
index 0000000000..78fbb14bfd
--- /dev/null
+++ b/roles/base/templates/nftables/nftables.staging
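Review bot: `add rule ip filter INPUT tcp dport 44333-44334 counter accept` admits any source address to the signing service, and this template exposes no `blocked_ips`, `tcp_ports` or `nft_custom_rules` hooks through which a host could narrow it. Presumably this mirrors the iptables rule it replaces, but on a signing host a source restriction is the first thing to add — `ip saddr { <bridge/client addresses> } tcp dport 44333-44334 ct state new counter accept` — and if the open listener is deliberate, the `# Allow connections from client/server` comment should say which peers are expected and why no source filter is applied.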
@@ -0,0 +1,75 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5666 counter accept
+# zabbix01.stg
+add rule ip filter INPUT tcp dport 10051 counter accept
+add rule ip filter INPUT ip saddr 10.3.166.61 tcp dport 10050 counter accept
+
+
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+
+# if there are any proxy-only tcp_ports - allow them
+{% if proxy_tcp_ports is defined %}
+{% for port in proxy_tcp_ports %}
+{% for proxy in groups['proxies_stg'] %}
+{% if hostvars[proxy]['vpn'] %}
+#!# FIXME: This test is the negation of the one in iptables.
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_tun0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% else %}
+add rule ip filter INPUT ip saddr {{ hostvars[proxy]['ansible_eth0']['ipv4']['address'] }} tcp dport {{ port }} counter accept
+{% endif %}
+{% endfor %}
+# No nagios
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+# No nat rules
diff --git a/roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org b/roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org
new file mode 100644
index 0000000000..4e1885a941
--- /dev/null
+++ b/roles/base/templates/nftables/nftables.storinator01.fedorainfracloud.org
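Review bot: The `{% for port in tcp_ports %}` and `{% for port in udp_ports %}` loops here carry no `is defined` guard, unlike every other template in this patch, so rendering fails for any staging host that does not set both variables; wrap each in `{% if tcp_ports is defined %} … {% endif %}` as the other files do. The `#!# FIXME` inside the proxy loop needs resolving before deployment: if the iptables template picked tun0 for the opposite case, this branch allowlists a proxy address the proxies never connect from and the real one falls through to the final reject, so the proxy-only ports silently stop working rather than opening up. The `tcp dport 10051` accept is not limited to a source address although the comment says it is for zabbix01.stg; if that mirrors the iptables rule it still seems worth restricting to the server address the way the 10050 rule below it already is.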
@@ -0,0 +1,89 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+# NOTE: we don't allow 10.3.163.10 / 10.3.166.10 or zabbix?
+
+# if the host/group defines incoming tcp_ports - allow them
+# NOTE: These are specific to eth0
+{% if tcp_ports_eth0 is defined %}
+{% for port in tcp_ports_eth0 %}
+add rule ip filter INPUT iifname "eth0" tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+# NOTE: These are specific to eth0
+{% if udp_ports_eth0 is defined %}
+{% for port in udp_ports_eth0 %}
+add rule ip filter INPUT iifname "eth0" udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming tcp_ports - allow them
+# NOTE: These are specific to eth1
+{% if tcp_ports_eth1 is defined %}
+{% for port in tcp_ports_eth1 %}
+add rule ip filter INPUT iifname "eth1" tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+# NOTE: These are specific to eth1
+{% if udp_ports_eth1 is defined %}
+{% for port in udp_ports_eth1 %}
+add rule ip filter INPUT iifname "eth1" udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+{% if nft_nat_rules %}
+#!# FIXME: These are different priority to iptables template...
+add table ip nat
+add chain ip nat PREROUTING { type nat hook prerouting priority 0; policy accept; }
+add chain ip nat INPUT { type nat hook input priority 0; policy accept; }
+add chain ip nat OUTPUT { type nat hook output priority 0; policy accept; }
+add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
+
+{% for rule in nft_nat_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
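Review bot: The nat chains at the end are all created at priority 0, the same priority as the filter hook chains on input and output, so the relative order of address translation and filtering on those hooks is unspecified and the filter rules may see pre- or post-translation addresses; the FIXME already hints at this. iptables' nat table runs at -100 for PREROUTING/OUTPUT and 100 for INPUT/POSTROUTING, so `add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }` and `add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }` (with INPUT at 100 and OUTPUT at -100) reproduce the ordering the existing nat rules were written against. `{% if nft_nat_rules %}` is also the only use of a rules variable in this patch without an `is defined` guard, while `nft_custom_rules` a few lines above is guarded; under a strict-undefined renderer that line errors on hosts that never set nat rules, so `{% if nft_nat_rules is defined and nft_nat_rules %}` would be safer.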
diff --git a/roles/base/templates/nftables/nftables.torrent02.fedoraproject.org b/roles/base/templates/nftables/nftables.torrent02.fedoraproject.org
new file mode 100644
index 0000000000..f7ec0c8ffe
--- /dev/null
+++ b/roles/base/templates/nftables/nftables.torrent02.fedoraproject.org
@@ -0,0 +1,94 @@
+# {{ ansible_managed }}
+add table ip filter
+add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
+add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
+add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
+
+# allow ping and traceroute
+add rule ip filter INPUT ip protocol icmp counter accept
+
+# localhost is fine
+add rule ip filter INPUT iifname "lo" counter accept
+
+# Established connections allowed
+add rule ip filter INPUT ct state related,established counter accept
+add rule ip filter OUTPUT ct state related,established counter accept
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+add rule ip filter INPUT ip saddr {{ ip }} counter drop
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+add rule ip filter INPUT ct state new tcp dport 22 counter accept
+
+# for nrpe - allow it from nocs
+add rule ip filter INPUT ip saddr 192.168.1.10 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 192.168.1.166 tcp dport 5666 counter accept
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+add rule ip filter INPUT ip saddr 38.145.60.16 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 38.145.60.15 tcp dport 5666 counter accept
+add rule ip filter INPUT ip saddr 10.3.163.10 tcp dport 5666 counter accept
+# NOTE: This doesn't include 10.3.166.10
+# NOTE: This doesn't include zabbix.
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in
+# production we have marked 'staging-friendly' that we do allow staging to talk to for
+# mostly read-only data they need.
+#
+{% for host in groups['staging']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+add rule ip filter INPUT ip saddr {{ hostvars[host]['eth0_ip'] }} counter reject with icmp type host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+add rule ip filter INPUT tcp dport 30{{ '%02d' % i }} counter accept
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+add rule ip filter INPUT tcp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+add rule ip filter INPUT udp dport {{ port }} counter accept
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if nft_custom_rules is defined %}
+{% for rule in nft_custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+add rule ip filter INPUT counter reject with icmp type host-prohibited
+add rule ip filter FORWARD counter reject with icmp type host-prohibited
+
+add table ip raw
+add chain ip raw PREROUTING { type filter hook prerouting priority -300; policy accept; }
+add chain ip raw OUTPUT { type filter hook output priority -300; policy accept; }
+
+#
+# We don't want to track all the torrent tracker connections, there's too many.
+#
+add rule ip raw PREROUTING tcp dport 6969 counter notrack
+add rule ip raw OUTPUT tcp sport 6969 counter notrack
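Review bot: The `notrack` rules at the end exempt port 6969 from conntrack, so the `ct state related,established` accept in INPUT never matches a packet of a tracker connection; such traffic is only admitted if an explicit `tcp dport 6969 counter accept` without a `ct state` match is rendered, presumably through `tcp_ports`, which this patch does not show for this host. A comment beside the raw rules saying that the filter chain must carry a stateless accept for 6969 would keep the two halves from drifting apart. The staging-reject block is gated on `datacenter == 'phx2'` while the host_vars touched by this patch are all named iad2, so that block may never render on current hosts; if it is intentionally dormant, a comment saying so would save the next reader the check.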
diff --git a/roles/koji_builder/templates/osbuildapi-update-nft.sh b/roles/koji_builder/templates/osbuildapi-update-nft.sh
new file mode 100644
index 0000000000..2c112bf93a
--- /dev/null
+++ b/roles/koji_builder/templates/osbuildapi-update-nft.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# in staging we need to allow api.stage and in prod api.
+{% if env == 'staging' %}
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query api.stage.openshift.com 2> /dev/null`
+{% else %}
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query api.openshift.com 2> /dev/null`
+{% endif %}
+test $? -eq 0 || exit $?
+
+NEWIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
+
+
+# both stage and prod authenticate using sso.redhat.com
+RESOLVEQUERY=`resolvectl -4 --cache=no --legend=no query sso.redhat.com 2> /dev/null`
+test $? -eq 0 || exit $?
+
+NEWIDENTITYIPS=`echo "$RESOLVEQUERY" | grep link | sed -E 's/.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/g' | sort -n`
+
+# Empty the filter: We do this at the end for a small window.`
+nft flush set global osbuildapi
+
+# Add the IPs...
+for j in $NEWIPS
+do
+ nft add element ip global osbuildapi { $j }
+done
+
+for j in $NEWIDENTITYIPS
+do
+ nft add element ip global osbuildapi { $j }
+done
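Review bot: The set is flushed and then refilled one element per `nft` invocation, so for the whole loop the allowlist is empty, and if either `resolvectl` query succeeds but yields no `link` lines the set stays empty (or holds only the SSO addresses) until the next run. Refusing to proceed on an empty lookup and applying the flush plus all additions as a single `nft -f -` transaction removes the window the comment mentions and makes the update atomic. DNS answers become firewall set entries here, so a comment noting that whichever rule references the `osbuildapi` set trusts the host's resolver would make the design choice explicit. Also `test $? -eq 0 || exit $?` exits with test's status rather than resolvectl's; `rc=$?; test $rc -eq 0 || exit $rc` preserves it.
```shell
# … unchanged: resolvectl lookups filling NEWIPS and NEWIDENTITYIPS …

# Never replace a working allowlist with an empty one.
if test -z "$NEWIPS" || test -z "$NEWIDENTITYIPS"; then
    echo "osbuildapi-update-nft: empty lookup result, set left unchanged" >&2
    exit 1
fi

# Flush and repopulate in one transaction so the set is never observed empty.
{
    echo "flush set ip global osbuildapi"
    for j in $NEWIPS $NEWIDENTITYIPS; do
        echo "add element ip global osbuildapi { $j }"
    done
} | nft -f -
```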