From a7028a95c3233db71f6793c38017a565f93fd125 Mon Sep 17 00:00:00 2001
From: Seth Vidal
Date: Wed, 3 Jul 2013 18:44:47 +0000
Subject: [PATCH] modify iptables tasks to look for $env extension for staging systems
---
 files/iptables/iptables.staging | 63 +++++++++++++++++++++++++++++++++
 tasks/base.yml | 1 +
 tasks/iptables.yml | 1 +
 3 files changed, 65 insertions(+)
 create mode 100644 files/iptables/iptables.staging
diff --git a/files/iptables/iptables.staging b/files/iptables/iptables.staging
new file mode 100644
index 0000000000..3ff24914a2
--- /dev/null
+++ b/files/iptables/iptables.staging
@@ -0,0 +1,63 @@
+# {{ ansible_managed }}
+*nat
+:PREROUTING ACCEPT []
+:POSTROUTING ACCEPT []
+:OUTPUT ACCEPT []
+
+# Redirect staging attempts to talk to the external proxy to an internal ip.
+# This is primarily for openid in staging which needs to get around proxy
+# redirects.
+-A OUTPUT -d 209.132.181.14 -j DNAT --to-destination 10.5.126.89
+
+COMMIT
+
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for fireball mode - allow port 5099 from lockbox and it's ips
+-A INPUT -p tcp -m tcp --dport 5099 -s 192.168.1.58 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.126.23 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 10.5.127.51 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5099 -s 209.132.181.6 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
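Review bot: The three `{% for %}` loops near the end of the new template iterate `tcp_ports`, `udp_ports` and `custom_rules` with no fallback, so a staging host that does not define all three presumably fails to render the template instead of receiving the default-deny rules; `{% for port in tcp_ports|default([]) %}` (and the same for the `udp_ports` and `custom_rules` loops) keeps the file usable when a variable is absent. The two port loops accept from any source address, unlike the hand-written 5099/5666 rules above them, which is worth stating in their comment, e.g. `# ports listed here are opened to all sources; use custom_rules to restrict with -s`. Values in `custom_rules` are spliced in verbatim ahead of the final REJECT, so whoever can set that variable in inventory is effectively editing firewall policy; a one-line comment saying so would make that trust boundary explicit. Minor: the nat chain headers use `[]` while the filter chains use `[0:0]`; the `[0:0]` counter form is the consistent one.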
diff --git a/tasks/base.yml b/tasks/base.yml
index ae932524fd..6853975bcc 100644
--- a/tasks/base.yml
+++ b/tasks/base.yml
@@ -71,6 +71,7 @@
 - $iptables
 - $files/iptables/iptables.${ansible_fqdn}
 - $files/iptables/iptables.${host_group}
+ - $files/iptables/iptables.${env}
 - $files/iptables/iptables
 notify:
 - restart iptables
diff --git a/tasks/iptables.yml b/tasks/iptables.yml
index 3d7243ce95..af8bba24e3 100644
--- a/tasks/iptables.yml
+++ b/tasks/iptables.yml
@@ -27,6 +27,7 @@
 - $iptables
 - $files/iptables/iptables.${ansible_fqdn}
 - $files/iptables/iptables.${host_group}
+ - $files/iptables/iptables.${env}
 - $files/iptables/iptables
 notify:
 - restart iptables
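Review bot: The new `$files/iptables/iptables.${env}` candidate is placed below the `${ansible_fqdn}` and `${host_group}` entries in what looks like a first-match candidate list, so a staging host that already has a group- or fqdn-specific rules file will never pick up the staging file and its nat DNAT redirect; if the redirect is meant for every staging host, either that precedence should be stated in a comment next to the list, or those more specific files need the same nat rules. The same list is changed identically in tasks/iptables.yml, so whichever decision is taken applies to both hunks, and the task that owns this list starts outside both hunks. It is also not visible what happens when `env` is undefined for a host — the candidate would presumably stay the literal `iptables.${env}` and be skipped silently — so a comment such as `# env must be set per host/group (e.g. staging) for the env-specific rules file to apply` would make the dependency explicit.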