Ban staging from prod.

2014-08-18 15:52:05 +00:00 · 2014-08-18 15:52:05 +00:00 · b547198a95
commit b547198a95
parent 03f908c8ce
1 changed files with 6 additions and 0 deletions
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@ -30,6 +30,12 @@
 -A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT

+# ban staging from non-staging hosts
+{% if env != 'staging' %}
+{% for host in groups['staging'] %}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% endfor %}
+{% endif %}

 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}