From b547198a95f6f732427ef6506b230ff5f7d62b4b Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Mon, 18 Aug 2014 15:52:05 +0000
Subject: [PATCH] Ban staging from prod.
---
 roles/base/templates/iptables/iptables | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 97160bdbce..7b995743ab 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -30,6 +30,12 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+# ban staging from non-staging hosts
+{% if env != 'staging' %}
+{% for host in groups['staging'] %}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% endfor %}
+{% endif %}
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports is defined %}
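Review bot: The new REJECT loop reads `hostvars[host]['eth0_ip']` for every member of `groups['staging']` without checking that the fact exists, so a single staging host with no gathered `eth0_ip` will either fail the template render or emit a malformed `-A INPUT -s  -j REJECT` line on every non-staging host, which would stop the ruleset from loading. Wrapping the rule in `{% if hostvars[host]['eth0_ip'] is defined %}` … `{% endif %}` keeps one bad inventory entry from blocking the firewall rollout. Rule order also matters here: iptables stops at the first match, and these rejects sit below the `--dport 5666` accepts shown in the context and below whatever ACCEPT rules precede line 30 (not visible in this hunk), so staging traffic that matches any of those is still admitted; if that is intended, a comment such as `# placed after the accepts above on purpose; those stay reachable from staging` would make it explicit. The rule covers only the IPv4 address on eth0, so staging hosts with additional interfaces or IPv6 addresses are presumably not banned by it.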