diff --git a/inventory/inventory b/inventory/inventory
index 5c879b7f9c..e0068caa00 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -1106,3 +1106,39 @@ infinote.fedoraproject.org
 [gnome-backups]
 gnome-backups01.phx2.fedoraproject.org
+
+[qa-isolated]
+beaker01.qa.fedoraproject.org
+beaker-stg01.qa.fedoraproject.org
+qa02.qa.fedoraproject.org
+qa08.qa.fedoraproject.org
+qa04.qa.fedoraproject.org
+openqa01.qa.fedoraproject.org
+qa05.qa.fedoraproject.org
+qa06.qa.fedoraproject.org
+openqa-stg01.qa.fedoraproject.org
+qa07.qa.fedoraproject.org
+db-qa01.qa.fedoraproject.org
+taskotron-dev01.qa.fedoraproject.org
+taskotron-client26.qa.fedoraproject.org
+taskotron-client27.qa.fedoraproject.org
+taskotron-client28.qa.fedoraproject.org
+taskotron-client29.qa.fedoraproject.org
+qa11.qa.fedoraproject.org
+taskotron-stg01.qa.fedoraproject.org
+taskotron-client11.qa.fedoraproject.org
+taskotron-client12.qa.fedoraproject.org
+taskotron-client13.qa.fedoraproject.org
+taskotron-client14.qa.fedoraproject.org
+taskotron-client19.qa.fedoraproject.org
+taskotron-client20.qa.fedoraproject.org
+taskotron-client21.qa.fedoraproject.org
+taskotron01.qa.fedoraproject.org
+taskotron-client07.qa.fedoraproject.org
+taskotron-client08.qa.fedoraproject.org
+taskotron-client09.qa.fedoraproject.org
+taskotron-client10.qa.fedoraproject.org
+taskotron-client22.qa.fedoraproject.org
+taskotron-client23.qa.fedoraproject.org
+taskotron-client24.qa.fedoraproject.org
+taskotron-client25.qa.fedoraproject.org
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index b4bcbac1eb..3042ddfc86 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -40,6 +40,40 @@
 {% endfor %}
 {% endif %}
+{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
+#
+# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
+# to block all access from that group. This is to protect them from any possible attack
+# vectors from qa-isolated machines.
+#
+# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
+-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
+{% for host in groups['qa-isolated']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
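Review bot: The REJECT rules this block appends only stop traffic that no earlier rule has already accepted, because iptables matches first-hit; the hunk begins at line 40 of the template, so any ACCEPT rules rendered above it (not visible here, so this is inferred) keep those ports reachable from the rejected sources, and the block should be placed ahead of any port-opening ACCEPT lines. The `{% else %}` branch for a `qa-isolated` host without `eth0_ip` renders only a comment, so that host is silently left unblocked; making the render fail instead, e.g. `-A INPUT -s {{ hostvars[host]['eth0_ip'] | mandatory }} -j REJECT --reject-with icmp-host-prohibited` in place of the `if`/`else`, would surface the gap rather than bury it in the generated file. The nineteen hard-coded beaker-client lines can be a single rule, `-A INPUT -m iprange --src-range 10.5.131.31-10.5.131.49 -j REJECT --reject-with icmp-host-prohibited`, with the range held in an inventory variable next to the group it belongs to rather than in the template. Matching on `eth0_ip` alone also leaves a host with additional addresses only partially isolated, which the header comment should state.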