From d55a3cb36f589021b3f50042dfae7582ccc6e5fa Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 8 Jan 2016 16:29:18 +0000
Subject: [PATCH] Setup a qa-isolated group in the qa net and have all other machines in that net reject anything from them. This helps us isolate higher risk qa hosts from lower risk ones without having to move everything to a different network/vlan for now.
---
 inventory/inventory | 36 ++++++++++++++++++++++++++
 roles/base/templates/iptables/iptables | 34 ++++++++++++++++++++++++
 2 files changed, 70 insertions(+)
diff --git a/inventory/inventory b/inventory/inventory
index 5c879b7f9c..e0068caa00 100644
--- a/inventory/inventory
+++ b/inventory/inventory
@@ -1106,3 +1106,39 @@ infinote.fedoraproject.org
 [gnome-backups]
 gnome-backups01.phx2.fedoraproject.org
+
+[qa-isolated]
+beaker01.qa.fedoraproject.org
+beaker-stg01.qa.fedoraproject.org
+qa02.qa.fedoraproject.org
+qa08.qa.fedoraproject.org
+qa04.qa.fedoraproject.org
+openqa01.qa.fedoraproject.org
+qa05.qa.fedoraproject.org
+qa06.qa.fedoraproject.org
+openqa-stg01.qa.fedoraproject.org
+qa07.qa.fedoraproject.org
+db-qa01.qa.fedoraproject.org
+taskotron-dev01.qa.fedoraproject.org
+taskotron-client26.qa.fedoraproject.org
+taskotron-client27.qa.fedoraproject.org
+taskotron-client28.qa.fedoraproject.org
+taskotron-client29.qa.fedoraproject.org
+qa11.qa.fedoraproject.org
+taskotron-stg01.qa.fedoraproject.org
+taskotron-client11.qa.fedoraproject.org
+taskotron-client12.qa.fedoraproject.org
+taskotron-client13.qa.fedoraproject.org
+taskotron-client14.qa.fedoraproject.org
+taskotron-client19.qa.fedoraproject.org
+taskotron-client20.qa.fedoraproject.org
+taskotron-client21.qa.fedoraproject.org
+taskotron01.qa.fedoraproject.org
+taskotron-client07.qa.fedoraproject.org
+taskotron-client08.qa.fedoraproject.org
+taskotron-client09.qa.fedoraproject.org
+taskotron-client10.qa.fedoraproject.org
+taskotron-client22.qa.fedoraproject.org
+taskotron-client23.qa.fedoraproject.org
+taskotron-client24.qa.fedoraproject.org
+taskotron-client25.qa.fedoraproject.org
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index b4bcbac1eb..3042ddfc86 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -40,6 +40,40 @@
 {% endfor %}
 {% endif %}
+{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
+#
+# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
+# to block all access from that group. This is to protect them from any possible attack
+# vectors from qa-isolated machines.
+#
+# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
+-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
+{% for host in groups['qa-isolated']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
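Review bot: A qa-isolated host whose hostvars lack `eth0_ip` is silently left out of the REJECT list — the `{% else %}` branch only emits a comment, so this isolation control fails open for that host and nothing in the play would surface it. For a security boundary it is safer to fail the render instead, e.g. drop the `{% if %}`/`{% else %}` and emit `-A INPUT -s {{ hostvars[host]['eth0_ip'] | mandatory }} -j REJECT --reject-with icmp-host-prohibited`, so a missing address stops the deploy rather than being noted in a comment. The REJECTs also only isolate if no ACCEPT rule earlier in this template (above line 40, outside the hunk) already matches traffic from these sources, since iptables takes the first matching rule; the rules preceding this block are not visible here, so it is worth confirming the block sits before any per-port ACCEPTs rather than after them. Finally, the 19 hard-coded beaker client lines could collapse to a single `-A INPUT -m iprange --src-range 10.5.131.31-10.5.131.49 -j REJECT --reject-with icmp-host-prohibited`, which is easier to keep in step with the beaker client pool.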