kojibuilder: Break out a new set of iptables rules for iad2

Put all the rules in the kojibuilder file so we can just nuke the phx2 part later and not have to move groups around, etc. Also, nuke the old unused bkernel network template. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2020-05-28 14:35:33 -07:00 · 2020-05-28 14:35:33 -07:00 · eaf3837e58
commit eaf3837e58
parent 389f7acd64
2 changed files with 122 additions and 11 deletions
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@ -1,3 +1,4 @@
+{% if datacenter == 'phx2' %}
 # {{ ansible_managed }}
 *filter
 :INPUT DROP []
@ -137,3 +138,124 @@
 {{ rule }}
 {% endfor %}
 COMMIT
+{% elif datacenter == 'iad2' %}
+# {{ ansible_managed }}
+*filter
+:INPUT DROP []
+:FORWARD DROP []
+:OUTPUT DROP []
+
+# loopback allowed
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i virbr0 -j ACCEPT
+-A OUTPUT -o virbr0 -j ACCEPT
+-A INPUT  -d 127.0.0.0/8 -j ACCEPT
+-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+
+# Accept ping and traceroute (needs icmp)
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# kojipkgs
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
+{% endif %}
+
+# DNS
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+
+# bastion smtp
+-A OUTPUT -p tcp -m tcp -d 10.3.163.31 --dport 25 -j ACCEPT
+
+# infra.fp.o
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
+
+# rsyslog out to log01
+-A OUTPUT -p tcp -m tcp -d 10.3.163.39 --dport 514 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp -s 10.3.0.0/16 --dport 22 -j ACCEPT 
+-A OUTPUT -p tcp -m tcp -d 10.3.0.0/16 --sport 22  -j ACCEPT
+{% if inventory_hostname.startswith (('buildvm-s390x-15', 'buildvm-s390x-16','buildvm-s390x-17')) %}
+# Allow SSHFS binding to koji01
+-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22  -j ACCEPT
+{% endif %}
+
+# http to pull sources from pkgs lookaside
+#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
+
+# https git on pagure,io
+-A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT
+
+# admin.fedoraproject.org  for fas (proyx(1)01 and proxy(1)10)
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
+# for 2 facter auth
+-A OUTPUT -p tcp -m tcp -d 10.3.163.69 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.70 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.71 --dport 8443 -j ACCEPT
+
+#nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but 
+# kinda necessary
+-A INPUT -m tcp -p tcp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.14 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.14 -j ACCEPT
+
+# ntp
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.31 -j ACCEPT
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.32 -j ACCEPT
+
+# dhcp
+-A OUTPUT -m udp -p udp --dport 67 -d 10.3.163.10 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}
--- a/roles/bkernel/templates/bkernel-eth0-network
+++ b/roles/bkernel/templates/bkernel-eth0-network
@ -1,11 +0,0 @@
-DEVICE={{ ansible_eth0["device"] }}
-BOOTPROTO="static"
-DNS1="10.5.126.21"
-DNS2="10.5.126.22"
-GATEWAY="10.5.125.254"
-HWADDR={{ ansible_eth0["macaddress"] }}
-IPADDR={{ ansible_eth0["ipv4"]["address"] }}
-NETMASK={{ ansible_eth0["ipv4"]["netmask"] }}
-NM_CONTROLLED="yes"
-ONBOOT="yes"
-TYPE="Ethernet"