diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index 4492dd231d..9cedad465c 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -1,3 +1,4 @@
+{% if datacenter == 'phx2' %}
 # {{ ansible_managed }}
 *filter
 :INPUT DROP []
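Review bot: A host whose `datacenter` is neither 'phx2' nor 'iad2' now renders an empty rules file, because the `{% if datacenter == 'phx2' %}` opened here is closed only by the `{% elif datacenter == 'iad2' %}` … `{% endif %}` added in the second hunk, with no `else` branch. Depending on how the file is loaded, an empty ruleset most likely leaves the builder with no `DROP` policies at all instead of failing the play. I would add an `{% else %}` branch that fails closed — at minimum the `*filter` header, the three `:INPUT`/`:FORWARD`/`:OUTPUT DROP []` policies and `COMMIT` — so an unexpected datacenter value still yields a default-deny ruleset, or make the render fail explicitly. The same point applies to the `{% endif %}` that ends the second hunk.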
@@ -137,3 +138,124 @@
 {{ rule }}
 {% endfor %}
 COMMIT
+{% elif datacenter == 'iad2' %}
+# {{ ansible_managed }}
+*filter
+:INPUT DROP []
+:FORWARD DROP []
+:OUTPUT DROP []
+
+# loopback allowed
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i virbr0 -j ACCEPT
+-A OUTPUT -o virbr0 -j ACCEPT
+-A INPUT -d 127.0.0.0/8 -j ACCEPT
+-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+
+# Accept ping and traceroute (needs icmp)
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# kojipkgs
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
+{% endif %}
+
+# DNS
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+
+# bastion smtp
+-A OUTPUT -p tcp -m tcp -d 10.3.163.31 --dport 25 -j ACCEPT
+
+# infra.fp.o
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
+
+# rsyslog out to log01
+-A OUTPUT -p tcp -m tcp -d 10.3.163.39 --dport 514 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp -s 10.3.0.0/16 --dport 22 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.0.0/16 --sport 22 -j ACCEPT
+{% if inventory_hostname.startswith (('buildvm-s390x-15', 'buildvm-s390x-16','buildvm-s390x-17')) %}
+# Allow SSHFS binding to koji01
+-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT
+{% endif %}
+
+# http to pull sources from pkgs lookaside
+#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
+
+# https git on pagure,io
+-A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT
+
+# admin.fedoraproject.org for fas (proyx(1)01 and proxy(1)10)
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
+# for 2 facter auth
+-A OUTPUT -p tcp -m tcp -d 10.3.163.69 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.70 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.71 --dport 8443 -j ACCEPT
+
+#nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but
+# kinda necessary
+-A INPUT -m tcp -p tcp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.14 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.14 -j ACCEPT
+
+# ntp
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.31 -j ACCEPT
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.32 -j ACCEPT
+
+# dhcp
+-A OUTPUT -m udp -p udp --dport 67 -d 10.3.163.10 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}
diff --git a/roles/bkernel/templates/bkernel-eth0-network b/roles/bkernel/templates/bkernel-eth0-network
deleted file mode 100644
index 3ba815a9b7..0000000000
--- a/roles/bkernel/templates/bkernel-eth0-network
+++ /dev/null
@@ -1,11 +0,0 @@
-DEVICE={{ ansible_eth0["device"] }}
-BOOTPROTO="static"
-DNS1="10.5.126.21"
-DNS2="10.5.126.22"
-GATEWAY="10.5.125.254"
-HWADDR={{ ansible_eth0["macaddress"] }}
-IPADDR={{ ansible_eth0["ipv4"]["address"] }}
-NETMASK={{ ansible_eth0["ipv4"]["netmask"] }}
-NM_CONTROLLED="yes"
-ONBOOT="yes"
-TYPE="Ethernet"
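Review bot: The `# DNS` block in the iad2 branch has each rule duplicated and only one protocol per server: 10.3.163.33 gets two identical udp rules and 10.3.163.34 two identical tcp rules, so TCP queries to .33 and UDP queries to .34 are dropped by the `:OUTPUT DROP []` policy. If both resolvers are meant to answer over both protocols, the two duplicate lines should become `-A OUTPUT -p tcp -m tcp -d 10.3.163.33 --dport 53 -j ACCEPT` and `-A OUTPUT -p udp -m udp -d 10.3.163.34 --dport 53 -j ACCEPT`. Separately, the kojipkgs guard tests `host in groups['buildvm_s390x']` while the SSHFS guard later in the same branch uses `inventory_hostname`; unless `host` is a variable this role defines, it is probably meant to be `inventory_hostname` as well, and under strict undefined handling the render would fail on it. The NFS rules copied into this branch accept any tcp/udp from 10.3.162.11–14 on INPUT without a port, which the comment itself calls wide open; narrowing them to the NFS ports in a follow-up would reduce the exposure of the builders.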