From eaf3837e58542c05a2bf2df472e06159dd4089fc Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 28 May 2020 14:35:33 -0700
Subject: [PATCH] kojibuilder: Break out a new set of iptables rules for iad2

Put all the rules in the kojibuilder file so we can just nuke the phx2 part later and not have to move groups around, etc.
Also, nuke the old unused bkernel network template.

Signed-off-by: Kevin Fenzi
---
 .../templates/iptables/iptables.kojibuilder | 122 ++++++++++++++++++
 roles/bkernel/templates/bkernel-eth0-network | 11 --
 2 files changed, 122 insertions(+), 11 deletions(-)
 delete mode 100644 roles/bkernel/templates/bkernel-eth0-network

diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index 4492dd231d..9cedad465c 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -1,3 +1,4 @@
+{% if datacenter == 'phx2' %}
 # {{ ansible_managed }}
 *filter
 :INPUT DROP []
@@ -137,3 +138,124 @@
 {{ rule }}
 {% endfor %}
 COMMIT
+{% elif datacenter == 'iad2' %}
+# {{ ansible_managed }}
+*filter
+:INPUT DROP []
+:FORWARD DROP []
+:OUTPUT DROP []
+
+# loopback allowed
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+-A INPUT -i virbr0 -j ACCEPT
+-A OUTPUT -o virbr0 -j ACCEPT
+-A INPUT -d 127.0.0.0/8 -j ACCEPT
+-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
+
+# Accept ping and traceroute (needs icmp)
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# kojipkgs
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
+{% endif %}
+
+# DNS
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+
+# bastion smtp
+-A OUTPUT -p tcp -m tcp -d 10.3.163.31 --dport 25 -j ACCEPT
+
+# infra.fp.o
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
+
+# rsyslog out to log01
+-A OUTPUT -p tcp -m tcp -d 10.3.163.39 --dport 514 -j ACCEPT
+
+# SSH
+-A INPUT -p tcp -m tcp -s 10.3.0.0/16 --dport 22 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.0.0/16 --sport 22 -j ACCEPT
+{% if inventory_hostname.startswith (('buildvm-s390x-15', 'buildvm-s390x-16','buildvm-s390x-17')) %}
+# Allow SSHFS binding to koji01
+-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 22 -j ACCEPT
+{% endif %}
+
+# http to pull sources from pkgs lookaside
+#-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
+
+# https git on pagure,io
+-A OUTPUT -p tcp -m tcp -d 8.43.85.75 --dport 443 -j ACCEPT
+
+# admin.fedoraproject.org for fas (proyx(1)01 and proxy(1)10)
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
+# for 2 facter auth
+-A OUTPUT -p tcp -m tcp -d 10.3.163.69 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.70 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.71 --dport 8443 -j ACCEPT
+
+#nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but
+# kinda necessary
+-A INPUT -m tcp -p tcp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.11 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.11 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.12 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.12 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.13 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.13 -j ACCEPT
+-A INPUT -m tcp -p tcp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m tcp -p tcp -d 10.3.162.14 -j ACCEPT
+-A INPUT -m udp -p udp -s 10.3.162.14 -j ACCEPT
+-A OUTPUT -m udp -p udp -d 10.3.162.14 -j ACCEPT
+
+# ntp
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.31 -j ACCEPT
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.32 -j ACCEPT
+
+# dhcp
+-A OUTPUT -m udp -p udp --dport 67 -d 10.3.163.10 -j ACCEPT
+
+# if the host/group defines incoming tcp_ports - allow them
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+
+# if there are custom rules - put them in as-is
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+COMMIT
+{% endif %}
diff --git a/roles/bkernel/templates/bkernel-eth0-network b/roles/bkernel/templates/bkernel-eth0-network
deleted file mode 100644
index 3ba815a9b7..0000000000
--- a/roles/bkernel/templates/bkernel-eth0-network
+++ /dev/null
@@ -1,11 +0,0 @@
-DEVICE={{ ansible_eth0["device"] }}
-BOOTPROTO="static"
-DNS1="10.5.126.21"
-DNS2="10.5.126.22"
-GATEWAY="10.5.125.254"
-HWADDR={{ ansible_eth0["macaddress"] }}
-IPADDR={{ ansible_eth0["ipv4"]["address"] }}
-NETMASK={{ ansible_eth0["ipv4"]["netmask"] }}
-NM_CONTROLLED="yes"
-ONBOOT="yes"
-TYPE="Ethernet"
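Review bot: The `{% if datacenter == 'phx2' %}` / `{% elif datacenter == 'iad2' %}` / `{% endif %}` structure closed at the end of this hunk has no `{% else %}`, so a builder whose `datacenter` is any other value renders an empty iptables file, and loading an empty ruleset leaves INPUT/FORWARD/OUTPUT at the kernel's built-in ACCEPT policy instead of the `DROP` policies this template sets — the guard fails open rather than closed. In the DNS block the two `10.3.163.33` lines are both UDP and the two `10.3.163.34` lines are both TCP, which reads like a copy/paste slip; presumably each resolver should get one of each, i.e. `-A OUTPUT -p tcp -m tcp -d 10.3.163.33 --dport 53 -j ACCEPT` and `-A OUTPUT -p udp -m udp -d 10.3.163.34 --dport 53 -j ACCEPT` in place of the duplicates. `{% if host in groups['buildvm_s390x'] %}` depends on a `host` variable existing at render time, whereas the SSH stanza a few lines down uses `inventory_hostname`; if `host` is not set for every builder the render fails, so confirm it against the phx2 half of the file, which is outside this hunk. The commented-out lookaside rule still names a phx2 address (`10.5.125.44`) and the comments carry typos (`pagure,io`, `proyx(1)01`, `2 facter`, `to wide-open`) that are worth fixing now, before the phx2 branch is removed and this becomes the only copy. A minimal fail-closed fallback before the `{% endif %}` would be:
```jinja
{# … unchanged: iad2 rules through COMMIT … #}
{% else %}
# {{ ansible_managed }}
# unknown datacenter '{{ datacenter }}': fail closed, loopback only
*filter
:INPUT DROP []
:FORWARD DROP []
:OUTPUT DROP []
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
{% endif %}
```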