openqa: update iptables NAT rule implementation
Since we set this up, @puiterwijk added a nice `nat_rules` thing that lets us add NAT rules without forking the iptables template, and I just set up the `openqa_tap_iface` variable to avoid the stupid thing where I hardcoded all the possible interface names for different arches. So let's use those two together FOR GREAT JUSTICE! Or possibly just to break everything, you know, we'll find out shortly. Signed-off-by: Adam Williamson <awilliam@redhat.com>
This commit is contained in:
Adam Williamson
Pierre-Yves Chibon
parent
7d7ef7f4fe
commit
ee006a8d3e
2 changed files with 4 additions and 130 deletions
|
|
@ -11,3 +11,7 @@ custom_rules: [
|
|||
'-A FORWARD -m state -i {{ openqa_tap_iface }} -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
|
||||
'-A INPUT -i br0 -j ACCEPT'
|
||||
]
|
||||
nat_rules: [
|
||||
# masquerade for openQA openvswitch workers to reach the outside
|
||||
'-A POSTROUTING -o {{ openqa_tap_iface }} -j MASQUERADE'
|
||||
]
|
||||
|
|
|
|||
|
|
@ -1,130 +0,0 @@
|
|||
# {{ ansible_managed }}
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
|
||||
# allow ping and traceroute
|
||||
-A INPUT -p icmp -j ACCEPT
|
||||
|
||||
# localhost is fine
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
|
||||
# Established connections allowed
|
||||
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
||||
|
||||
# if the blocked_ips is defined - drop them
|
||||
{% if blocked_ips is defined %}
|
||||
{% for ip in blocked_ips %}
|
||||
-A INPUT -s {{ ip }} -j DROP
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# allow ssh - always
|
||||
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
||||
|
||||
# for nrpe - allow it from nocs
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
|
||||
# FIXME - this is the global nat-ip and we need the noc01-specific ip
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
|
||||
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
|
||||
|
||||
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
|
||||
#
|
||||
# In the phx2 datacenter, both production and staging hosts are in the same
|
||||
# subnet/vlan. We want production hosts to reject connectons from staging group hosts
|
||||
# to prevent them from interfering with production. There are however a few hosts in
|
||||
# production we have marked 'staging-friendly' that we do allow staging to talk to for
|
||||
# mostly read-only data they need.
|
||||
#
|
||||
{% for host in groups['staging']|sort %}
|
||||
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
|
||||
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% elif 'em3_ip' in hostvars[host] %}# {{ host }}
|
||||
-A INPUT -s {{ hostvars[host]['em3_ip'] }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}# {{ host }} has no 'eth0_ip' listed
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
|
||||
#
|
||||
# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
|
||||
# to block all access from that group. This is to protect them from any possible attack
|
||||
# vectors from qa-isolated machines.
|
||||
#
|
||||
# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
|
||||
-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
|
||||
-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
|
||||
{% for host in groups['qa_isolated']|sort %}
|
||||
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
|
||||
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% elif 'em3_ip' in hostvars[host] %}# {{ host }}
|
||||
-A INPUT -s {{ hostvars[host]['em3_ip'] }} -j REJECT --reject-with icmp-host-prohibited
|
||||
{% else %}# {{ host }} has no 'eth0_ip' listed
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
# if the host declares a fedmsg-enabled wsgi app, open ports for it
|
||||
{% if wsgi_fedmsg_service is defined %}
|
||||
{% for i in range(wsgi_procs * wsgi_threads) %}
|
||||
-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
|
||||
# if the host/group defines incoming tcp_ports - allow them
|
||||
{% if tcp_ports is defined %}
|
||||
{% for port in tcp_ports %}
|
||||
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# if the host/group defines incoming udp_ports - allow them
|
||||
{% if udp_ports is defined %}
|
||||
{% for port in udp_ports %}
|
||||
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# if there are custom rules - put them in as-is
|
||||
{% if custom_rules is defined %}
|
||||
{% for rule in custom_rules %}
|
||||
{{ rule }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
# otherwise kick everything out
|
||||
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
||||
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
||||
COMMIT
|
||||
|
||||
*nat
|
||||
# masquerade for openQA openvswitch workers to reach the outside
|
||||
# eth0 is the active interface on the x86_64 tap worker hosts,
|
||||
# eth2 is the active interface on the ppc64 tap worker host
|
||||
-A POSTROUTING -o eth0 -j MASQUERADE
|
||||
-A POSTROUTING -o em3 -j MASQUERADE
|
||||
-A POSTROUTING -o eth2 -j MASQUERADE
|
||||
COMMIT
|
||||
Loading…
Add table
Add a link
Reference in a new issue