diff --git a/inventory/group_vars/openqa_tap_workers b/inventory/group_vars/openqa_tap_workers
index ce47cd9e0b..95e1cde731 100644
--- a/inventory/group_vars/openqa_tap_workers
+++ b/inventory/group_vars/openqa_tap_workers
@@ -11,3 +11,7 @@ custom_rules: [
 '-A FORWARD -m state -i {{ openqa_tap_iface }} -o br0 --state RELATED,ESTABLISHED -j ACCEPT',
 '-A INPUT -i br0 -j ACCEPT'
 ]
+nat_rules: [
+ # masquerade for openQA openvswitch workers to reach the outside
+ '-A POSTROUTING -o {{ openqa_tap_iface }} -j MASQUERADE'
+ ]
diff --git a/roles/base/templates/iptables/iptables.openqa-tap-workers b/roles/base/templates/iptables/iptables.openqa-tap-workers
deleted file mode 100644
index dbf5b21958..0000000000
--- a/roles/base/templates/iptables/iptables.openqa-tap-workers
+++ /dev/null
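Review bot: The new `nat_rules` list only takes effect if the shared base iptables template (not in this diff) renders it into a `*nat` table with its own `COMMIT`; the deleted per-group template carried that `*nat` section itself, so if the generic template has no loop over `nat_rules` the tap workers silently lose outbound masquerading. The rule also rewrites every packet leaving `{{ openqa_tap_iface }}` with no `-s` match, as the old file did; since the FORWARD rule above shows the workers sit behind br0, consider narrowing it to that network, e.g. `'-A POSTROUTING -s <OPENQA_TAP_SUBNET> -o {{ openqa_tap_iface }} -j MASQUERADE'`, so only forwarded worker traffic is NATed and host-originated traffic keeps its real source. The removed template masqueraded on eth0, em3 and eth2 regardless of host, so correctness now rests on `openqa_tap_iface` being set per host (x86_64 vs ppc64) in inventory not visible here. Stylistically, a comment inside a multi-line flow sequence is unusual; the block form `nat_rules:` / `  # masquerade for openQA openvswitch workers to reach the outside` / `  - '-A POSTROUTING -o {{ openqa_tap_iface }} -j MASQUERADE'` reads more clearly, though it would then differ from `custom_rules` just above.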
@@ -1,130 +0,0 @@
-# {{ ansible_managed }}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
-{% endif %}
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
-
-{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
-#
-# In the phx2 datacenter, both production and staging hosts are in the same
-# subnet/vlan. We want production hosts to reject connectons from staging group hosts
-# to prevent them from interfering with production. There are however a few hosts in
-# production we have marked 'staging-friendly' that we do allow staging to talk to for
-# mostly read-only data they need.
-#
-{% for host in groups['staging']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% elif 'em3_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['em3_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-
-{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
-#
-# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
-# to block all access from that group. This is to protect them from any possible attack
-# vectors from qa-isolated machines.
-#
-# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
--A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
--A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
-{% for host in groups['qa_isolated']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% elif 'em3_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['em3_ip'] }} -j REJECT --reject-with icmp-host-prohibited
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% endif %}
-# if the host declares a fedmsg-enabled wsgi app, open ports for it
-{% if wsgi_fedmsg_service is defined %}
-{% for i in range(wsgi_procs * wsgi_threads) %}
--A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
-
-*nat
-# masquerade for openQA openvswitch workers to reach the outside
-# eth0 is the active interface on the x86_64 tap worker hosts,
-# eth2 is the active interface on the ppc64 tap worker host
--A POSTROUTING -o eth0 -j MASQUERADE
--A POSTROUTING -o em3 -j MASQUERADE
--A POSTROUTING -o eth2 -j MASQUERADE
-COMMIT