Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

base / iptables: Adjust iptables on all vpn hosts to drop less secure traffic

Browse source 
Most of our vpn hosts are on a 192.168.1.0/24 network.
However we have a small number on a 'less secure' 'less trusted' subnet:
192.168.100.0/24. This change adds in logic to:
* on log01, allow rsyslog from 192.168.100.x hosts
* on ipa servers, allow ipa ports for 192.168.100.x hosts
* then reject everything else.
This will make sure 192.168.100.x hosts can only hit ssh and the two
above items, otherwise all vpn hosts will reject their traffic. This
should add a bit of security to having those hosts on the vpn.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This commit is contained in:
Kevin Fenzi 2021-05-03 11:58:46 -07:00 committed by kevin
parent 6e6dbc0581
commit ee49c53f08
1 changed files with 24 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

24
roles/base/templates/iptables/iptables
View file

@ -45,6 +45,30 @@
-A INPUT -s 10.3.167.0/24 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
{% if vpn %}
#
# We want to have all vpn hosts reject most things from the 'less secure' vpn network
#
{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
# Allow all vpn hosts to talk to the log server for rsyslog
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 514 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 25826 -j ACCEPT
{% endif %}
{% if inventory_hostname in groups['ipa'] %}
# Allow all vpn hosts to talk to the ipa servers for auth
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 88 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 464 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 636 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 88 -j ACCEPT
-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 464 -j ACCEPT
{% endif %}
# Reject all further connections from less secure vpn
-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited
{% endif %}
# if the host declares a fedmsg-enabled wsgi app, open ports for it
{% if wsgi_fedmsg_service is defined %}
{% for i in range(wsgi_procs * wsgi_threads) %}