From ee49c53f084ea418491addc2d031d916f38e7776 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Mon, 3 May 2021 11:58:46 -0700
Subject: [PATCH] base / iptables: Adjust iptables on all vpn hosts to drop less secure traffic
Most of our vpn hosts are on a 192.168.1.0/24 network. However we have a small number on a 'less secure' 'less trusted' subnet: 192.168.100.0/24. This change adds in logic to:
* on log01, allow rsyslog from 192.168.100.x hosts
* on ipa servers, allow ipa ports for 192.168.100.x hosts
* then reject everything else. This will make sure 192.168.100.x hosts can only hit ssh and the two above items, otherwise all vpn hosts will reject their traffic. This should add a bit of security to having those hosts on the vpn.
Signed-off-by: Kevin Fenzi
---
 roles/base/templates/iptables/iptables | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index c0b7b73b69..057e368bdb 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -45,6 +45,30 @@
 -A INPUT -s 10.3.167.0/24 -j REJECT --reject-with icmp-host-prohibited
 {% endif %}
+{% if vpn %}
+#
+# We want to have all vpn hosts reject most things from the 'less secure' vpn network
+#
+{% if inventory_hostname == 'log01.iad2.fedoraproject.org' %}
+# Allow all vpn hosts to talk to the log server for rsyslog
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 514 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 25826 -j ACCEPT
+{% endif %}
+{% if inventory_hostname in groups['ipa'] %}
+# Allow all vpn hosts to talk to the ipa servers for auth
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 80 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 389 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 443 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 464 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m tcp -p tcp --dport 636 -j ACCEPT
+
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 88 -j ACCEPT
+-A INPUT -s 192.168.100.0/24 -m udp -p udp --dport 464 -j ACCEPT
+{% endif %}
+# Reject all further connections from less secure vpn
+-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited
+{% endif %}
 # if the host declares a fedmsg-enabled wsgi app, open ports for it
 {% if wsgi_fedmsg_service is defined %}
 {% for i in range(wsgi_procs * wsgi_threads) %}
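Review bot: The comment `# Allow all vpn hosts to talk to the log server for rsyslog` (and the matching one on the ipa block) overstates the match: the rules beneath it accept only from 192.168.100.0/24, and the second of them opens 25826/udp, which is not a syslog port (25826/udp is collectd's default network port), so the comment should name the subnet and both services, e.g. `# Allow the less-secure vpn subnet to reach log01 for rsyslog (514/tcp) and collectd (25826/udp)`. The final `-A INPUT -s 192.168.100.0/24 -j REJECT` leaves only ssh reachable, as the commit message states, if the ssh and ESTABLISHED,RELATED accepts sit earlier in the template; those rules are outside the hunk, so a one-line comment on the REJECT stating that ordering dependency would keep a later reordering from silently locking those hosts out or shadowing reply traffic. The subnet literal is repeated twelve times; a single `{% set %}` variable at the top of the `{% if vpn %}` block would keep the accepts and the reject in step if the subnet ever changes.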