From f72ff64029268045dbe4530d8634dd1751cff89f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 24 Sep 2024 10:55:20 -0700
Subject: [PATCH] bastion / iptables: Add internal RH mxes and drop global allow

We want to allow internal mx'es to send us email still. We want to drop the global allow for port 25 now that we hopefully have all the legit senders listed.

Signed-off-by: Kevin Fenzi
---
 inventory/group_vars/bastion                   | 2 +-
 roles/base/templates/iptables/iptables.bastion | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 7a7b67e89d..c9f08e2da2 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -67,5 +67,5 @@ primary_auth_source: ipa
 #
 # allow incoming openvpn and smtp
 #
-tcp_ports: [22, 25, 1194]
+tcp_ports: [22, 1194]
 udp_ports: [1194]
diff --git a/roles/base/templates/iptables/iptables.bastion b/roles/base/templates/iptables/iptables.bastion
index 6133eb17ee..05eb9720f0 100644
--- a/roles/base/templates/iptables/iptables.bastion
+++ b/roles/base/templates/iptables/iptables.bastion
@@ -77,6 +77,9 @@
 -A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
+# redhat mxes
+-A INPUT -s 10.30.177.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 10.30.29.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 # mimecast ips from
 # https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
 -A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
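Review bot: The context comment `# allow incoming openvpn and smtp` directly above `tcp_ports` is now stale, since 25 is removed from the list and the next reader will assume SMTP is still open to the world. I would change it to `# allow incoming openvpn; smtp (25) is only accepted from the per-source rules in roles/base/templates/iptables/iptables.bastion` so the intent of the narrowing survives in the inventory. If the template emits a generic ACCEPT per entry of tcp_ports (not visible here), this removal is the actual global drop, so it is worth stating in the commit message how inbound mail was verified after the change.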
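Review bot: The two new rules open port 25 to entire /24 networks under a one-word comment `# redhat mxes`, with no record of which MX hosts live there or where the ranges came from, unlike the neighbouring mimecast block that cites its source. Since this commit also drops the global allow, these allowlist entries become the security boundary for SMTP, so any host in 10.30.177.0/24 or 10.30.29.0/24 can now reach the bastion's MTA; if the actual MX addresses are known, /32 entries would be tighter. I would expand the comment to something like `# Red Hat internal MX relays (source: <ticket/contact>, <date>); widen or narrow here if the MX hosts move`. The INPUT chain's remaining rules, including whatever final DROP/REJECT these ACCEPTs must precede, are outside this hunk and cannot be checked from here.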