From f8c4957c95fdb345cf866f9f6b8ae16a8d7dfce9 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Tue, 30 Jun 2020 14:24:09 -0700
Subject: [PATCH] iptables: adjust for new noc01 ip, drop some iptables files no longer used.
Signed-off-by: Kevin Fenzi
---
 roles/base/templates/iptables/iptables | 4 +-
 roles/base/templates/iptables/iptables.osuosl | 4 +-
 ...ptables.pgbdr01.stg.phx2.fedoraproject.org | 88 -------------------
 ...ptables.pgbdr02.stg.phx2.fedoraproject.org | 88 -------------------
 roles/base/templates/iptables/iptables.releng | 4 +-
 .../base/templates/iptables/iptables.staging | 4 +-
 ...iptables.storinator01.fedorainfracloud.org | 4 +-
 .../iptables.torrent02.fedoraproject.org | 4 +-
 8 files changed, 12 insertions(+), 188 deletions(-)
 delete mode 100644 roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org
 delete mode 100644 roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org
diff --git a/roles/base/templates/iptables/iptables b/roles/base/templates/iptables/iptables
index 1693c0f34a..8b879523c3 100644
--- a/roles/base/templates/iptables/iptables
+++ b/roles/base/templates/iptables/iptables
@@ -28,8 +28,8 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.163.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.3.166.10 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl
index 9741d1a6ef..460da51356 100644
--- a/roles/base/templates/iptables/iptables.osuosl
+++ b/roles/base/templates/iptables/iptables.osuosl
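Review bot: The context line `# FIXME - this is the global nat-ip and we need the noc01-specific ip` is kept directly above the two replaced ACCEPT rules in this hunk, so after the change a reader cannot tell whether 38.145.60.16 and 38.145.60.15 are the noc01-specific addresses the FIXME asked for or another shared NAT address; the same stale comment survives in the iptables.osuosl, iptables.releng, iptables.staging, storinator01 and torrent02 hunks. If the new addresses resolve the FIXME, replace it with a comment naming the host behind each address, e.g. `# nrpe from noc01 (38.145.60.16) and <second host - fill in> (38.145.60.15)`; otherwise reword it to say what is still outstanding. The same pair of port-5666 rules is hand-edited in six templates here, so the addresses could live in one list variable (a constructed name such as `nrpe_noc_ips`) rendered through a `{% for %}` loop like the `blocked_ips` block these templates already use, which makes the next NOC move a single change with no template missed. Since only six templates are touched, it is worth checking the remaining `iptables.*` templates for the old 209.132.181.102 / 209.132.181.35 entries so no host keeps accepting nrpe from an address that is no longer the NOC. The nrpe rule block this hunk belongs to starts above the hunk.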
@@ -31,8 +31,8 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org b/roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org
deleted file mode 100644
index eeaecfee23..0000000000
--- a/roles/base/templates/iptables/iptables.pgbdr01.stg.phx2.fedoraproject.org
+++ /dev/null
@@ -1,88 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT []
-:POSTROUTING ACCEPT []
-:OUTPUT ACCEPT []
-
-# Redirect staging attempts to talk to the external proxy to an internal ip.
-# This is primarily for openid in staging which needs to get around proxy
-# redirects.
--A OUTPUT -d 209.132.181.5 -j DNAT --to-destination 10.5.128.177
-
-COMMIT
-
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
-{% endif %}
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.128.38 -j ACCEPT
-
-# if the host declares a fedmsg-enabled wsgi app, open ports for it
-{% if wsgi_fedmsg_service is defined %}
-{% for i in range(wsgi_procs * wsgi_threads) %}
--A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if there are custom rules - put them in as-is
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-
-# This is a replicating postgresql server, allow db connections from clients
-{% for host in groups['postgres_clients']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -p tcp -m tcp --dport 5432 -j ACCEPT
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% for host in groups['postgres_clients_stg']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -p tcp -m tcp --dport 5432 -j ACCEPT
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org b/roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org
deleted file mode 100644
index eeaecfee23..0000000000
--- a/roles/base/templates/iptables/iptables.pgbdr02.stg.phx2.fedoraproject.org
+++ /dev/null
@@ -1,88 +0,0 @@
-# {{ ansible_managed }}
-*nat
-:PREROUTING ACCEPT []
-:POSTROUTING ACCEPT []
-:OUTPUT ACCEPT []
-
-# Redirect staging attempts to talk to the external proxy to an internal ip.
-# This is primarily for openid in staging which needs to get around proxy
-# redirects.
--A OUTPUT -d 209.132.181.5 -j DNAT --to-destination 10.5.128.177
-
-COMMIT
-
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
-{% endif %}
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.128.38 -j ACCEPT
-
-# if the host declares a fedmsg-enabled wsgi app, open ports for it
-{% if wsgi_fedmsg_service is defined %}
-{% for i in range(wsgi_procs * wsgi_threads) %}
--A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming tcp_ports - allow them
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-
-# if there are custom rules - put them in as-is
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-
-# This is a replicating postgresql server, allow db connections from clients
-{% for host in groups['postgres_clients']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -p tcp -m tcp --dport 5432 -j ACCEPT
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-{% for host in groups['postgres_clients_stg']|sort %}
-{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
--A INPUT -s {{ hostvars[host]['eth0_ip'] }} -p tcp -m tcp --dport 5432 -j ACCEPT
-{% else %}# {{ host }} has no 'eth0_ip' listed
-{% endif %}
-{% endfor %}
-
-# otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.releng b/roles/base/templates/iptables/iptables.releng
index 18b369927d..0f8a9cdce0 100644
--- a/roles/base/templates/iptables/iptables.releng
+++ b/roles/base/templates/iptables/iptables.releng
@@ -22,8 +22,8 @@
 -A INPUT -p tcp -m tcp -s 192.168.1.10 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 192.168.1.166 --dport 5666 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT
--A INPUT -p tcp -m tcp -s 209.132.181.35 --dport 5666 -j ACCEPT
+-A INPUT -p tcp -m tcp -s 38.145.60.16 --dport 5666 -j ACCEPT
+-A INPUT -p tcp -m tcp -s 38.145.60.15 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.3.163.10 --dport 5666 -j ACCEPT
 -A INPUT -p tcp -m tcp -s 10.3.166.10 --dport 5666 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.staging b/roles/base/templates/iptables/iptables.staging
index db84ccb307..4ed85ae762 100644
--- a/roles/base/templates/iptables/iptables.staging
+++ b/roles/base/templates/iptables/iptables.staging
@@ -42,8 +42,8 @@ COMMIT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.128.38 -j ACCEPT
diff --git a/roles/base/templates/iptables/iptables.storinator01.fedorainfracloud.org b/roles/base/templates/iptables/iptables.storinator01.fedorainfracloud.org
index 020ff51122..b22b8311f0 100644
--- a/roles/base/templates/iptables/iptables.storinator01.fedorainfracloud.org
+++ b/roles/base/templates/iptables/iptables.storinator01.fedorainfracloud.org
@@ -28,8 +28,8 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
 # if the host/group defines incoming tcp_ports - allow them
 {% if tcp_ports_eth0 is defined %}
diff --git a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
index 0fd6380748..60dcbd3e29 100644
--- a/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.torrent02.fedoraproject.org
@@ -28,8 +28,8 @@
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
 # FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.16 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 38.145.60.15 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT