From fff697a7077a589cf657484e9e28b4f0501f69d5 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sat, 6 Jun 2020 17:28:37 -0700
Subject: [PATCH] base / iptables: add iad2 ips to kojibuilder (phx2) section

We need to add this for s390x machines so they can talk to and be managed by iad2 stuff. phx2 builders should not be affected, and s390 builders only get the new rules added, so they should keep working with phx2. We will need to clean this up after the move and remove all the phx2 stuff.

Signed-off-by: Kevin Fenzi
---
 .../templates/iptables/iptables.kojibuilder | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/roles/base/templates/iptables/iptables.kojibuilder b/roles/base/templates/iptables/iptables.kojibuilder
index 9cedad465c..5c20676310 100644
--- a/roles/base/templates/iptables/iptables.kojibuilder
+++ b/roles/base/templates/iptables/iptables.kojibuilder
@@ -33,12 +33,18 @@
 -A OUTPUT -p tcp -m tcp -d 10.5.125.35 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
 {% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.169.106 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.169.107 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
 {% endif %}
 #koji.fp.o
 -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 443 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.169.104 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.169.105 --dport 443 -j ACCEPT
+{% endif %}
 #arm.koji.fp.o
 -A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 80 -j ACCEPT
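Review bot: The rules added inside the new `{% if host in groups['buildvm_s390x'] %}` blocks carry no comment naming the iad2 service they stand in for, while every phx2 group around them is labelled (`#koji.fp.o`, `#arm.koji.fp.o`); the commit message says the phx2 rules are to be removed after the move, and unlabelled iad2 entries will be hard to match up when that cleanup happens. A one-line comment at the top of each block, e.g. `# koji.fp.o (iad2)` above the 10.3.169.104/105 lines, would fix that; the same applies to the blocks added in the other three hunks. Also worth confirming: 10.3.169.104 is opened only on 80 and 10.3.169.105 only on 443, whereas the phx2 koji.fp.o host (10.5.125.63) gets both ports — if .104 and .105 are two hub/proxy addresses rather than a deliberate port split, each presumably needs both 80 and 443.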
@@ -61,21 +67,38 @@
 -A OUTPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.126.21 --dport 53 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.126.22 --dport 53 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.34 --dport 53 -j ACCEPT
+{% endif %}
 # bastion smtp
 -A OUTPUT -p tcp -m tcp -d 10.5.126.12 --dport 25 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.163.31 --dport 25 -j ACCEPT
+{% endif %}
 # infra.fp.o
 -A OUTPUT -p tcp -m tcp -d 10.5.126.23 --dport 80 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.126.23 --dport 443 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
+{% endif %}
 # rsyslog out to log01
 -A OUTPUT -p tcp -m tcp -d 10.5.126.13 --dport 514 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.163.39 --dport 514 -j ACCEPT
+{% endif %}
 # SSH
 -A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT
 {% if inventory_hostname.startswith (('buildvm-s390x-15', 'buildvm-s390x-16','buildvm-s390x-17')) %}
+-A INPUT -p tcp -m tcp -s 10.3.0.0/16 --dport 22 -j ACCEPT
 # Allow SSHFS binding to koji01
 -A OUTPUT -p tcp -m tcp -d 10.5.125.61 --dport 22 -j ACCEPT
 {% endif %}
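Review bot: The iad2 DNS block lists `10.3.163.33` twice for udp and `10.3.163.34` twice for tcp, so udp to .34 and tcp to .33 remain blocked; the phx2 lines directly above allow both protocols to both resolvers (.21 and .22), and the iad2 pair presumably should too. Replace the second udp line with `-A OUTPUT -p udp -m udp -d 10.3.163.34 --dport 53 -j ACCEPT` and the first tcp line with `-A OUTPUT -p tcp -m tcp -d 10.3.163.33 --dport 53 -j ACCEPT`. Separately, the new `-A INPUT -p tcp -m tcp -s 10.3.0.0/16 --dport 22 -j ACCEPT` has no `-A OUTPUT -p tcp -m tcp -d 10.3.0.0/16 --sport 22 -j ACCEPT` counterpart as the phx2 SSH pair does, so unless an ESTABLISHED/RELATED rule earlier in the file (not visible here) covers the replies, SSH sessions from iad2 will not complete. That INPUT rule is also gated on the three-host `inventory_hostname` condition rather than `groups['buildvm_s390x']` like every other iad2 rule in this commit; if that is intentional a short comment saying why would help the later cleanup.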
@@ -103,6 +126,21 @@
 -A OUTPUT -p tcp -m tcp -d 10.5.126.30 --dport 8443 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.126.25 --dport 8443 -j ACCEPT
 -A OUTPUT -p tcp -m tcp -d 10.5.126.26 --dport 8443 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 80 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
+# for 2 facter auth
+-A OUTPUT -p tcp -m tcp -d 10.3.163.74 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.75 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.76 --dport 8443 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -d 10.3.163.77 --dport 8443 -j ACCEPT
+{% endif %}
 #nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little to wide-open - but
 # kinda necessary
@@ -119,6 +157,10 @@
 # ntp
 -A OUTPUT -m udp -p udp --dport 123 -d 10.5.126.11 -j ACCEPT
 -A OUTPUT -m udp -p udp --dport 123 -d 10.5.126.12 -j ACCEPT
+{% if host in groups['buildvm_s390x'] %}
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.31 -j ACCEPT
+-A OUTPUT -m udp -p udp --dport 123 -d 10.3.163.32 -j ACCEPT
+{% endif %}
 # dhcp
 -A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEPT
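Review bot: The added comment `# for 2 facter auth` misspells "factor" and, unlike the phx2 comments, does not say which hosts 10.3.163.74–.77 are; `# proxies (iad2); 8443 for 2 factor auth` or similar would make the block self-explanatory when the phx2 rules are later removed. The twelve one-port-per-line rules for the same four hosts could also be written as one rule per host with `-m multiport --dports 80,443,8443`, which keeps the intent visible in four lines, though the existing file's one-port-per-line style may be deliberate and is fine to keep.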