Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/roles/base/templates/iptables/iptables
Kevin Fenzi b467a264b2 Drop a extra line that causes a change
2016-01-08 16:32:47 +00:00

107 lines
4.4 KiB
Text
Raw Blame History

# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# allow ping and traceroute
-A INPUT -p icmp -j ACCEPT
# localhost is fine
-A INPUT -i lo -j ACCEPT
# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ssh - always
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
# for nrpe - allow it from nocs
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
# FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
#
# In the phx2 datacenter, both production and staging hosts are in the same
# subnet/vlan. We want production hosts to reject connectons from staging group hosts
# to prevent them from interfering with production. There are however a few hosts in
# production we have marked 'staging-friendly' that we do allow staging to talk to for
# mostly read-only data they need.
#
{% for host in groups['staging']|sort %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
#
# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
# to block all access from that group. This is to protect them from any possible attack
# vectors from qa-isolated machines.
#
# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
{% for host in groups['qa-isolated']|sort %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}
# if the host declares a fedmsg-enabled wsgi app, open ports for it
{% if wsgi_fedmsg_service is defined %}
{% for i in range(wsgi_procs * wsgi_threads) %}
-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
{% endfor %}
{% endif %}
# if the host/group defines incoming tcp_ports - allow them
{% if tcp_ports is defined %}
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}
# if the host/group defines incoming udp_ports - allow them
{% if udp_ports is defined %}
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}
# if there are custom rules - put them in as-is
{% if custom_rules is defined %}
{% for rule in custom_rules %}
{{ rule }}
{% endfor %}
{% endif %}
# otherwise kick everything out
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Reference in a new issue View git blame Copy permalink