iptables: clean up osbuild and add a external block set scaffolding

Setup osbuild so it only needs to exist on the specific builders in the
osbuild channel, not all builders.
Also, setup things so we can add a blocklist that will block external
subnets/ip's if we need to do so. Currently it should just be an empty
set, but we can implement it as needed/desired starting with the ips we
already were blocking on just some hosts.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

inventory/group_vars/bastion

@@ -18,6 +18,10 @@ csi_security_category: High
 #
 custom_rules: ['-A INPUT -s 192.168.100/24 -j REJECT --reject-with icmp-host-prohibited', '-A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 123 -j ACCEPT']
 #
+# This host is externally reachable
+#
+external: true
+#
 # Set this to get fasclient cron to make the aliases file
 #
 fas_aliases: true

inventory/group_vars/batcave

@@ -20,6 +20,10 @@ csi_relationship: |
 csi_security_category: High
 # Neeed for rsync from log01 for logs.
 custom_rules: ['-A INPUT -p tcp -m tcp -s 10.3.163.39 --dport 873 -j ACCEPT', '-A INPUT -p tcp -m tcp -s 192.168.1.59 --dport 873 -j ACCEPT']
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_certs:
   - can_send:
       - ansible.playbook.complete

inventory/group_vars/download_iad2

@@ -2,6 +2,10 @@
 blocked_ips: []
 datacenter: iad2
 dns: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 host_group: download-iad2
 # nfs mount options, overrides the all/default
 nfs_mount_opts: "ro,hard,bg,intr,noatime,nodev,nosuid,actimeo=600,nfsvers=4"

inventory/group_vars/iad2

@@ -0,0 +1,4 @@
+---
+# boolean to determine if a host is publically reachable via nat in iad2
+# by default, hosts are not, only specific hosts/groups are.
+external: False

inventory/group_vars/pkgs

@@ -20,6 +20,10 @@ clamscan_paths:
   - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:

inventory/group_vars/pkgs_stg

@@ -16,6 +16,10 @@ clamscan_paths:
   - /srv/cache/lookaside/pkgs
 # We have both celery (pagure_worker) and web thread wanting to send out fedmsg's.
 # To make things easy on the listening side (so avoid contention of binding ports), let's set the pkgs boxes to active fedmsg.
+#
+# This host is externally reachable
+#
+external: true
 fedmsg_active: True
 # These are consumed by a task in roles/fedmsg/base/main.yml
 fedmsg_certs:

inventory/host_vars/ns01.iad2.fedoraproject.org

@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.33
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-01.iad2.fedoraproject.org

inventory/host_vars/ns02.iad2.fedoraproject.org

@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.34
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://38.145.60.16/repo/rhel/RHEL9-x86_64/
 ks_url: http://38.145.60.16/repo/rhel/ks/kvm-rhel
 vmhost: vmhost-x86-02.iad2.fedoraproject.org

inventory/host_vars/proxy01.iad2.fedoraproject.org

@@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.74
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/

inventory/host_vars/proxy10.iad2.fedoraproject.org

@@ -7,6 +7,10 @@ dns_search2: "vpn.fedoraproject.org"
 dns_search3: "fedoraproject.org"
 eth0_ipv4: 10.3.163.75
 eth0_ipv4_gw: 10.3.163.254
+#
+# This host is externally reachable
+#
+external: true
 freezes: true
 has_ipv4: yes
 ks_repo: http://10.3.163.35/pub/fedora/linux/releases/38/Server/x86_64/os/

inventory/host_vars/secondary01.iad2.fedoraproject.org

@@ -2,6 +2,10 @@
 datacenter: iad2
 eth0_ipv4_gw: 10.3.163.254
 eth0_ipv4_ip: 10.3.163.86
+#
+# This host is externally reachable
+#
+external: true
 ks_repo: http://10.3.163.35/repo/rhel/RHEL8-x86_64/
 ks_url: http://10.3.163.35/repo/rhel/ks/kvm-rhel-8-iad2
 lvm_size: 40000

roles/base/tasks/main.yml

@@ -152,9 +152,41 @@
   command: /usr/sbin/ipset create osbuildapi hash:ip
   ignore_errors: true
   changed_when: false
-  when: inventory_hostname.startswith('build')
+  when: "'osbuild' in group_names"
+  tags:
+    - base
+    - iptables
+
+- name: install blocklist update script
+  copy:
+    src: "{{ private }}/files/blocklist/blocklist-update.sh"
+    dest: /usr/local/bin/blocklist-update.sh
+    owner: root
+    group: root
+    mode: "0700"
+  tags:
+    - base
+    - iptables
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+
+- name: setup blocklist ipset if this is a new install
+  command: /usr/sbin/ipset create blocklist hash:ip
+  ignore_errors: true
+  changed_when: false
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
+  tags:
+    - base
+    - iptables
+
+- name: setup blocklist update cron job
+  cron:
+    name: blocklist-update
+    user: root
+    minute: 15
+    hour: "*/2"
+    job: /usr/local/bin/blocklist-update.sh
+  when: "datacenter != 'iad2' or ( datacenter == 'iad2' and external == 'true')"
   tags:
-    - packages
     - base
     - iptables
 

roles/base/templates/iptables/iptables

@@ -14,11 +14,9 @@
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
-# if the blocked_ips is defined - drop them
+# if the host is external, block some ips
-{% if blocked_ips is defined %}
+{% if datacenter != 'iad2' or ( datacenter == 'iad2' and hostvars[inventory_hostname].external == 'true' ) %}
-{% for ip in blocked_ips %}
+-A INPUT -p any -m set --match-set blocklist src -j REJECT
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
 {% endif %}
 
 # allow ssh - always