Until I can figure out this nameserver thing, don't track dns requests to keep conntrack tables not full

2016-06-30 16:19:38 +00:00 · 2016-06-30 16:19:38 +00:00 · bca365bbf4
commit bca365bbf4
parent 7f5d1823dc
2 changed files with 248 additions and 0 deletions
--- a/roles/base/templates/iptables/iptables.ns03.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.ns03.phx2.fedoraproject.org
@ -0,0 +1,124 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same 
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in 
+# production we have marked 'staging-friendly' that we do allow staging to talk to for 
+# mostly read-only data they need.
+#
+{% for host in groups['staging']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
+#
+# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group 
+# to block all access from that group. This is to protect them from any possible attack 
+# vectors from qa-isolated machines.
+#
+# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
+-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
+{% for host in groups['qa-isolated']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+#
+# We don't want to track all the dns query connections, there's too many.
+#
+-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
+-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
+COMMIT
--- a/roles/base/templates/iptables/iptables.ns04.phx2.fedoraproject.org
+++ b/roles/base/templates/iptables/iptables.ns04.phx2.fedoraproject.org
@ -0,0 +1,124 @@
+# {{ ansible_managed }}
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+# allow ping and traceroute
+-A INPUT -p icmp -j ACCEPT
+
+# localhost is fine
+-A INPUT -i lo -j ACCEPT
+
+# Established connections allowed
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+# if the blocked_ips is defined - drop them
+{% if blocked_ips is defined %}
+{% for ip in blocked_ips %}
+-A INPUT -s {{ ip }} -j DROP
+{% endfor %}
+{% endif %}
+
+# allow ssh - always
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
+
+# for nrpe - allow it from nocs
+-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
+# FIXME - this is the global nat-ip and we need the noc01-specific ip
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.102 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666  -s 209.132.181.35 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
+
+{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging-friendly'] %}
+#
+# In the phx2 datacenter, both production and staging hosts are in the same 
+# subnet/vlan. We want production hosts to reject connectons from staging group hosts
+# to prevent them from interfering with production. There are however a few hosts in 
+# production we have marked 'staging-friendly' that we do allow staging to talk to for 
+# mostly read-only data they need.
+#
+{% for host in groups['staging']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+
+{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa-isolated'] %}
+#
+# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group 
+# to block all access from that group. This is to protect them from any possible attack 
+# vectors from qa-isolated machines.
+#
+# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
+-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
+-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
+{% for host in groups['qa-isolated']|sort %}
+{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
+-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
+{% else %}# {{ host }} has no 'eth0_ip' listed
+{% endif %}
+{% endfor %}
+{% endif %}
+# if the host declares a fedmsg-enabled wsgi app, open ports for it
+{% if wsgi_fedmsg_service is defined %}
+{% for i in range(wsgi_procs * wsgi_threads) %}
+-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+
+# if the host/group defines incoming tcp_ports - allow them
+{% if tcp_ports is defined %}
+{% for port in tcp_ports %}
+-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if the host/group defines incoming udp_ports - allow them
+{% if udp_ports is defined %}
+{% for port in udp_ports %}
+-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
+{% endfor %}
+{% endif %}
+
+# if there are custom rules - put them in as-is
+{% if custom_rules is defined %}
+{% for rule in custom_rules %}
+{{ rule }}
+{% endfor %}
+{% endif %}
+
+# otherwise kick everything out
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+#
+# We don't want to track all the dns query connections, there's too many.
+#
+-A PREROUTING -p udp -m udp --dport 53 -j NOTRACK
+-A OUTPUT -p udp -m udp --sport 53 -j NOTRACK
+COMMIT