bastion / iptables: Add internal RH mxes and drop global allow

We want to allow internal mxes to send us email still.
We want to drop the global allow for port 25 now that we hopefully have
all the legit senders listed.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2024-09-24 10:55:20 -07:00
parent 06a28bf516
commit f72ff64029
2 changed files with 4 additions and 1 deletions


@ -67,5 +67,5 @@ primary_auth_source: ipa
#
# allow incoming openvpn and smtp
#
tcp_ports: [22, 25, 1194]
tcp_ports: [22, 1194]
udp_ports: [1194]
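Review bot: The comment `# allow incoming openvpn and smtp` directly above `tcp_ports` is now stale, since this hunk removes 25 from the list and port 25 is only opened by the per-source ACCEPT rules in the custom iptables file. Suggest rewording it to something like `# allow incoming openvpn; smtp only from the senders listed in the custom rules` so the next reader does not re-add 25 here. It is also worth confirming that nothing else in the role still opens port 25 globally and that unmatched traffic to it ends in the chain's DROP, otherwise removing it from this list has no effect.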


@ -77,6 +77,9 @@
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
# redhat mxes
-A INPUT -s 10.30.177.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -s 10.30.29.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
# mimecast ips from
# https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
-A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
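Review bot: The two new `# redhat mxes` rules accept port 25 from entire /24 networks (`10.30.177.0/24` and `10.30.29.0/24`); if the MXes are a handful of known hosts, listing those addresses (or the narrowest prefix that covers them) would keep the allowlist as tight as the commit message intends, and a short note naming which MX hosts live in each range would make the rules easier to audit later. Unrelated to the added lines but in the same block, the mimecast comment URL carries `?r=297&ui-knowledge-components-aura-actions...createDraftFromOnlineArticle=1`, which are UI/session parameters; trimming it to the base article URL would keep the reference stable.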