Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/roles/base/templates/iptables/iptables.download-phx2
Kevin Fenzi 4b31ac5152 ansible: Change all our group names from foo-bar to foo_bar or foo-bar-baz to foo_bar_baz 
In ansible 2.8 the - character isn't supposed to be valid in group names.
While we could override this, might has well just bite the bullet and change it.
So, just switch all group names to use _ instead of -

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2019-05-20 17:38:09 +00:00

116 lines
4.6 KiB
Text
Raw Blame History

# {{ ansible_managed }}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# allow ping and traceroute
-A INPUT -p icmp -j ACCEPT
# localhost is fine
-A INPUT -i lo -j ACCEPT
# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# allow ssh - always
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
# for nrpe - allow it from nocs
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
# FIXME - this is the global nat-ip and we need the noc01-specific ip
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
{% if env != 'staging' and datacenter == 'phx2' and inventory_hostname not in groups['staging_friendly'] %}
#
# In the phx2 datacenter, both production and staging hosts are in the same
# subnet/vlan. We want production hosts to reject connectons from staging group hosts
# to prevent them from interfering with production. There are however a few hosts in
# production we have marked 'staging-friendly' that we do allow staging to talk to for
# mostly read-only data they need.
#
{% for host in groups['staging']|sort %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}
{% if ansible_domain == 'qa.fedoraproject.org' and inventory_hostname not in groups['qa_isolated'] %}
#
# In the qa.fedoraproject.org network, we want machines not in the qa-isolated group
# to block all access from that group. This is to protect them from any possible attack
# vectors from qa-isolated machines.
#
# Here we hard code beaker client nodes. They are managed by beaker and are not in ansible.
-A INPUT -s 10.5.131.31 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.32 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.33 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.34 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.35 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.36 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.37 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.38 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.39 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.40 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.41 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.42 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.43 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.44 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.45 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.46 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.47 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.48 -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.5.131.49 -j REJECT --reject-with icmp-host-prohibited
{% for host in groups['qa_isolated']|sort %}
{% if 'eth0_ip' in hostvars[host] %}# {{ host }}
-A INPUT -s {{ hostvars[host]['eth0_ip'] }} -j REJECT --reject-with icmp-host-prohibited
{% else %}# {{ host }} has no 'eth0_ip' listed
{% endif %}
{% endfor %}
{% endif %}
# if the host declares a fedmsg-enabled wsgi app, open ports for it
{% if wsgi_fedmsg_service is defined %}
{% for i in range(wsgi_procs * wsgi_threads) %}
-A INPUT -p tcp -m tcp --dport 30{{ '%02d' % i }} -j ACCEPT
{% endfor %}
{% endif %}
# if the blocked_ips is defined - drop them
{% if blocked_ips is defined %}
{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
{% endif %}
# if the host/group defines incoming tcp_ports - allow them
{% if tcp_ports is defined %}
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}
# if the host/group defines incoming udp_ports - allow them
{% if udp_ports is defined %}
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}
# if there are custom rules - put them in as-is
{% if custom_rules is defined %}
{% for rule in custom_rules %}
{{ rule }}
{% endfor %}
{% endif %}
# otherwise kick everything out
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Reference in a new issue View git blame Copy permalink