#
# NOTE: Changing this template updates iptables on all hosts.
# Please check with sysadmin-main before pushing out an update here.
#
*nat
# No NAT rules are defined. The table is still listed so that a restore of
# this file leaves it with empty ACCEPT chains (iptables-restore flushes each
# table it restores unless --noflush is given), clearing any stray NAT rules.
# NOTE(review): the counters are written as `[]`; iptables-restore normally
# expects `[packets:bytes]` (e.g. `[0:0]`). Confirm this loads cleanly, or
# that `[]` is an artifact of how this copy was rendered.
:PREROUTING ACCEPT []
:POSTROUTING ACCEPT []
:OUTPUT ACCEPT []
COMMIT
*raw
# No raw-table rules (no NOTRACK/CT exemptions). Listed, like *nat above, so a
# restore resets the table to empty ACCEPT chains rather than leaving whatever
# was loaded before.
:PREROUTING ACCEPT []
:OUTPUT ACCEPT []
COMMIT
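*filter
# Host firewall: default-deny on INPUT, everything below is an allow-list
# evaluated top to bottom (first match wins), closed by an explicit REJECT.
:INPUT DROP []
:FORWARD ACCEPT []
:OUTPUT ACCEPT []
# NOTE(review): FORWARD defaults to ACCEPT. That is inert while
# net.ipv4.ip_forward=0, but on any host that turns forwarding on (VM or
# container hosts) traffic would transit the box unfiltered. Confirm that is
# intended, or set the policy to DROP and allow forwarding only where needed.

# loopback allowed
-A INPUT -i lo -j ACCEPT

# Accept ping and traceroute (needs icmp)
-A INPUT -p icmp -j ACCEPT

# Established connections allowed
# (-m state is the legacy spelling of -m conntrack --ctstate; left as-is
# because this template is pushed to every host and older iptables differ)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Overwrite any global rules

# allow func through from the overlord (puppet1)
-A INPUT -p tcp -m tcp -s 209.132.181.6 --dport 51234 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.23 --dport 51234 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.127.51 --dport 51234 -j ACCEPT

# Staging separation. Do not allow stg servers to reach _any_ production
# hosts; the exceptions are infrastructure.fp.o (for packages) and
# admin.fp.o (for accounts).

# Temporary measure for ro access to nfs1
# NOTE(review): labelled temporary with no date -- worth confirming it is
# still needed before the next push.
# source app1.stg
-A INPUT -p tcp -m tcp -s 10.5.126.81 --dport 48621:48624 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.81 --dport 48621:48624 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.81 --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.81 --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.81 --dport 111 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.81 --dport 111 -j ACCEPT

# source app2.stg
-A INPUT -p tcp -m tcp -s 10.5.126.82 --dport 48621:48624 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.82 --dport 48621:48624 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.82 --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.82 --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.82 --dport 111 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.82 --dport 111 -j ACCEPT

# source koji1.stg
-A INPUT -p tcp -m tcp -s 10.5.126.87 --dport 48621:48624 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.87 --dport 48621:48624 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.87 --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.87 --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.87 --dport 111 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.87 --dport 111 -j ACCEPT

# source releng1.stg
-A INPUT -p tcp -m tcp -s 10.5.126.90 --dport 48621:48624 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.90 --dport 48621:48624 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.90 --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.90 --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.90 --dport 111 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.90 --dport 111 -j ACCEPT

# infrastructure.fp.o
# (these match on destination address, so they only take effect on the host
# that actually carries that address)
# proxy1
-A INPUT -p tcp -m tcp -d 10.5.126.52 --dport 80 -j ACCEPT
# proxy2.stg
-A INPUT -p tcp -m tcp -d 10.5.126.89 --dport 80 -j ACCEPT

# kojipkgs
-A INPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT

# admin.fp.o
# puppet1
-A INPUT -p tcp -m tcp -d 10.5.126.23 --dport 8140 -j ACCEPT
-A INPUT -p tcp -m tcp -d 10.5.126.23 --dport 873 -j ACCEPT
-A INPUT -p tcp -m tcp -d 10.5.126.23 --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp -d 10.5.126.23 --dport 51234:51235 -j ACCEPT

# DNS
-A INPUT -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-A INPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT

# bastion
-A INPUT -p tcp -m tcp -d 10.5.126.12 --dport 25 -j ACCEPT

# Func and staging bits
# NOTE(review): these have no -d, so on every host rendered from this
# template they let the staging hosts reach func (51234:51235) -- an
# exception to the staging separation stated above. Fine if func is only
# listening on staging; otherwise gate this block on a staging-host
# condition in the template.
-A INPUT -s 10.5.126.81 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
-A INPUT -s 10.5.126.82 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
# proxy1.stg
-A INPUT -s 10.5.126.88 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
# db1.stg
-A INPUT -s 10.5.126.84 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
-A INPUT -s 10.5.126.87 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
-A INPUT -s 10.5.126.90 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
-A INPUT -s 10.5.126.91 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
-A INPUT -s 10.5.126.92 -p tcp -m tcp --dport 51234:51235 -j ACCEPT
# cvs.stg
-A INPUT -s 10.5.126.83 -p tcp -m tcp --dport 51234:51235 -j ACCEPT

# Allow staging to talk to log02.
-A INPUT -p tcp -m tcp -d 10.5.126.29 --dport 514 -j ACCEPT

# Ban staging on non-staging hosts only.
# (empty in this copy -- presumably a template conditional that renders the
# reject rules only on production hosts)

# SSH
# ssh block against uni in .cz where problem(s) have been cited
# added by skvidal on jan 24 2011 - as per request from spot
# (this one rejects with the default icmp-port-unreachable while the next
# uses tcp-reset; harmless, but tcp-reset is the cleaner answer for TCP)
-A INPUT -p tcp -m tcp -s 147.251.0.0/16 --dport 22 -j REJECT
# Per-network blocks must precede the global port-22 ACCEPT that follows:
# a REJECT placed after an ACCEPT for the same service never matches.
-A INPUT -p tcp -m tcp -s 192.168.100.0/24 --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow all netapp traffic
# NOTE(review): every TCP and UDP port from the three filer addresses, on
# every host carrying this template. Trust is by source address only; if
# what is needed is the NFS set used for nfs1 above (111, 2049,
# 48621:48624), narrowing to those ports would shrink the exposure.
-A INPUT -p udp -m udp -s 10.5.88.11 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.11 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.88.20 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.20 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.88.21 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.88.21 -j ACCEPT

# Allow other PHX-local NFS servers traffic
# secondary1 server (only effective on the host holding 10.5.126.27)
-A INPUT -p udp -m udp -s 10.5.126.0/24 -d 10.5.126.27 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.0/24 -d 10.5.126.27 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.127.0/24 -d 10.5.126.27 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.127.0/24 -d 10.5.126.27 -j ACCEPT
# secondary1 mounters
# NOTE(review): any UDP from 10.5.126.27 to any port, on every host -- the
# same source-only trust as the netapp rules; consider restricting to the
# ports the mounters actually need.
-A INPUT -p udp -m udp -s 10.5.126.27 -j ACCEPT

# NRPE (nagios monitoring)
-A INPUT -p tcp -m tcp -s 10.5.126.41 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.10 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.20 --dport 5666 -j ACCEPT
-A INPUT -p tcp -m tcp -s 209.132.181.102 --dport 5666 -j ACCEPT

# SNMP allows from our monitoring systems
# (note the last two entries trust whole /24s, not just monitoring hosts)
-A INPUT -p udp -m udp -s 10.5.126.41 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.10 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.11 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.12 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 10.5.126.23 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 209.132.181.102 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/24 --dport 161 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 161 -j ACCEPT

# NTP servers (if any)
#-A INPUT -p udp -m udp -s ips-allowed-here --dport 123 -j ACCEPT

# Bacula Backups backup03
-A INPUT -p tcp -m tcp -s 10.5.126.161 --dport 9102 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.64 --dport 9102 -j ACCEPT

# allow fedmsg ports through - this happens after the staging ban so
# we should be safe from evil (or what not)
# NOTE(review): that "safe" depends on the staging-ban block above actually
# rendering rules on production hosts; it is empty in this copy. The
# 10.5.126.0/24 allows below cover every staging address listed earlier
# (10.5.126.81-.92), so without the ban, staging hosts can reach the fedmsg
# ports on any host.
# fedmsg - (tagger, bodhi, and fas) WSGI process ports
-A INPUT -p tcp -m tcp -s 10.5.124.0/24 --dport 3000:3007 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.125.0/24 --dport 3000:3007 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 3000:3007 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 3000:3007 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 3000:3007 -j ACCEPT
# fedmsg - busmon hub consumer
-A INPUT -p tcp -m tcp -s 10.5.124.0/24 --dport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.125.0/24 --dport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 3008 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 3008 -j ACCEPT
# fedmsg - fedmsg-relay
-A INPUT -p tcp -m tcp -s 10.5.124.0/24 --dport 3998:3999 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.125.0/24 --dport 3998:3999 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 3998:3999 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 3998:3999 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 3998:3999 -j ACCEPT
# fedmsg - hub websocket server
-A INPUT -p tcp -m tcp -s 10.5.124.0/24 --dport 9919 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.125.0/24 --dport 9919 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.5.126.0/24 --dport 9919 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 9919 -j ACCEPT
-A INPUT -p tcp -m tcp -s 192.168.0.0/24 --dport 9919 -j ACCEPT

# Custom Services

# Services TCP
# NOTE(review): everything in this list has no -s, so it is reachable from
# any source that can route to the host -- on a template pushed to every
# host that means http(s) and NRPE are open wherever the host is reachable.
# 5666 here also makes the per-monitoring-host NRPE rules above redundant;
# if only those hosts should reach NRPE, drop 5666 from this list. Port 22
# is already accepted in the SSH section above (after the per-network
# blocks), so it is not repeated here.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -j ACCEPT

# Services UDP

# more services we use - ports for random services and TG listeners.

# Extra protection for 192.168.100.x vpn hosts.
# NOTE(review): this REJECT sits after every ACCEPT above and uses the same
# reject type as the catch-all below, so in this rendering it changes
# nothing: VPN sources already matched by an earlier ACCEPT (80, 443, 5666,
# ...) get through, and everything else is rejected either way. Only the
# explicit port-22 REJECT in the SSH section actually restricts them. If the
# intent is to fence 192.168.100.0/24 off, move this rule above the ACCEPTs
# it should take precedence over.
-A INPUT -s 192.168.100.0/24 -j REJECT --reject-with icmp-host-prohibited

# Catch-all: anything not matched above is rejected (policy is DROP, but an
# explicit REJECT gives senders an immediate answer instead of a timeout).
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT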
|