Commit 39b95e6e10367375f814e7f76e7bb761c8300792
Exists in
master
and in
67 other branches
Merge branch 'firewall' into 'master'
Firewall management See merge request !13
Showing
16 changed files
with
120 additions
and
21 deletions
Show diff stats
.gitignore
Rakefile
| ... | ... | @@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local') |
| 9 | 9 | ssh_config_file = "config/#{$SPB_ENV}/ssh_config" |
| 10 | 10 | ips_file = "config/#{$SPB_ENV}/ips.yaml" |
| 11 | 11 | config_file = "config/#{$SPB_ENV}/config.yaml" |
| 12 | +iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules" | |
| 12 | 13 | |
| 13 | 14 | ENV['CHAKE_SSH_CONFIG'] = ssh_config_file |
| 14 | 15 | |
| ... | ... | @@ -20,9 +21,11 @@ end |
| 20 | 21 | |
| 21 | 22 | config = YAML.load_file(config_file) |
| 22 | 23 | ips = YAML.load_file(ips_file) |
| 24 | +firewall = File.open(iptables_file).read | |
| 23 | 25 | $nodes.each do |node| |
| 24 | 26 | node.data['config'] = config |
| 25 | 27 | node.data['peers'] = ips |
| 28 | + node.data['firewall'] = firewall | |
| 26 | 29 | end |
| 27 | 30 | |
| 28 | 31 | task :console do | ... | ... |
| ... | ... | @@ -0,0 +1,23 @@ |
| 1 | + | |
| 2 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
| 3 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
| 4 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
| 5 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 6 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 7 | + | |
| 8 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 9 | + | |
| 10 | + | |
| 11 | +# UnB | |
| 12 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
| 13 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 14 | + | |
| 15 | + | |
| 16 | +# Sergio Oliveira | |
| 17 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 18 | + | |
| 19 | + | |
| 20 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 21 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
| 22 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
| 23 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT | ... | ... |
| ... | ... | @@ -0,0 +1,14 @@ |
| 1 | + | |
| 2 | +package 'iptables-services' | |
| 3 | + | |
| 4 | +service 'iptables' do | |
| 5 | + action [:enable, :start] | |
| 6 | + supports :restart => true | |
| 7 | +end | |
| 8 | + | |
| 9 | +template '/etc/sysconfig/iptables' do | |
| 10 | + owner 'root' | |
| 11 | + group 'root' | |
| 12 | + mode 0644 | |
| 13 | + notifies :restart, 'service[iptables]' | |
| 14 | +end | ... | ... |
| ... | ... | @@ -0,0 +1,37 @@ |
| 1 | + | |
| 2 | +### FILTER RULES ### | |
| 3 | + | |
| 4 | +*filter | |
| 5 | + | |
| 6 | +:INPUT ACCEPT [0:0] | |
| 7 | +:FORWARD ACCEPT [0:0] | |
| 8 | +:OUTPUT ACCEPT [0:0] | |
| 9 | + | |
| 10 | +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| 11 | + | |
| 12 | +-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | |
| 13 | +-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | |
| 14 | +-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | |
| 15 | +-A INPUT -p icmp --icmp-type 4 -j ACCEPT | |
| 16 | +-A INPUT -p icmp --icmp-type 11 -j ACCEPT | |
| 17 | +-A INPUT -p icmp --icmp-type 12 -j ACCEPT | |
| 18 | + | |
| 19 | +-A INPUT -i lo -j ACCEPT | |
| 20 | + | |
| 21 | +# Everybody need to accept SSH from reverseproxy | |
| 22 | +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| 23 | + | |
| 24 | +<%= node['firewall'] %> | |
| 25 | +<%= render 'iptables-filter.erb' %> | |
| 26 | + | |
| 27 | +-A INPUT -j LOG --log-prefix "Firewall INPUT: " | |
| 28 | +-A INPUT -j DROP | |
| 29 | +-A FORWARD -j LOG --log-prefix "Firewall FORWARD: " | |
| 30 | +-A FORWARD -j DROP | |
| 31 | + | |
| 32 | +COMMIT | |
| 33 | + | |
| 34 | + | |
| 35 | +*nat | |
| 36 | +<%= render 'iptables-nat.erb' %> | |
| 37 | +COMMIT | ... | ... |
cookbooks/firewall/templates/host-database/iptables-filter.erb
0 → 100644
| ... | ... | @@ -0,0 +1,7 @@ |
| 1 | + | |
| 2 | +# Allow access to PostgreSQL | |
| 3 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 5432 -j ACCEPT | |
| 4 | +-A INPUT -s <%= node['peers']['social'] %> -p tcp -m state --state NEW --dport 5432 -j ACCEPT | |
| 5 | + | |
| 6 | +# Allow access to Redis | |
| 7 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 6379 -j ACCEPT | ... | ... |
cookbooks/firewall/templates/host-email/iptables-filter.erb
0 → 100644
| ... | ... | @@ -0,0 +1,6 @@ |
| 1 | + | |
| 2 | +# Allow access to Postfix | |
| 3 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | |
| 4 | +-A INPUT -s <%= node['peers']['social'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | |
| 5 | +-A INPUT -s <%= node['peers']['database'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | |
| 6 | +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | ... | ... |
cookbooks/firewall/templates/host-integration/iptables-filter.erb
0 → 100644
cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
0 → 100644
| ... | ... | @@ -0,0 +1,9 @@ |
| 1 | + | |
| 2 | +# HTTP Ports | |
| 3 | +-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT | |
| 4 | + | |
| 5 | +# Port redirect to gitlab host (integration) | |
| 6 | +-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| 7 | + | |
| 8 | +# Real SSH connection | |
| 9 | +-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT | ... | ... |
cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
0 → 100644
| ... | ... | @@ -0,0 +1,6 @@ |
| 1 | + | |
| 2 | +# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH) | |
| 3 | + | |
| 4 | +-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22 | |
| 5 | + | |
| 6 | +-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %> | ... | ... |
cookbooks/firewall/templates/host-social/iptables-filter.erb
0 → 100644
cookbooks/reverse_proxy/recipes/default.rb
| 1 | -package 'iptables-services' | |
| 2 | - | |
| 3 | -service 'iptables' do | |
| 4 | - action [:enable, :start] | |
| 5 | - supports :restart => true | |
| 6 | -end | |
| 7 | - | |
| 8 | -template '/etc/sysconfig/iptables' do | |
| 9 | - owner 'root' | |
| 10 | - group 'root' | |
| 11 | - mode 0644 | |
| 12 | - notifies :restart, 'service[iptables]' | |
| 13 | -end | |
| 14 | 1 | |
| 15 | 2 | cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do |
| 16 | 3 | owner 'root' | ... | ... |
cookbooks/reverse_proxy/templates/iptables.erb
| ... | ... | @@ -1,7 +0,0 @@ |
| 1 | -*nat | |
| 2 | - | |
| 3 | -# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH | |
| 4 | --A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22 | |
| 5 | --A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %> | |
| 6 | - | |
| 7 | -COMMIT |
roles/server.rb