From 1ea699c9c19bbd00bc9dab95f6719a0e1ded6d2c Mon Sep 17 00:00:00 2001
From: Sergio Oliveira
Date: Thu, 14 May 2015 17:05:36 -0300
Subject: [PATCH] Use integration as SSH gateway

---
 cookbooks/firewall/templates/default/iptables.erb | 4 ++--
 cookbooks/firewall/templates/host-integration/iptables-filter.erb | 3 +++
 cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/cookbooks/firewall/templates/default/iptables.erb b/cookbooks/firewall/templates/default/iptables.erb
index ce3f229..8cffd6e 100644
--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -18,8 +18,8 @@
 -A INPUT -i lo -j ACCEPT
-# Everybody need to accept SSH from reverseproxy
--A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Everybody need to accept SSH from integration
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
 <%= node['firewall'] %>
 <%= render 'iptables-filter.erb' %>
diff --git a/cookbooks/firewall/templates/host-integration/iptables-filter.erb b/cookbooks/firewall/templates/host-integration/iptables-filter.erb
index 2c9e5ea..d662a62 100644
--- a/cookbooks/firewall/templates/host-integration/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-integration/iptables-filter.erb
@@ -1,3 +1,6 @@
 # Allow HTTP access
 -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Allow SSH connections redirected from integration
+-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
index 209abce..269f4f7 100644
--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
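Review bot: The new `-A INPUT -s <%= node['peers']['integration'] %>` line in the default template has no guard for a missing attribute: if `node['peers']['integration']` is nil or empty on some host, the rendered rule becomes `-A INPUT -s  -p tcp ...`, which iptables-restore rejects, and what ruleset the host is left with afterwards depends on how the cookbook applies the file, which is not visible in this patch. Since this rule is the only SSH ingress most hosts have after the change, a silent rendering failure means losing administrative access rather than a single broken rule. I would fail the Chef run early in the recipe when the attribute is unset, or at minimum guard the rule in the template, e.g. `<% raise "node['peers']['integration'] is not set" unless node['peers']['integration'] %>` immediately above it. I would also rewrite the comment to state the trust decision: `# Everybody needs to accept SSH from integration: it is the SSH gateway and the only bastion-side path to sshd on this host`.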
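Review bot: The added comment `# Allow SSH connections redirected from integration` states the wrong direction: this file is the integration host's own filter, and the rule under it admits NEW connections to this host's port 22 from the reverseproxy address, so `# Allow SSH from reverseproxy (its public :22 is presumably redirected to this host)` would be accurate. Two things to confirm about that redirect, which the patch does not show: if the reverseproxy forwards its public port 22 here with DNAT but no SNAT, packets arrive carrying the original client's source address and this `-s` rule will not match them at all; if it does masquerade, sshd on integration only ever sees the reverseproxy's IP, so sshd-level `Match Address` / `AllowUsers` restrictions and log attribution lose their meaning. Either way the public-facing reverseproxy can still initiate SSH to the gateway that, per the default template in this same patch, every other host now trusts, so the number of hops changed but the set reachable from a compromised reverseproxy did not; that trade-off deserves a sentence in the comment.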
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -6,4 +6,4 @@
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 # Real SSH connection
--A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
--
libgit2 0.21.2
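Review bot: Restricting the `alt_ssh_port` rule to `-s <%= node['peers']['integration'] %>` is the right tightening, but it leaves no break-glass path: if the integration host is down or its own firewall misrenders, nobody can reach the reverseproxy's real sshd, and the unrestricted `--dport 22` ACCEPT on the context line above is not a substitute if, as the commit title suggests, that port now serves the redirect rather than this host's sshd. Consider a documented secondary source (an admin range taken from an attribute) or an out-of-band console, and make the intent explicit in the comment, e.g. `# Real sshd on alt_ssh_port: reachable only through the integration SSH gateway; public :22 is the redirect`. The same nil-attribute concern applies here as in the default template: an unset `node['peers']['integration']` renders `-s  -p tcp`, which iptables-restore rejects, and on the public-facing host that failure mode should be a hard error in the recipe rather than a silently broken ruleset.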