Download as
Browse Code »

Commit 39b95e6e10367375f814e7f76e7bb761c8300792

Authored by Antonio Terceiro
2 parents d5c736f2 c2a84f0f
Exists in master and in 90 other branches 3.x, add_sisp_to_chef, add_super_archives_plugin, api_for_colab, automates_core_packing, backup, backup_not_prod, cdtc_configuration, changes_in_buttons_on_content_panel, colab_automated_login, colab_spb_plugin_recipe, colab_widgets_settings, design_validation, dev-lappis, dev_env_minimal, disable_email_dev, docs, fix_breadcrumbs_position, fix_categories_software_link, fix_edit_institution, fix_edit_software_with_another_license, fix_get_license_info, fix_gitlab_assets_permission, fix_list_style_inside_article, fix_list_style_on_folder_elements, fix_members_pagination, fix_merge_request_url, fix_models_translations, fix_no_license, fix_software_api, fix_software_block_migration, fix_software_communities_translations, fix_software_communities_unit_test, fix_style_create_institution_admin_panel, fix_superarchives_imports, fix_sym_links_noosfero, focus_search_field_theme, gov-user-refactoring, gov-user-refactoring-rails4, header_fix, institution_modal_on_rating, kalibro-conf-refactoring, kalibro-processor-package, lxc_settings, margin_fix, mezuro_cookbook, performance, prezento, r3, refactor_download_block, refactor_software_communities, refactor_software_for_sisp, register_page, release-process, release-process-v2, remove-unused-images, remove_backup_emails, remove_broken_theme, remove_secondary_email_from_user, remove_sisp_buttons, removing_super_archives_email, review_message, scope2method, signals_user_noosfero, sisp_catalog_header, sisp_colab_config, sisp_dev, sisp_dev_master, sisp_simple_version, software_as_organization, software_catalog_style_fix, software_communities_html_refactor, software_infos_api, spb_minimal_env, spb_to_rails4, spec_refactor, stable-4.1, stable-4.2, stable-4.x, stable-devel, support_docs, syslog, temp_soft_comm_refactoring, theme_header, theme_javascript_refactory, thread_dropdown, thread_page, update_search_by_categories, update_software_api, update_softwares_boxes

Merge branch 'firewall' into 'master' 

Firewall management

See merge request !13
Showing 16 changed files with 120 additions and 21 deletions   Show diff stats
@@ -6,3 +6,5 @@ @@ -6,3 +6,5 @@
6 /docs/_build 6 /docs/_build
7 /.*.html 7 /.*.html
8 /local.rake 8 /local.rake
  9 +*.swp
  10 +*.swo
@@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local') @@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local')
9 ssh_config_file = "config/#{$SPB_ENV}/ssh_config" 9 ssh_config_file = "config/#{$SPB_ENV}/ssh_config"
10 ips_file = "config/#{$SPB_ENV}/ips.yaml" 10 ips_file = "config/#{$SPB_ENV}/ips.yaml"
11 config_file = "config/#{$SPB_ENV}/config.yaml" 11 config_file = "config/#{$SPB_ENV}/config.yaml"
  12 +iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules"
12 13
13 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file 14 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file
14 15
@@ -20,9 +21,11 @@ end @@ -20,9 +21,11 @@ end
20 21
21 config = YAML.load_file(config_file) 22 config = YAML.load_file(config_file)
22 ips = YAML.load_file(ips_file) 23 ips = YAML.load_file(ips_file)
  24 +firewall = File.open(iptables_file).read
23 $nodes.each do |node| 25 $nodes.each do |node|
24 node.data['config'] = config 26 node.data['config'] = config
25 node.data['peers'] = ips 27 node.data['peers'] = ips
  28 + node.data['firewall'] = firewall
26 end 29 end
27 30
28 task :console do 31 task :console do
config/development/iptables-filter-rules 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,23 @@ @@ -0,0 +1,23 @@
  1 +
  2 +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  3 +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
  4 +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
  5 +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  6 +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  7 +
  8 +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  9 +
  10 +
  11 +# UnB
  12 +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
  13 +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  14 +
  15 +
  16 +# Sergio Oliveira
  17 +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  18 +
  19 +
  20 +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  21 +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
  22 +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
  23 +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
config/local/iptables-filter-rules 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,4 @@ @@ -0,0 +1,4 @@
  1 +
  2 +# Accept SSH connection from virtualbox host
  3 +-A INPUT -s 10.10.10.1 -p tcp -m state --state NEW --dport 22 -j ACCEPT
  4 +-A INPUT -s 10.0.2.2 -p tcp -m state --state NEW --dport 22 -j ACCEPT
config/production/iptables-filter-rules 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,2 @@ @@ -0,0 +1,2 @@
  1 +
  2 +# No environment rules
cookbooks/firewall/recipes/default.rb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
  1 +
  2 +package 'iptables-services'
  3 +
  4 +service 'iptables' do
  5 + action [:enable, :start]
  6 + supports :restart => true
  7 +end
  8 +
  9 +template '/etc/sysconfig/iptables' do
  10 + owner 'root'
  11 + group 'root'
  12 + mode 0644
  13 + notifies :restart, 'service[iptables]'
  14 +end
cookbooks/firewall/templates/default/iptables.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
  1 +
  2 +### FILTER RULES ###
  3 +
  4 +*filter
  5 +
  6 +:INPUT ACCEPT [0:0]
  7 +:FORWARD ACCEPT [0:0]
  8 +:OUTPUT ACCEPT [0:0]
  9 +
  10 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  11 +
  12 +-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
  13 +-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
  14 +-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
  15 +-A INPUT -p icmp --icmp-type 4 -j ACCEPT
  16 +-A INPUT -p icmp --icmp-type 11 -j ACCEPT
  17 +-A INPUT -p icmp --icmp-type 12 -j ACCEPT
  18 +
  19 +-A INPUT -i lo -j ACCEPT
  20 +
  21 +# Everybody need to accept SSH from reverseproxy
  22 +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
  23 +
  24 +<%= node['firewall'] %>
  25 +<%= render 'iptables-filter.erb' %>
  26 +
  27 +-A INPUT -j LOG --log-prefix "Firewall INPUT: "
  28 +-A INPUT -j DROP
  29 +-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
  30 +-A FORWARD -j DROP
  31 +
  32 +COMMIT
  33 +
  34 +
  35 +*nat
  36 +<%= render 'iptables-nat.erb' %>
  37 +COMMIT
cookbooks/firewall/templates/host-database/iptables-filter.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,7 @@ @@ -0,0 +1,7 @@
  1 +
  2 +# Allow access to PostgreSQL
  3 +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 5432 -j ACCEPT
  4 +-A INPUT -s <%= node['peers']['social'] %> -p tcp -m state --state NEW --dport 5432 -j ACCEPT
  5 +
  6 +# Allow access to Redis
  7 +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 6379 -j ACCEPT
cookbooks/firewall/templates/host-email/iptables-filter.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
  1 +
  2 +# Allow access to Postfix
  3 +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT
  4 +-A INPUT -s <%= node['peers']['social'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT
  5 +-A INPUT -s <%= node['peers']['database'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT
  6 +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT
cookbooks/firewall/templates/host-integration/iptables-filter.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,3 @@ @@ -0,0 +1,3 @@
  1 +
  2 +# Allow HTTP access
  3 +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,9 @@ @@ -0,0 +1,9 @@
  1 +
  2 +# HTTP Ports
  3 +-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
  4 +
  5 +# Port redirect to gitlab host (integration)
  6 +-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
  7 +
  8 +# Real SSH connection
  9 +-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,6 @@ @@ -0,0 +1,6 @@
  1 +
  2 +# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH)
  3 +
  4 +-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
  5 +
  6 +-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
cookbooks/firewall/templates/host-social/iptables-filter.erb 0 → 100644
  Diff comments   View file @39b95e6
@@ -0,0 +1,3 @@ @@ -0,0 +1,3 @@
  1 +
  2 +# Allow integration connect to HTTP
  3 +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
cookbooks/reverse_proxy/recipes/default.rb
  Diff comments   View file @39b95e6
1 -package 'iptables-services'  
2 -  
3 -service 'iptables' do  
4 - action [:enable, :start]  
5 - supports :restart => true  
6 -end  
7 -  
8 -template '/etc/sysconfig/iptables' do  
9 - owner 'root'  
10 - group 'root'  
11 - mode 0644  
12 - notifies :restart, 'service[iptables]'  
13 -end  
14 1
15 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do 2 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
16 owner 'root' 3 owner 'root'
cookbooks/reverse_proxy/templates/iptables.erb
View file @d5c736f
@@ -1,7 +0,0 @@ @@ -1,7 +0,0 @@
1 -*nat  
2 -  
3 -# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH  
4 --A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22  
5 --A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>  
6 -  
7 -COMMIT  
roles/server.rb
  Diff comments   View file @39b95e6
1 name 'server' 1 name 'server'
2 description 'Common configuration for all servers' 2 description 'Common configuration for all servers'
3 -run_list 'recipe[basics]', 'recipe[email::client]' 3 +run_list 'recipe[basics]', 'recipe[firewall]', 'recipe[email::client]'