diff --git a/cookbooks/firewall/templates/default/development.erb b/cookbooks/firewall/templates/default/development.erb
new file mode 100644
index 0000000..defa4ba
--- /dev/null
+++ b/cookbooks/firewall/templates/default/development.erb
@@ -0,0 +1,35 @@
+
+<% content_for :iptables_filter do %>
+
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# UnB
+-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Sergio Oliveira
+-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+#i Antonio Terceiro
+-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+
+
+-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
+
+<% end %>
+
+<%= render 'firewall-common.erb' %>
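Review bot: The `--dport 5432` and `--dports 22,80,5432` lines accept the PostgreSQL port from several public /32 and /26 sources, so the database listener is reachable from outside the 10.18.0.0/16 network; if those are developer addresses this should be stated in the template, and ideally 5432 limited to the private range with remote access going over SSH instead. The per-person source lists are hard-coded in the template rather than read from node attributes, so rotating a re-assigned or leaked address becomes a cookbook change; a loop such as `<% node['firewall']['allowed_sources'].each do |src| %>` (attribute name constructed, pick one that fits the cookbook) would keep the template stable while the data moves to roles or environments. The comment `#i Antonio Terceiro` looks like a typo for `# Antonio Terceiro`. As a style point, `-m state --state NEW` is the deprecated spelling of `-m conntrack --ctstate NEW`; both match the same connection state on current kernels.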
diff --git a/cookbooks/firewall/templates/default/firewall-common.erb b/cookbooks/firewall/templates/default/firewall-common.erb
new file mode 100644
index 0000000..f422758
--- /dev/null
+++ b/cookbooks/firewall/templates/default/firewall-common.erb
@@ -0,0 +1,37 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= yield :iptables_filter %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+### NAT Rules ###
+
+*nat
+
+<%= yield :iptables_nat %>
+
+COMMIT
diff --git a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
new file mode 100644
index 0000000..6f1ab55
--- /dev/null
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
@@ -0,0 +1,10 @@
+
+<% content_for :iptables_nat do %>
+
+# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
+
+<% end %>
+
+<%= render 'development.erb' %>
diff --git a/cookbooks/reverse_proxy/recipes/default.rb b/cookbooks/reverse_proxy/recipes/default.rb
index 0349ce2..97b38b3 100644
--- a/cookbooks/reverse_proxy/recipes/default.rb
+++ b/cookbooks/reverse_proxy/recipes/default.rb
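Review bot: The built-in chains keep `:INPUT ACCEPT [0:0]` and `:FORWARD ACCEPT [0:0]` as their policy while the real default-deny is the trailing `-A INPUT -j DROP` and `-A FORWARD -j DROP` rules, so a flushed or partially restored chain fails open; declaring `:INPUT DROP [0:0]` and `:FORWARD DROP [0:0]` makes the policy fail closed and the explicit DROP rules can stay as documentation. The two LOG rules have no rate limit, so a port scan or flood writes to the kernel log at line rate; `-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Firewall INPUT: "` (and the same for FORWARD) bounds that. FORWARD also has no `-m state --state RELATED,ESTABLISHED -j ACCEPT` rule, which matters for the DNAT block in host-reverseproxy/iptables.erb and is raised on that hunk.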
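Review bot: Packets rewritten by the `-A PREROUTING ... -j DNAT --to-destination <%= node['peers']['integration'] %>:22` rule are routed on to the integration host and therefore traverse the FORWARD chain, not INPUT, and firewall-common.erb's FORWARD chain consists only of LOG followed by DROP; the git-push-over-SSH path this block exists for appears to be dropped now that a filter table is rendered, whereas the deleted cookbooks/reverse_proxy/templates/iptables.erb emitted only the nat table and left FORWARD unfiltered. Forwarding additionally depends on IP forwarding being enabled on the host, which nothing in this commit shows. Adding `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` and `-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT` to the filter rules for this host would restore it, though whether a second `content_for :iptables_filter` block here is merged with the one in development.erb depends on the content_for helper, which is not in the diff. Rendering `development.erb` from a host-specific template also gives the reverse proxy the development rule set unconditionally; if that is intended, a one-line comment saying so would save the next reader the question.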
@@ -1,16 +1,3 @@
-package 'iptables-services'
-
-service 'iptables' do
-  action [:enable, :start]
-  supports :restart => true
-end
-
-template '/etc/sysconfig/iptables' do
-  owner 'root'
-  group 'root'
-  mode 0644
-  notifies :restart, 'service[iptables]'
-end
 
 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
   owner 'root'
diff --git a/cookbooks/reverse_proxy/templates/iptables.erb b/cookbooks/reverse_proxy/templates/iptables.erb
deleted file mode 100644
index a660bef..0000000
--- a/cookbooks/reverse_proxy/templates/iptables.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-*nat
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-COMMIT
diff --git a/firewall/templates/default/firewall-common.erb b/firewall/templates/default/firewall-common.erb
deleted file mode 100644
index cd591db..0000000
--- a/firewall/templates/default/firewall-common.erb
+++ /dev/null
@@ -1 +0,0 @@
-bla bla bla
diff --git a/firewall/templates/host-database/iptables.erb b/firewall/templates/host-database/iptables.erb
deleted file mode 100644
index f793b15..0000000
--- a/firewall/templates/host-database/iptables.erb
+++ /dev/null
@@ -1,3 +0,0 @@
-<%= render 'firewall-common.erb' %>
-
-# regra specificas ...
diff --git a/roles/server.rb b/roles/server.rb
index 42fcec6..e6aa725 100644
--- a/roles/server.rb
+++ b/roles/server.rb
@@ -1,3 +1,3 @@
 name 'server'
 description 'Common configuration for all servers'
-run_list 'recipe[basics]', 'recipe[email::client]'
+run_list 'recipe[basics]', 'recipe[firewall]', 'recipe[email::client]'
-- 
libgit2 0.21.2
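Review bot: `recipe[firewall]` is added to the run_list of every server, but the commit adds only templates under cookbooks/firewall while removing the iptables package, service and template resources from cookbooks/reverse_proxy/recipes/default.rb; no cookbooks/firewall/recipes/default.rb, metadata, or host-to-template selection (the `host-reverseproxy/` directory) appears in the diff. If that recipe already exists outside this commit this is fine; otherwise the role fails to converge and the reverse proxy's iptables service is no longer managed by anything. A short comment on the run_list line noting that `firewall` selects a per-host rule set would help readers of the role, since the role itself gives no hint that the rules differ by host.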