Download as
Browse Code »

Commit ad74ff80ad44ac6a0430dcd9070772a6392bf576

Authored by Sergio Oliveira
1 parent 8052d0dc
Exists in master and in 90 other branches 3.x, add_sisp_to_chef, add_super_archives_plugin, api_for_colab, automates_core_packing, backup, backup_not_prod, cdtc_configuration, changes_in_buttons_on_content_panel, colab_automated_login, colab_spb_plugin_recipe, colab_widgets_settings, design_validation, dev-lappis, dev_env_minimal, disable_email_dev, docs, fix_breadcrumbs_position, fix_categories_software_link, fix_edit_institution, fix_edit_software_with_another_license, fix_get_license_info, fix_gitlab_assets_permission, fix_list_style_inside_article, fix_list_style_on_folder_elements, fix_members_pagination, fix_merge_request_url, fix_models_translations, fix_no_license, fix_software_api, fix_software_block_migration, fix_software_communities_translations, fix_software_communities_unit_test, fix_style_create_institution_admin_panel, fix_superarchives_imports, fix_sym_links_noosfero, focus_search_field_theme, gov-user-refactoring, gov-user-refactoring-rails4, header_fix, institution_modal_on_rating, kalibro-conf-refactoring, kalibro-processor-package, lxc_settings, margin_fix, mezuro_cookbook, performance, prezento, r3, refactor_download_block, refactor_software_communities, refactor_software_for_sisp, register_page, release-process, release-process-v2, remove-unused-images, remove_backup_emails, remove_broken_theme, remove_secondary_email_from_user, remove_sisp_buttons, removing_super_archives_email, review_message, scope2method, signals_user_noosfero, sisp_catalog_header, sisp_colab_config, sisp_dev, sisp_dev_master, sisp_simple_version, software_as_organization, software_catalog_style_fix, software_communities_html_refactor, software_infos_api, spb_minimal_env, spb_to_rails4, spec_refactor, stable-4.1, stable-4.2, stable-4.x, stable-devel, support_docs, syslog, temp_soft_comm_refactoring, theme_header, theme_javascript_refactory, thread_dropdown, thread_page, update_search_by_categories, update_software_api, update_softwares_boxes

Using content_dor and yield to include firewall data

Showing 8 changed files with 83 additions and 25 deletions   Show diff stats
cookbooks/firewall/templates/default/development.erb 0 → 100644
  Diff comments   View file @ad74ff8
@@ -0,0 +1,35 @@ @@ -0,0 +1,35 @@
  1 +
  2 +<% content_for :iptables_filter do %>
  3 +
  4 +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  5 +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
  6 +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
  7 +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  8 +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  9 +
  10 +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  11 +
  12 +
  13 +# UnB
  14 +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
  15 +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  16 +
  17 +
  18 +# Sergio Oliveira
  19 +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  20 +-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  21 +
  22 +
  23 +#i Antonio Terceiro
  24 +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  25 +-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
  26 +
  27 +
  28 +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
  29 +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
  30 +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
  31 +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
  32 +
  33 +<% end %>
  34 +
  35 +<%= render 'firewall-common.erb' %>
cookbooks/firewall/templates/default/firewall-common.erb 0 → 100644
  Diff comments   View file @ad74ff8
@@ -0,0 +1,37 @@ @@ -0,0 +1,37 @@
  1 +
  2 +### FILTER RULES ###
  3 +
  4 +*filter
  5 +
  6 +:INPUT ACCEPT [0:0]
  7 +:FORWARD ACCEPT [0:0]
  8 +:OUTPUT ACCEPT [0:0]
  9 +
  10 +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  11 +
  12 +-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
  13 +-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
  14 +-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
  15 +-A INPUT -p icmp --icmp-type 4 -j ACCEPT
  16 +-A INPUT -p icmp --icmp-type 11 -j ACCEPT
  17 +-A INPUT -p icmp --icmp-type 12 -j ACCEPT
  18 +
  19 +-A INPUT -i lo -j ACCEPT
  20 +
  21 +<%= yield :iptables_filter %>
  22 +
  23 +-A INPUT -j LOG --log-prefix "Firewall INPUT: "
  24 +-A INPUT -j DROP
  25 +-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
  26 +-A FORWARD -j DROP
  27 +
  28 +COMMIT
  29 +
  30 +
  31 +### NAT Rules ###
  32 +
  33 +*nat
  34 +
  35 +<%= yield :iptables_nat %>
  36 +
  37 +COMMIT
cookbooks/firewall/templates/host-reverseproxy/iptables.erb 0 → 100644
  Diff comments   View file @ad74ff8
@@ -0,0 +1,10 @@ @@ -0,0 +1,10 @@
  1 +
  2 +<% content_for :iptables_nat do %>
  3 +
  4 +# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
  5 +-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
  6 +-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
  7 +
  8 +<% end %>
  9 +
  10 +<%= render 'development.erb' %>
cookbooks/reverse_proxy/recipes/default.rb
  Diff comments   View file @ad74ff8
1 -package 'iptables-services'  
2 -  
3 -service 'iptables' do  
4 - action [:enable, :start]  
5 - supports :restart => true  
6 -end  
7 -  
8 -template '/etc/sysconfig/iptables' do  
9 - owner 'root'  
10 - group 'root'  
11 - mode 0644  
12 - notifies :restart, 'service[iptables]'  
13 -end  
14 1
15 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do 2 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
16 owner 'root' 3 owner 'root'
cookbooks/reverse_proxy/templates/iptables.erb
View file @8052d0d
@@ -1,7 +0,0 @@ @@ -1,7 +0,0 @@
1 -*nat  
2 -  
3 -# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH  
4 --A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22  
5 --A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>  
6 -  
7 -COMMIT  
firewall/templates/default/firewall-common.erb
View file @8052d0d
@@ -1 +0,0 @@ @@ -1 +0,0 @@
1 -bla bla bla  
firewall/templates/host-database/iptables.erb
View file @8052d0d
@@ -1,3 +0,0 @@ @@ -1,3 +0,0 @@
1 -<%= render 'firewall-common.erb' %>  
2 -  
3 -# regra specificas ...  
roles/server.rb
  Diff comments   View file @ad74ff8
1 name 'server' 1 name 'server'
2 description 'Common configuration for all servers' 2 description 'Common configuration for all servers'
3 -run_list 'recipe[basics]', 'recipe[email::client]' 3 +run_list 'recipe[basics]', 'recipe[firewall]', 'recipe[email::client]'