Commit df683687f3bf6d33443509a62d87679062dbf51e
1 parent
ad74ff80
Manage firewall rules using templates and envs
Showing
13 changed files
with
99 additions
and
82 deletions
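--- a/Rakefile
+++ b/Rakefile
@@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local')
 ssh_config_file = "config/#{$SPB_ENV}/ssh_config"
 ips_file = "config/#{$SPB_ENV}/ips.yaml"
 config_file = "config/#{$SPB_ENV}/config.yaml"
+iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules"
 
 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file
 
@@ -20,9 +21,11 @@ end
 
 config = YAML.load_file(config_file)
 ips = YAML.load_file(ips_file)
+firewall = File.open(iptables_file).read
 $nodes.each do |node|
   node.data['config'] = config
   node.data['peers'] = ips
+  node.data['firewall'] = firewall
 end
 
 task :console do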
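Review bot: `File.open(iptables_file).read` on new line 24 opens a file handle that is never closed; `firewall = File.read(iptables_file)` reads and closes in one call. Because this runs at Rakefile load time rather than inside a task, every rake invocation for an env now fails unless `config/<env>/iptables-filter-rules` exists — presumably intended, but worth stating with a comment such as `# per-env iptables INPUT allowlist, spliced verbatim into /etc/sysconfig/iptables by the firewall cookbook`.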
... | ... | @@ -0,0 +1,29 @@ |
1 | + | |
2 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
3 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
4 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
5 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
6 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
7 | + | |
8 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
9 | + | |
10 | + | |
11 | +# UnB | |
12 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
13 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
14 | + | |
15 | + | |
16 | +# Sergio Oliveira | |
17 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
18 | +-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
19 | + | |
20 | + | |
21 | +# Antonio Terceiro | |
22 | +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
23 | +-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
24 | + | |
25 | + | |
26 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
27 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
28 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
29 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT | ... | ... |
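Review bot: The first two groups of rules (the 200.198.196.192/26 network on lines 2-6 and 189.9.150.85 on line 8) carry no comment saying which organisation or role they belong to, while the later groups are labelled (`# UnB`, `# Sergio Oliveira`, `# Antonio Terceiro`). Since this file is now the per-environment allowlist that ends up verbatim in `/etc/sysconfig/iptables`, each source block should name its owner so stale entries can be recognised and pruned; e.g. add `# <owner of 200.198.196.192/26 — fill in>` above line 2 and a matching comment above line 8. The file's path is not shown on this page; it is presumably the `config/<env>/iptables-filter-rules` read by the Rakefile.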
... | ... | @@ -0,0 +1,14 @@ |
1 | + | |
2 | +package 'iptables-services' | |
3 | + | |
4 | +service 'iptables' do | |
5 | + action [:enable, :start] | |
6 | + supports :restart => true | |
7 | +end | |
8 | + | |
9 | +template '/etc/sysconfig/iptables' do | |
10 | + owner 'root' | |
11 | + group 'root' | |
12 | + mode 0644 | |
13 | + notifies :restart, 'service[iptables]' | |
14 | +end | ... | ... |
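Review bot: `mode 0644` on the new `/etc/sysconfig/iptables` template makes the full allowlist of trusted source addresses and open ports readable by every local user; the file is consumed only by the root-run iptables service, so `mode '0600'` (string form, as Chef recommends) is sufficient. The resource also gives no `source`, so Chef will look for `iptables.erb`; this commit deletes `host-reverseproxy/iptables.erb` and adds `default/iptables-filter.erb`, so unless one of the files not shown on this page provides `iptables.erb`, the intended entry point needs `source 'iptables-filter.erb'`. The recipe's own path is not shown on this page.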
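--- a/cookbooks/firewall/templates/default/development.erb
+++ b/cookbooks/firewall/templates/default/development.erb
@@ -1,35 +0,0 @@
-
-<% content_for :iptables_filter do %>
-
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-
--A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# UnB
--A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
--A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# Sergio Oliveira
--A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-#i Antonio Terceiro
--A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-
-
--A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
-
-<% end %>
-
-<%= render 'firewall-common.erb' %>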
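--- a/cookbooks/firewall/templates/default/firewall-common.erb
+++ b/cookbooks/firewall/templates/default/firewall-common.erb
@@ -1,37 +0,0 @@
-
-### FILTER RULES ###
-
-*filter
-
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
--A INPUT -p icmp --icmp-type 4 -j ACCEPT
--A INPUT -p icmp --icmp-type 11 -j ACCEPT
--A INPUT -p icmp --icmp-type 12 -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
-
-<%= yield :iptables_filter %>
-
--A INPUT -j LOG --log-prefix "Firewall INPUT: "
--A INPUT -j DROP
--A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
--A FORWARD -j DROP
-
-COMMIT
-
-
-### NAT Rules ###
-
-*nat
-
-<%= yield :iptables_nat %>
-
-COMMIT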
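--- a/cookbooks/firewall/templates/default/iptables-filter.erb
+++ b/cookbooks/firewall/templates/default/iptables-filter.erb
new file mode 100644
@@ -0,0 +1,34 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= node['firewall'] %>
+<%= render 'iptables-filter.erb' %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+*nat
+<%= render 'iptables-nat.erb' %>
+COMMIT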
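Review bot: Line 22 has this template render a partial with its own file name, `<%= render 'iptables-filter.erb' %>`; Chef resolves partials through the same host-/platform-/default lookup as the template itself, so on any node without a `host-<name>/iptables-filter.erb` the partial resolves back to this file and the render recurses until it fails (the `iptables-nat.erb` render on line 33 would instead fail as missing). If every node is meant to supply both partials, state that contract at the top, e.g. `<%# Requires host-specific iptables-filter.erb and iptables-nat.erb partials for every node %>`; otherwise give the partials a name distinct from this template. Whether the files not shown on this page add those partials for the other hosts cannot be told from here.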
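--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
new file mode 100644
@@ -0,0 +1,9 @@
+
+# HTTP Ports
+-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Port redirect to gitlab host (integration)
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+# Real SSH connection
+-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT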
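Review bot: Line 9 interpolates `node['config']['alt_ssh_port']` straight into `--dport`; if the key is absent from an env's `config.yaml`, ERB renders an empty string, `iptables-restore` rejects the whole file, and the service restart leaves the host without the intended ruleset instead of failing the converge. Use `node['config'].fetch('alt_ssh_port')` so a missing value raises at render time; the same applies to the `node['peers'][...]` lookups in `host-reverseproxy/iptables-nat.erb`. The comment `# Port redirect to gitlab host (integration)` on line 5 refers to a rule that lives in the other template; `# port 22 is DNATed to the integration host, see iptables-nat.erb` would make the link explicit.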
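--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
new file mode 100644
@@ -0,0 +1,6 @@
+
+# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH)
+
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>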
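--- a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
@@ -1,10 +0,0 @@
-
-<% content_for :iptables_nat do %>
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-<% end %>
-
-<%= render 'development.erb' %>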