Commit f1a4facfb49f4f99cbf619d29b98c7ef8fd329b4

Authored by Antonio Terceiro
1 parent e6a4c887

monitoring: manage firewall

cookbooks/firewall/templates/default/iptables.erb
... ... @@ -16,10 +16,12 @@
16 16 -A INPUT -p icmp --icmp-type 11 -j ACCEPT
17 17 -A INPUT -p icmp --icmp-type 12 -j ACCEPT
18 18  
  19 +<% if node['config'] && node['config']['munin_master'] %>
19 20 # allow ping between the peers
20 21 <% node['peers'].each do |hostname,ip| %>
21 22 -A INPUT -s <%= ip %> -p icmp --icmp-type 8 -j ACCEPT
22 23 <% end %>
  24 +<% end %>
23 25  
24 26 -A INPUT -i lo -j ACCEPT
25 27  
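Review bot: the guard added on lines 19 and 24 ties the peer ICMP rules to `node['config']['munin_master']`, which is unrelated to whether the node has peers: a host with peers but no munin master silently loses its ping rules, and a host with a munin master but no `node['peers']` still raises on `.each`. Guard on the data the loop actually uses, e.g. `<% if node['peers'] %>`, and keep the munin condition for the munin rule alone.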
... ... @@ -27,7 +29,9 @@
27 29 -A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
28 30  
29 31 # Everybody needs to accept munin connections from munin master
  32 +<% if node['config'] && node['config']['munin_master'] %>
30 33 -A INPUT -s <%= node['config']['munin_master'] %> -p tcp -m state --state NEW --dport 4949 -j ACCEPT
  34 +<% end %>
31 35  
32 36 <%= node['firewall'] %>
33 37 <%= render 'iptables-filter.erb' %>
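Review bot: the guard on lines 32-34 is correct for the munin rule, but the unchanged line 29 still interpolates `node['peers']['integration']` unconditionally; on a node whose peers hash lacks that key the template renders `-A INPUT -s  -p tcp ...`, which iptables-restore rejects at load time. Apply the same nil guard there, or raise early with a clear message. The repeated `node['config'] && node['config']['munin_master']` condition would also read better as a single local assigned once at the top of the template.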
cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb 0 → 100644
... ... @@ -0,0 +1,3 @@
  1 +# HTTP ports
  2 +
  3 +-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
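Review bot: the comment on line 1 says "HTTP ports" but the rule on line 3 opens 443 as well, and it accepts from any source. Because `monitoring/iptables-filter-rules` only allows port 80 from specific source ranges and this file is rendered right after it, the unrestricted rule supersedes that restriction for port 80. If the status page is meant to be public, say so in the comment (and call it HTTP/HTTPS); otherwise drop 80 here or add a `-s` restriction.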
cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb 0 → 100644
monitoring/Rakefile
... ... @@ -10,7 +10,9 @@ ENV['CHAKE_SSH_CONFIG'] = File.join(basedir, 'ssh_config')
10 10 require 'chake'
11 11  
12 12 ips = YAML.load_file('config/prod/ips.yaml')
  13 +firewall = File.read('monitoring/iptables-filter-rules')
13 14 $nodes.each do |node|
14 15 node.data['environment'] = 'prod'
15 16 node.data['peers'] = ips
  17 + node.data['firewall'] = firewall
16 18 end
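Review bot: `File.read('monitoring/iptables-filter-rules')` on line 13 is resolved against the process working directory, so running `rake` from inside `monitoring/` fails with ENOENT even though the `ssh_config` line in the hunk header already anchors on `basedir`; use `File.join(basedir, ...)` here (adjusted for where the file sits relative to `basedir`), and the same applies to `config/prod/ips.yaml` on line 12. The rules are also attached to every node in `$nodes`; if the filter is intentionally shared by all hosts, a one-line comment saying so would spare the next reader from checking.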
monitoring/iptables-filter-rules 0 → 100644
... ... @@ -0,0 +1,11 @@
  1 +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  2 +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
  3 +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  4 +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  5 +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  6 +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  7 +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
  8 +-A INPUT -s 10.21.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80 -j ACCEPT
  9 +-A INPUT -s 10.21.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
  10 +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
  11 +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
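Review bot: none of these rules records who the source addresses belong to, which makes the allowlist hard to audit when an address is reassigned or a person leaves; add a `#` comment above each group (iptables-restore ignores comment lines) or use `-m comment --comment '...'` so the intent also shows up in `iptables -L`. The rule on line 8 opens 22 and 80 to the whole `10.21.0.0/16` range while the public SSH sources on lines 3-7 are pinned to single /32s; worth confirming that breadth is intended rather than a convenience.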
monitoring/nodes.yaml
1 1 status.softwarepublico.gov.br:
2 2 run_list:
3 3 - recipe[basics]
  4 + - recipe[firewall]
4 5 - role[monitoring_server]
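Review bot: with `recipe[firewall]` added here, the new guard in `iptables.erb` means this node only gets the munin port 4949 rule if `node['config']['munin_master']` is set somewhere in its data; nothing in this commit sets it for `status.softwarepublico.gov.br`, so if the host is itself meant to be polled by the munin master, confirm that key is supplied, otherwise the rule is silently skipped.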