From f1a4facfb49f4f99cbf619d29b98c7ef8fd329b4 Mon Sep 17 00:00:00 2001
From: Antonio Terceiro
Date: Thu, 13 Aug 2015 17:27:20 -0300
Subject: [PATCH] monitoring: manage firewall

---
 cookbooks/firewall/templates/default/iptables.erb | 4 ++++
 cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb | 3 +++
 cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb | 0
 monitoring/Rakefile | 2 ++
 monitoring/iptables-filter-rules | 11 +++++++++++
 monitoring/nodes.yaml | 1 +
 6 files changed, 21 insertions(+), 0 deletions(-)
 create mode 100644 cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb
 create mode 100644 cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb
 create mode 100644 monitoring/iptables-filter-rules

diff --git a/cookbooks/firewall/templates/default/iptables.erb b/cookbooks/firewall/templates/default/iptables.erb
index ca2a20a..5167f5a 100644
--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -16,10 +16,12 @@
 -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 -A INPUT -p icmp --icmp-type 12 -j ACCEPT
 
+<% if node['config'] && node['config']['munin_master'] %>
 # allow ping between the peers
 <% node['peers'].each do |hostname,ip| %>
 -A INPUT -s <%= ip %> -p icmp --icmp-type 8 -j ACCEPT
 <% end %>
+<% end %>
 
 -A INPUT -i lo -j ACCEPT
 
@@ -27,7 +29,9 @@
 -A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
 # Everybody needs to accept munin connections from munin master
+<% if node['config'] && node['config']['munin_master'] %>
 -A INPUT -s <%= node['config']['munin_master'] %> -p tcp -m state --state NEW --dport 4949 -j ACCEPT
+<% end %>
 
 <%= node['firewall'] %>
 <%= render 'iptables-filter.erb' %>
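Review bot: The guard added around the peer ICMP echo loop tests `node['config']['munin_master']`, an attribute unrelated to peers, so the existing comment `# allow ping between the peers` no longer says when those ACCEPT rules are emitted, and a cluster whose nodes have peers but no configured munin master silently loses ping between its members. It looks like the attribute is being used as a proxy for "this node belongs to the production cluster" (the monitoring Rakefile in this same patch sets `peers` for the monitoring host, which presumably should not get these rules), but that intent is invisible here. Either state it in the template, e.g. `# munin_master is only set on production-cluster nodes; monitoring hosts skip the peer ping rules`, or guard on a dedicated, explicitly named attribute so the firewall does not change shape when the munin configuration does.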
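Review bot: `<%= node['firewall'] %>` is now a live injection point in the ruleset, spliced verbatim after the munin rule and before the per-host `iptables-filter.erb`, yet nothing in the template says where that text comes from or that it precedes the host-specific rules, so a broad ACCEPT placed there cannot be narrowed by the per-host file. A one-line comment above it would make the ordering contract explicit, e.g. `# environment-wide INPUT rules supplied by the Rakefile as node['firewall'] (renders empty when unset); host-specific rules follow`. Note also that the new guard pattern is applied to `munin_master` but the `node['peers']['integration']` SSH rule in the context lines above still dereferences `node['peers']` unguarded, so a node without peers fails rendering before reaching the munin guard; that is pre-existing, but worth a matching guard if the template is meant to work without peers.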
diff --git a/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb b/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb
new file mode 100644
index 0000000..f53384d
--- /dev/null
+++ b/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb
@@ -0,0 +1,3 @@
+# HTTP ports
+
+-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
diff --git a/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb b/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb
diff --git a/monitoring/Rakefile b/monitoring/Rakefile
index a20de46..ce6b1a2 100644
--- a/monitoring/Rakefile
+++ b/monitoring/Rakefile
@@ -10,7 +10,9 @@ ENV['CHAKE_SSH_CONFIG'] = File.join(basedir, 'ssh_config')
 require 'chake'
 
 ips = YAML.load_file('config/prod/ips.yaml')
+firewall = File.read('monitoring/iptables-filter-rules')
 $nodes.each do |node|
   node.data['environment'] = 'prod'
   node.data['peers'] = ips
+  node.data['firewall'] = firewall
 end
diff --git a/monitoring/iptables-filter-rules b/monitoring/iptables-filter-rules
new file mode 100644
index 0000000..a49dd2f
--- /dev/null
+++ b/monitoring/iptables-filter-rules
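Review bot: The multiport ACCEPT for 80,443 carries no `-s`, so the status host accepts HTTP and HTTPS from any source, which turns the source-restricted `--dport 80` rules that this same patch adds in monitoring/iptables-filter-rules (200.198.196.192/26 and 10.21.0.0/16) into dead rules on that host, and it opens 443 which those rules never mention. If the status page is intentionally public, say so here, e.g. `# status page is intentionally reachable from anywhere on 80/443; the source-limited port-80 rules in node['firewall'] are redundant on this host`, and drop the redundant entries so there is one source of truth. If it is not, restrict the rule to the trusted ranges: `-A INPUT -s <trusted-cidr> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT`, one line per range. Either way the exposure of a monitoring UI to the whole Internet should be a deliberate, documented decision rather than an artefact of rule ordering.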
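Review bot: `File.read('monitoring/iptables-filter-rules')` resolves against the process working directory, so the Rakefile only produces a firewall when rake is run from the repository root, whereas the `ENV['CHAKE_SSH_CONFIG']` line in the hunk header anchors its path on `basedir`. If `basedir` is this Rakefile's directory (it is defined outside the hunk, so I cannot confirm), `firewall = File.read(File.join(basedir, 'iptables-filter-rules'))` removes that dependency; the `config/prod/ips.yaml` load has the same weakness but is pre-existing. Letting `File.read` raise on a missing file is the right fail-loud behaviour for an allow-list and should stay. A short comment would help the next reader: `# raw iptables INPUT rules spliced verbatim into every node's ruleset by the firewall cookbook (node['firewall'])`.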
@@ -0,0 +1,11 @@
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 10.21.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80 -j ACCEPT
+-A INPUT -s 10.21.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
diff --git a/monitoring/nodes.yaml b/monitoring/nodes.yaml
index d21cc6f..7147e0b 100644
--- a/monitoring/nodes.yaml
+++ b/monitoring/nodes.yaml
@@ -1,4 +1,5 @@
 status.softwarepublico.gov.br:
   run_list:
     - recipe[basics]
+    - recipe[firewall]
     - role[monitoring_server]
-- 
libgit2 0.21.2
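Review bot: None of the eleven rules records who or what the source address is, so when one of the five SSH /32s changes hands nobody can tell which entry to revoke, and this file is the inbound allow-list an auditor will read for every monitoring node. Each entry should carry an owner/purpose comment in iptables-restore comment syntax, e.g. `# <team or hostname> - admin SSH` above the `--dport 22` lines and `# <poller host> - agent port 10050 (presumably a Zabbix agent - confirm)` above the 189.9.137.239 pair, with a header line naming the file's role. The 10.21.0.0/16 entry grants SSH and HTTP to an entire /16; if that is the management network this is fine, otherwise it should be narrowed to the hosts that actually need it. Keeping `-m state --state NEW` on every TCP rule is consistent and should stay.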