Commit f1a4facfb49f4f99cbf619d29b98c7ef8fd329b4
1 parent
e6a4c887
monitoring: manage firewall
Showing
6 changed files
with
21 additions
and
0 deletions
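--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -16,10 +16,12 @@
 -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 -A INPUT -p icmp --icmp-type 12 -j ACCEPT
 
+<% if node['config'] && node['config']['munin_master'] %>
 # allow ping between the peers
 <% node['peers'].each do |hostname,ip| %>
 -A INPUT -s <%= ip %> -p icmp --icmp-type 8 -j ACCEPT
 <% end %>
+<% end %>
 
 -A INPUT -i lo -j ACCEPT
 
@@ -27,7 +29,9 @@
 -A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
 # Everybody needs to accept munin connections from munin master
+<% if node['config'] && node['config']['munin_master'] %>
 -A INPUT -s <%= node['config']['munin_master'] %> -p tcp -m state --state NEW --dport 4949 -j ACCEPT
+<% end %>
 
 <%= node['firewall'] %>
 <%= render 'iptables-filter.erb' %>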
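Review bot: The guard added in the first hunk, `<% if node['config'] && node['config']['munin_master'] %>` around the peer-ping block, tests a value that block never reads; the body iterates `node['peers']`, so a node that has peers but no `munin_master` silently loses its peer ICMP echo rules, and a node with `munin_master` but no `node['peers']` still raises on `.each`. If the condition is meant to protect against a missing attribute it should match what the body uses, `<% if node['peers'] %>`; if peer ping is deliberately tied to munin monitoring, a one-line comment stating that would save the next reader the same question. The guard in the second hunk is consistent with its body, which does read `node['config']['munin_master']`.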
cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-filter.erb
0 → 100644
cookbooks/firewall/templates/host-status.softwarepublico.gov.br/iptables-nat.erb
0 → 100644
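--- a/monitoring/Rakefile
+++ b/monitoring/Rakefile
@@ -10,7 +10,9 @@ ENV['CHAKE_SSH_CONFIG'] = File.join(basedir, 'ssh_config')
 require 'chake'
 
 ips = YAML.load_file('config/prod/ips.yaml')
+firewall = File.read('monitoring/iptables-filter-rules')
 $nodes.each do |node|
   node.data['environment'] = 'prod'
   node.data['peers'] = ips
+  node.data['firewall'] = firewall
 end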
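Review bot: `File.read('monitoring/iptables-filter-rules')` on the new line 13 resolves relative to the process working directory, unlike the `File.join(basedir, 'ssh_config')` shown in the hunk header, so invoking rake from any other directory raises `Errno::ENOENT` while the Rakefile is loaded and takes every task down with it, not only a firewall converge. If `basedir` refers to this directory (it is defined above the hunk, outside view), `firewall = File.read(File.join(basedir, 'iptables-filter-rules'))` would make the read invocation-independent; the existing `YAML.load_file('config/prod/ips.yaml')` carries the same relative-path assumption, so whichever convention is intended should be applied to both. Since the string is handed unchanged to every node and emitted verbatim by the template, a comment next to the read such as `# raw INPUT rules applied to all prod nodes; rendered as-is by iptables.erb` would document that coupling for whoever edits the rules file next.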
@@ -0,0 +1,11 @@ | @@ -0,0 +1,11 @@ | ||
1 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | ||
2 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | ||
3 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
4 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
5 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
6 | +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
7 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | ||
8 | +-A INPUT -s 10.21.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80 -j ACCEPT | ||
9 | +-A INPUT -s 10.21.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | ||
10 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | ||
11 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT |
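Review bot: The eleven new rules carry no indication of who or what each source range is, so a later reviewer cannot tell whether an SSH or port 10050 allowance for a single /32 is still needed or can be retired; this section's file header is not shown on the page, but it appears to be the file the Rakefile reads and inserts into every node's INPUT chain. iptables-restore accepts `#` comment lines, so a short comment above each group of sources, such as `# <owner or service, placeholder> - ssh from office range`, would record the justification next to the rule without changing what is loaded. Grouping the rules by source (the two `200.198.196.192/26` lines, the two `10.21.0.0/16` lines, the two `189.9.137.239/32` lines) is already done in part, and keeping that ordering consistent makes the file easier to audit.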