Commit df683687f3bf6d33443509a62d87679062dbf51e
1 parent
ad74ff80
Exists in
r5_design
and in
1 other branch
Manage firewall rules using templates and envs
Showing
13 changed files
with
99 additions
and
82 deletions
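--- a/Rakefile
+++ b/Rakefile
@@ -9,6 +9,7 @@ $SPB_ENV = ENV.fetch('SPB_ENV', 'local')
 ssh_config_file = "config/#{$SPB_ENV}/ssh_config"
 ips_file = "config/#{$SPB_ENV}/ips.yaml"
 config_file = "config/#{$SPB_ENV}/config.yaml"
+iptables_file = "config/#{$SPB_ENV}/iptables-filter-rules"
 
 ENV['CHAKE_SSH_CONFIG'] = ssh_config_file
 
@@ -20,9 +21,11 @@ end
 
 config = YAML.load_file(config_file)
 ips = YAML.load_file(ips_file)
+firewall = File.open(iptables_file).read
 $nodes.each do |node|
   node.data['config'] = config
   node.data['peers'] = ips
+  node.data['firewall'] = firewall
 end
 
 task :console do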
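Review bot: `File.open(iptables_file).read` on the new line 24 opens a descriptor that is never closed; `firewall = File.read(iptables_file)` reads and closes in one call and matches the one-shot style already used for `YAML.load_file` two lines above. Because the read runs at Rakefile load time, a missing `config/#{$SPB_ENV}/iptables-filter-rules` now aborts every rake task, firewall-related or not; if that is intended, a comment such as `# per-environment iptables INPUT rules, embedded verbatim by the firewall cookbook template` would tell the reader why the file is mandatory. The `$nodes.each` block is fully inside the hunk; the rest of the Rakefile is not.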
... | ... | @@ -0,0 +1,29 @@ |
1 | + | |
2 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
3 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
4 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
5 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
6 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
7 | + | |
8 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
9 | + | |
10 | + | |
11 | +# UnB | |
12 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
13 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
14 | + | |
15 | + | |
16 | +# Sergio Oliveira | |
17 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
18 | +-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
19 | + | |
20 | + | |
21 | +# Antonio Terceiro | |
22 | +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
23 | +-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
24 | + | |
25 | + | |
26 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
27 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
28 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
29 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT | ... | ... |
... | ... | @@ -0,0 +1,14 @@ |
1 | + | |
2 | +package 'iptables-services' | |
3 | + | |
4 | +service 'iptables' do | |
5 | + action [:enable, :start] | |
6 | + supports :restart => true | |
7 | +end | |
8 | + | |
9 | +template '/etc/sysconfig/iptables' do | |
10 | + owner 'root' | |
11 | + group 'root' | |
12 | + mode 0644 | |
13 | + notifies :restart, 'service[iptables]' | |
14 | +end | ... | ... |
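Review bot: The `template '/etc/sysconfig/iptables'` resource carries no `source`, so Chef will look for `iptables.erb`, whereas the template this commit adds under `templates/default/` is `iptables-filter.erb`; unless an `iptables.erb` exists among the changed files not shown on this page, the resource needs `source 'iptables-filter.erb'`. Every content change also restarts `service[iptables]`, and since the rendered file embeds `node['firewall']` verbatim, one malformed line in the per-environment rules file makes `iptables-restore` fail during the restart, which with `iptables-services` tends to leave the chains flushed (fail-open) rather than keeping the previous rule set; a `verify` clause on the resource, if the Chef version in use supports it, would reject a bad render before it touches the live firewall. This hunk is the whole file.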
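--- a/cookbooks/firewall/templates/default/development.erb
+++ b/cookbooks/firewall/templates/default/development.erb
@@ -1,35 +0,0 @@
-
-<% content_for :iptables_filter do %>
-
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
--A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
--A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-
--A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# UnB
--A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
--A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-# Sergio Oliveira
--A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
-
-
-#i Antonio Terceiro
--A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-
-
--A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
--A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
--A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
-
-<% end %>
-
-<%= render 'firewall-common.erb' %>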
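--- a/cookbooks/firewall/templates/default/firewall-common.erb
+++ b/cookbooks/firewall/templates/default/firewall-common.erb
@@ -1,37 +0,0 @@
-
-### FILTER RULES ###
-
-*filter
-
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
--A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
--A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
--A INPUT -p icmp --icmp-type 4 -j ACCEPT
--A INPUT -p icmp --icmp-type 11 -j ACCEPT
--A INPUT -p icmp --icmp-type 12 -j ACCEPT
-
--A INPUT -i lo -j ACCEPT
-
-<%= yield :iptables_filter %>
-
--A INPUT -j LOG --log-prefix "Firewall INPUT: "
--A INPUT -j DROP
--A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
--A FORWARD -j DROP
-
-COMMIT
-
-
-### NAT Rules ###
-
-*nat
-
-<%= yield :iptables_nat %>
-
-COMMIT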
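--- a/cookbooks/firewall/templates/default/iptables-filter.erb
+++ b/cookbooks/firewall/templates/default/iptables-filter.erb
@@ -0,0 +1,34 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= node['firewall'] %>
+<%= render 'iptables-filter.erb' %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+*nat
+<%= render 'iptables-nat.erb' %>
+COMMIT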
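Review bot: Line 22, `<%= render 'iptables-filter.erb' %>`, names this template's own file; as far as I can tell Chef resolves partials through the same host/platform/default search path as templates, so on any node without a `host-<fqdn>/iptables-filter.erb` override the lookup lands back on this file and recurses until the stack is exhausted. `render 'iptables-nat.erb'` at line 33 has the mirror problem: the only `iptables-nat.erb` in this commit lives under `host-reverseproxy/`, so other hosts will fail to render unless a default exists among the changed files not shown here. Giving the per-host fragments distinct names (for example `host-filter-rules.erb` / `host-nat-rules.erb`) with empty counterparts under `templates/default/` removes both failure modes and makes the "override per host" intent visible in the file names. This hunk is the whole file.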
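--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -0,0 +1,9 @@
+
+# HTTP Ports
+-A INPUT -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Port redirect to gitlab host (integration)
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+# Real SSH connection
+-A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT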
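Review bot: The port-22 accept at line 6 is commented as the redirect to the gitlab host, but a connection that PREROUTING has DNAT'd to `integration` traverses FORWARD rather than INPUT, so as far as I can tell this INPUT rule only matters if something on the proxy itself still listens on 22; either the comment should say which case it covers or the rule can go. `<%= node['config']['alt_ssh_port'] %>` at line 9 is interpolated with no guard, so an unset value renders `--dport  -j ACCEPT` and `iptables-restore` rejects the whole file on the next restart. Lines 6 and 9 also drop the explicit `-m tcp` that every other rule in the set spells out; `-A INPUT -p tcp -m state --state NEW -m tcp --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT` keeps the style uniform. This hunk is the whole file.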
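--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-nat.erb
@@ -0,0 +1,6 @@
+
+# Forward reverseproxy:22 to integration:22 (required to enable git pushes over SSH)
+
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>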
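Review bot: The DNAT at line 4 hands port-22 traffic to `integration`, but the filter template added in this commit closes its FORWARD chain with `-A FORWARD -j LOG` / `-A FORWARD -j DROP` and has no FORWARD ACCEPT anywhere, so the forwarded SSH packets are dropped unless forwarding is permitted by something outside these files; `-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j ACCEPT` together with a RELATED,ESTABLISHED accept on FORWARD would belong in the reverseproxy filter partial. The SNAT at line 6 also makes every forwarded connection arrive at `integration` with the proxy's address as source, which hides the real client from `integration`'s logs and from its per-source rules — the environment rules file admits port 22 only from listed addresses plus 10.18.0.0/16, so if the proxy sits in that range the source restriction is effectively bypassed for anything reaching the proxy's port 22 (which its own filter partial accepts from anywhere). That trade-off deserves a comment next to the SNAT line, and a per-source restriction on the proxy's port-22 INPUT rule if the original allow-list is meant to still apply. This hunk is the whole file.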
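--- a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
@@ -1,10 +0,0 @@
-
-<% content_for :iptables_nat do %>
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-<% end %>
-
-<%= render 'development.erb' %>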