Commit ad74ff80ad44ac6a0430dcd9070772a6392bf576

Authored by Sergio Oliveira
1 parent 8052d0dc

Using content_for and yield to include firewall data

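--- a/cookbooks/firewall/templates/default/development.erb
+++ b/cookbooks/firewall/templates/default/development.erb
@@ -0,0 +1,35 @@
+
+<% content_for :iptables_filter do %>
+
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
+-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# UnB
+-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+# Sergio Oliveira
+-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+
+
+#i Antonio Terceiro
+-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
+
+
+-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT
+-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT
+-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT
+
+<% end %>
+
+<%= render 'firewall-common.erb' %>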
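Review bot: The allow-list hard-codes public and personal workstation addresses directly in the template, grouped under `# UnB`, `# Sergio Oliveira` and `#i Antonio Terceiro` (stray `i` in the last one), so every address change means editing the cookbook and re-converging every host that renders this partial. Driving these addresses from node attributes or a data bag and iterating over them in the template would keep the policy reviewable in one place; a header comment such as `# Inbound allow-list; update addresses here and re-converge all hosts` would at least tell a reader of the rendered file where the rules come from. Several Internet source addresses are also granted 5432 (PostgreSQL); if a host rendering this partial does not run the database, those rules are exposure without purpose, so scoping them per host, as host-reverseproxy/iptables.erb does for its NAT rules, would be cleaner.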
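--- a/cookbooks/firewall/templates/default/firewall-common.erb
+++ b/cookbooks/firewall/templates/default/firewall-common.erb
@@ -0,0 +1,37 @@
+
+### FILTER RULES ###
+
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
+-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
+-A INPUT -p icmp --icmp-type 4 -j ACCEPT
+-A INPUT -p icmp --icmp-type 11 -j ACCEPT
+-A INPUT -p icmp --icmp-type 12 -j ACCEPT
+
+-A INPUT -i lo -j ACCEPT
+
+<%= yield :iptables_filter %>
+
+-A INPUT -j LOG --log-prefix "Firewall INPUT: "
+-A INPUT -j DROP
+-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
+-A FORWARD -j DROP
+
+COMMIT
+
+
+### NAT Rules ###
+
+*nat
+
+<%= yield :iptables_nat %>
+
+COMMIT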
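Review bot: The filter table ends FORWARD with `-A FORWARD -j LOG` / `-A FORWARD -j DROP` and accepts nothing in FORWARD, so the port-22 DNAT added in cookbooks/firewall/templates/host-reverseproxy/iptables.erb will be dropped on the reverseproxy host: packets redirected to integration traverse FORWARD rather than INPUT, and the RELATED,ESTABLISHED accept here is only on INPUT (assuming ip_forward is on, which the DNAT needs anyway). The removed cookbooks/reverse_proxy/templates/iptables.erb carried no filter table, so this break is new with this commit. I would add `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` and a `<%= yield :iptables_forward %>` hook before the FORWARD log/drop pair, and let the reverseproxy template supply `-A FORWARD -d <%= node['peers']['integration'] %>/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT`. Separately, the two LOG rules are unrated, so a scan or flood writes one log line per dropped packet; prefixing them with `-m limit --limit 5/min --limit-burst 10` keeps the log usable under load.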
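--- a/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables.erb
@@ -0,0 +1,10 @@
+
+<% content_for :iptables_nat do %>
+
+# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
+-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
+-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
+
+<% end %>
+
+<%= render 'development.erb' %>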
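Review bot: The POSTROUTING SNAT rule rewrites the source of every forwarded SSH connection to the reverseproxy address, so sshd on integration, and any auth logging or login-rate control there, will attribute all git pushes to that single peer instead of the real client. The PREROUTING DNAT also captures administrative SSH aimed at the reverseproxy's own address, so the `--dport 22` INPUT allowances in development.erb never match on this host unless it has a second address; the comment above the rules should say so. If integration's return route already goes via reverseproxy, the DNAT alone suffices and the SNAT rule can be dropped; otherwise extend the comment, e.g. `# SNAT hides the client address from integration; keep reverseproxy's conntrack/LOG for attribution`.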
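--- a/cookbooks/reverse_proxy/recipes/default.rb
+++ b/cookbooks/reverse_proxy/recipes/default.rb
@@ -1,16 +1,3 @@
-package 'iptables-services'
-
-service 'iptables' do
- action [:enable, :start]
- supports :restart => true
-end
-
-template '/etc/sysconfig/iptables' do
- owner 'root'
- group 'root'
- mode 0644
- notifies :restart, 'service[iptables]'
-end
 
 cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do
 owner 'root'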
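Review bot: With `package 'iptables-services'`, `service 'iptables'` and the `/etc/sysconfig/iptables` template removed here, loading the rendered rules now depends on `recipe[firewall]`, which roles/server.rb adds but whose recipe is not part of this commit. If that recipe does not install the package and declare `service 'iptables'` with `action [:enable, :start]` plus `notifies :restart, 'service[iptables]'` on its template, the new templates are written but never applied and the previous NAT-only rule set stays live until the next reload. It is also worth checking that the firewall recipe uses a tighter mode than the removed `mode 0644`, since the rendered file now lists the full set of administrator source addresses and need not be world-readable. The rest of this recipe continues past the hunk.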
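--- a/cookbooks/reverse_proxy/templates/iptables.erb
+++ b/cookbooks/reverse_proxy/templates/iptables.erb
@@ -1,7 +0,0 @@
-*nat
-
-# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH
--A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22
--A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %>
-
-COMMIT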
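--- a/firewall/templates/default/firewall-common.erb
+++ b/firewall/templates/default/firewall-common.erb
@@ -1 +0,0 @@
-bla bla bla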
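--- a/firewall/templates/host-database/iptables.erb
+++ b/firewall/templates/host-database/iptables.erb
@@ -1,3 +0,0 @@
-<%= render 'firewall-common.erb' %>
-
-# regra specificas ...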
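--- a/roles/server.rb
+++ b/roles/server.rb
@@ -1,3 +1,3 @@
 name 'server'
 description 'Common configuration for all servers'
-run_list 'recipe[basics]', 'recipe[email::client]'
+run_list 'recipe[basics]', 'recipe[firewall]', 'recipe[email::client]'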