Commit ad74ff80ad44ac6a0430dcd9070772a6392bf576
1 parent
8052d0dc
Exists in
master
and in
36 other branches
Using content_dor and yield to include firewall data
Showing
8 changed files
with
83 additions
and
25 deletions
Show diff stats
| ... | ... | @@ -0,0 +1,35 @@ |
| 1 | + | |
| 2 | +<% content_for :iptables_filter do %> | |
| 3 | + | |
| 4 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT | |
| 5 | +-A INPUT -s 200.198.196.192/26 -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT | |
| 6 | +-A INPUT -s 200.198.196.192/26 -p icmp --icmp-type 8 -j ACCEPT | |
| 7 | +-A INPUT -s 200.198.196.201/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 8 | +-A INPUT -s 200.198.196.206/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT | |
| 9 | + | |
| 10 | +-A INPUT -s 189.9.150.85/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 11 | + | |
| 12 | + | |
| 13 | +# UnB | |
| 14 | +-A INPUT -s 164.41.86.12/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
| 15 | +-A INPUT -s 164.41.9.36/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 16 | + | |
| 17 | + | |
| 18 | +# Sergio Oliveira | |
| 19 | +-A INPUT -s 179.111.229.232/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 20 | +-A INPUT -s 189.5.248.31/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 21 | + | |
| 22 | + | |
| 23 | +#i Antonio Terceiro | |
| 24 | +-A INPUT -s 198.58.116.17/32 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 25 | +-A INPUT -s 189.4.54.241/32 -p tcp -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT | |
| 26 | + | |
| 27 | + | |
| 28 | +-A INPUT -s 10.18.0.0/16 -p tcp -m state --state NEW -m multiport --dports 22,80,5432 -j ACCEPT | |
| 29 | +-A INPUT -s 10.18.0.0/16 -p icmp --icmp-type 8 -j ACCEPT | |
| 30 | +-A INPUT -s 189.9.137.239/32 -p tcp -m state --state NEW -m tcp --dport 10050 -j ACCEPT | |
| 31 | +-A INPUT -s 189.9.137.239/32 -p icmp --icmp-type 8 -j ACCEPT | |
| 32 | + | |
| 33 | +<% end %> | |
| 34 | + | |
| 35 | +<%= render 'firewall-common.erb' %> | ... | ... |
cookbooks/firewall/templates/default/firewall-common.erb
0 → 100644
| ... | ... | @@ -0,0 +1,37 @@ |
| 1 | + | |
| 2 | +### FILTER RULES ### | |
| 3 | + | |
| 4 | +*filter | |
| 5 | + | |
| 6 | +:INPUT ACCEPT [0:0] | |
| 7 | +:FORWARD ACCEPT [0:0] | |
| 8 | +:OUTPUT ACCEPT [0:0] | |
| 9 | + | |
| 10 | +-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |
| 11 | + | |
| 12 | +-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT | |
| 13 | +-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT | |
| 14 | +-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT | |
| 15 | +-A INPUT -p icmp --icmp-type 4 -j ACCEPT | |
| 16 | +-A INPUT -p icmp --icmp-type 11 -j ACCEPT | |
| 17 | +-A INPUT -p icmp --icmp-type 12 -j ACCEPT | |
| 18 | + | |
| 19 | +-A INPUT -i lo -j ACCEPT | |
| 20 | + | |
| 21 | +<%= yield :iptables_filter %> | |
| 22 | + | |
| 23 | +-A INPUT -j LOG --log-prefix "Firewall INPUT: " | |
| 24 | +-A INPUT -j DROP | |
| 25 | +-A FORWARD -j LOG --log-prefix "Firewall FORWARD: " | |
| 26 | +-A FORWARD -j DROP | |
| 27 | + | |
| 28 | +COMMIT | |
| 29 | + | |
| 30 | + | |
| 31 | +### NAT Rules ### | |
| 32 | + | |
| 33 | +*nat | |
| 34 | + | |
| 35 | +<%= yield :iptables_nat %> | |
| 36 | + | |
| 37 | +COMMIT | ... | ... |
cookbooks/firewall/templates/host-reverseproxy/iptables.erb
0 → 100644
| ... | ... | @@ -0,0 +1,10 @@ |
| 1 | + | |
| 2 | +<% content_for :iptables_nat do %> | |
| 3 | + | |
| 4 | +# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH | |
| 5 | +-A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22 | |
| 6 | +-A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %> | |
| 7 | + | |
| 8 | +<% end %> | |
| 9 | + | |
| 10 | +<%= render 'development.erb' %> | ... | ... |
cookbooks/reverse_proxy/recipes/default.rb
| 1 | -package 'iptables-services' | |
| 2 | - | |
| 3 | -service 'iptables' do | |
| 4 | - action [:enable, :start] | |
| 5 | - supports :restart => true | |
| 6 | -end | |
| 7 | - | |
| 8 | -template '/etc/sysconfig/iptables' do | |
| 9 | - owner 'root' | |
| 10 | - group 'root' | |
| 11 | - mode 0644 | |
| 12 | - notifies :restart, 'service[iptables]' | |
| 13 | -end | |
| 14 | 1 | |
| 15 | 2 | cookbook_file "/etc/nginx/#{node['config']['external_hostname']}.crt" do |
| 16 | 3 | owner 'root' | ... | ... |
cookbooks/reverse_proxy/templates/iptables.erb
| ... | ... | @@ -1,7 +0,0 @@ |
| 1 | -*nat | |
| 2 | - | |
| 3 | -# Forward reverseproxy:22 to integration:22. Required to enable git pushes over SSH | |
| 4 | --A PREROUTING -d <%= node['peers']['reverseproxy'] %>/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination <%= node['peers']['integration'] %>:22 | |
| 5 | --A POSTROUTING -d <%= node['peers']['integration'] %>/32 -p tcp -m tcp --dport 22 -j SNAT --to-source <%= node['peers']['reverseproxy'] %> | |
| 6 | - | |
| 7 | -COMMIT |
firewall/templates/default/firewall-common.erb
| ... | ... | @@ -1 +0,0 @@ |
| 1 | -bla bla bla |
firewall/templates/host-database/iptables.erb
roles/server.rb