Commit da04baca47b7c5f431116a0c0e0051e002203b71
Exists in
master
and in
36 other branches
Merge branch 'fix_external_firewall' into 'master'
Fix external firewall The goal of this MR is to use the integration machine as SSH gateway (instead of ``reverseproxy``). See merge request !17
Showing
11 changed files
with
52 additions
and
20 deletions
Show diff stats
Rakefile
| ... | ... | @@ -114,13 +114,14 @@ $ALT_SSH_PORT = config.fetch('alt_ssh_port', 2222) |
| 114 | 114 | $nodes.find { |n| n.hostname == 'reverseproxy' }.data['ssh_port'] = $ALT_SSH_PORT |
| 115 | 115 | desc 'Makes configurations needed before the bootstrap phase' |
| 116 | 116 | task :preconfig => ssh_config_file do |
| 117 | + sh 'mkdir', '-p', 'tmp/' | |
| 117 | 118 | preconfig_file = "tmp/preconfig.#{$SPB_ENV}.stamp" |
| 118 | 119 | if File.exist?(preconfig_file) |
| 119 | 120 | puts "I: preconfig already done." |
| 120 | 121 | puts "I: delete #{preconfig_file} to force running again" |
| 121 | 122 | else |
| 122 | 123 | sh 'scp', '-F', ssh_config_file, 'utils/reverseproxy_ssh_setup', 'reverseproxy.unconfigured:/tmp' |
| 123 | - sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s | |
| 124 | + sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s, ips['reverseproxy'], ips['integration'] | |
| 124 | 125 | |
| 125 | 126 | File.open(preconfig_file, 'w') do |f| |
| 126 | 127 | f.puts($ALT_SSH_PORT) | ... | ... |
config/dev/ssh_config
| 1 | 1 | Host * |
| 2 | 2 | ForwardAgent yes |
| 3 | 3 | |
| 4 | -Host reverseproxy | |
| 4 | +Host reverseproxy.unconfigured | |
| 5 | 5 | Hostname 189.9.151.16 |
| 6 | 6 | User spb |
| 7 | 7 | |
| 8 | +Host reverseproxy | |
| 9 | + Hostname 10.18.0.15 | |
| 10 | + User spb | |
| 11 | + Port 5555 | |
| 12 | + ProxyCommand ssh spb@189.9.151.16 -p 22 nc %h 5555 | |
| 13 | + | |
| 8 | 14 | Host database |
| 9 | 15 | Hostname 10.18.0.16 |
| 10 | 16 | User spb |
| ... | ... | @@ -24,7 +30,6 @@ Host email |
| 24 | 30 | ProxyCommand ssh spb@189.9.151.16 nc %h %p |
| 25 | 31 | |
| 26 | 32 | Host integration |
| 27 | - Hostname 10.18.0.19 | |
| 33 | + Hostname 189.9.151.16 | |
| 28 | 34 | User spb |
| 29 | - # connect via reverseproxy host | |
| 30 | - ProxyCommand ssh spb@189.9.151.16 nc %h %p | |
| 35 | + # Porta 22 de 189.9.151.16 cai aqui entao nao precisa de ProxyCommand | ... | ... |
config/homologa/config.yaml
| ... | ... | @@ -3,6 +3,7 @@ admins: |
| 3 | 3 | - ["Marisa Souza dos Santos", "marisa.santos@planejamento.gov.br"] |
| 4 | 4 | external_hostname: homologa.softwarepublico.gov.br |
| 5 | 5 | external_ip: 189.9.151.65 |
| 6 | +alt_ssh_port: 55555 | |
| 6 | 7 | site_url: https://homologa.softwarepublico.gov.br |
| 7 | 8 | colab_from_address: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' |
| 8 | 9 | server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>' | ... | ... |
config/homologa/ssh_config
| ... | ... | @@ -8,8 +8,9 @@ Host reverseproxy.unconfigured |
| 8 | 8 | Host reverseproxy |
| 9 | 9 | Hostname 10.0.13.2 |
| 10 | 10 | User spb |
| 11 | + Port 55555 | |
| 11 | 12 | # connect via reverseproxy host |
| 12 | - ProxyCommand ssh spb@189.9.151.65 nc %h %p | |
| 13 | + ProxyCommand ssh spb@189.9.151.65 -p 22 nc %h 55555 | |
| 13 | 14 | |
| 14 | 15 | Host database |
| 15 | 16 | Hostname 10.0.13.6 |
| ... | ... | @@ -30,6 +31,6 @@ Host email |
| 30 | 31 | ProxyCommand ssh spb@189.9.151.65 nc %h %p |
| 31 | 32 | |
| 32 | 33 | Host integration |
| 33 | - Hostname 10.0.13.7 | |
| 34 | + Hostname 189.9.151.65 | |
| 34 | 35 | User spb |
| 35 | 36 | # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand | ... | ... |
config/local/iptables-filter-rules
config/production/ssh_config
| ... | ... | @@ -2,32 +2,27 @@ Host * |
| 2 | 2 | ForwardAgent yes |
| 3 | 3 | |
| 4 | 4 | Host reverseproxy |
| 5 | - Hostname 164.41.9.49 | |
| 5 | + Hostname 10.10.40.49 | |
| 6 | 6 | Port 55555 |
| 7 | + ProxyCommand ssh 164.41.9.49 -p 22 nc %h 55555 | |
| 7 | 8 | |
| 8 | 9 | Host reverseproxy.unconfigured |
| 9 | 10 | Hostname 164.41.9.49 |
| 10 | 11 | |
| 12 | +Host integration | |
| 13 | + Hostname 164.41.9.49 | |
| 14 | + | |
| 11 | 15 | Host database |
| 12 | 16 | Hostname 10.10.40.47 |
| 13 | - Port 55555 | |
| 14 | 17 | # connect via reverseproxy host |
| 15 | 18 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 |
| 16 | 19 | |
| 17 | 20 | Host social |
| 18 | 21 | Hostname 10.10.40.46 |
| 19 | - Port 55555 | |
| 20 | 22 | # connect via reverseproxy host |
| 21 | 23 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 |
| 22 | 24 | |
| 23 | 25 | Host email |
| 24 | 26 | Hostname 10.10.40.48 |
| 25 | - Port 55555 | |
| 26 | - # connect via reverseproxy host | |
| 27 | - ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | |
| 28 | - | |
| 29 | -Host integration | |
| 30 | - Hostname 10.10.40.45 | |
| 31 | - Port 55555 | |
| 32 | 27 | # connect via reverseproxy host |
| 33 | 28 | ProxyCommand ssh 164.41.9.49 -p %p nc %h 22 | ... | ... |
cookbooks/basics/recipes/default.rb
| ... | ... | @@ -73,7 +73,17 @@ if node['platform'] == 'centos' |
| 73 | 73 | end |
| 74 | 74 | end |
| 75 | 75 | |
| 76 | +# reload node[:fqdn] to make sure it reflects the contents of /etc/hosts | |
| 77 | +# without that the variable :fqdn would not be available on first run | |
| 78 | +ruby_block 'fqdn:update' do | |
| 79 | + block do | |
| 80 | + node.default[:fqdn] = `hostname --fqdn`.strip | |
| 81 | + end | |
| 82 | + action :nothing | |
| 83 | +end | |
| 84 | + | |
| 76 | 85 | template '/etc/hosts' do |
| 77 | 86 | owner 'root' |
| 78 | 87 | mode 0644 |
| 88 | + notifies :run, 'ruby_block[fqdn:update]', :immediately | |
| 79 | 89 | end | ... | ... |
cookbooks/firewall/templates/default/iptables.erb
| ... | ... | @@ -18,8 +18,8 @@ |
| 18 | 18 | |
| 19 | 19 | -A INPUT -i lo -j ACCEPT |
| 20 | 20 | |
| 21 | -# Everybody need to accept SSH from reverseproxy | |
| 22 | --A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| 21 | +# Everybody need to accept SSH from integration | |
| 22 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | |
| 23 | 23 | |
| 24 | 24 | <%= node['firewall'] %> |
| 25 | 25 | <%= render 'iptables-filter.erb' %> | ... | ... |
cookbooks/firewall/templates/host-integration/iptables-filter.erb
| 1 | 1 | |
| 2 | +# Allow SMTP connections | |
| 3 | +-A INPUT -s <%= node['peers']['email'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT | |
| 4 | + | |
| 2 | 5 | # Allow HTTP access |
| 3 | 6 | -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT |
| 7 | + | |
| 8 | +# Allow SSH connections redirected from integration | |
| 9 | +-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT | ... | ... |
cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
| ... | ... | @@ -6,4 +6,8 @@ |
| 6 | 6 | -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT |
| 7 | 7 | |
| 8 | 8 | # Real SSH connection |
| 9 | --A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT | |
| 9 | +-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT | |
| 10 | + | |
| 11 | +# Allow forwarding to integration on port 22 | |
| 12 | +-A FORWARD -p tcp -d <%= node['peers']['integration'] %> --dport 22 -j ACCEPT | |
| 13 | +-A FORWARD -s <%= node['peers']['integration'] %> -p tcp --sport 22 -j ACCEPT | ... | ... |
utils/reverseproxy_ssh_setup
| 1 | 1 | #!/bin/sh |
| 2 | 2 | |
| 3 | 3 | set -e |
| 4 | +set -x | |
| 4 | 5 | |
| 5 | 6 | port="$1" |
| 7 | +reverseproxy_ip="$2" | |
| 8 | +integration_ip="$3" | |
| 6 | 9 | |
| 7 | 10 | # switch SSH to port $port |
| 8 | 11 | sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config |
| ... | ... | @@ -23,3 +26,8 @@ fi |
| 23 | 26 | |
| 24 | 27 | # Restart SSH |
| 25 | 28 | systemctl restart sshd |
| 29 | + | |
| 30 | +# Setup port redirect | |
| 31 | +iptables -t nat -A PREROUTING -d $reverseproxy_ip/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination $integration_ip:22 | |
| 32 | +iptables -t nat -A POSTROUTING -d $integration_ip/32 -p tcp -m tcp --dport 22 -j SNAT --to-source $reverseproxy_ip | |
| 33 | +sysctl -w net.ipv4.ip_forward=1 | ... | ... |