Commit da04baca47b7c5f431116a0c0e0051e002203b71
Merge branch 'fix_external_firewall' into 'master'
Fix external firewall. The goal of this MR is to use the integration machine as the SSH gateway (instead of ``reverseproxy``). See merge request !17
Showing
11 changed files
with
52 additions
and
20 deletions
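--- a/Rakefile
+++ b/Rakefile
@@ -114,13 +114,14 @@ $ALT_SSH_PORT = config.fetch('alt_ssh_port', 2222)
 $nodes.find { |n| n.hostname == 'reverseproxy' }.data['ssh_port'] = $ALT_SSH_PORT
 desc 'Makes configurations needed before the bootstrap phase'
 task :preconfig => ssh_config_file do
+ sh 'mkdir', '-p', 'tmp/'
 preconfig_file = "tmp/preconfig.#{$SPB_ENV}.stamp"
 if File.exist?(preconfig_file)
 puts "I: preconfig already done."
 puts "I: delete #{preconfig_file} to force running again"
 else
 sh 'scp', '-F', ssh_config_file, 'utils/reverseproxy_ssh_setup', 'reverseproxy.unconfigured:/tmp'
- sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s
+ sh 'ssh', '-F', ssh_config_file, 'reverseproxy.unconfigured', 'sudo', '/tmp/reverseproxy_ssh_setup', $ALT_SSH_PORT.to_s, ips['reverseproxy'], ips['integration']
 
 File.open(preconfig_file, 'w') do |f|
 f.puts($ALT_SSH_PORT)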
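Review bot: The added `sh 'mkdir', '-p', 'tmp/'` shells out for something Rake already provides; `mkdir_p 'tmp'` (FileUtils is mixed into every Rakefile) does the same without spawning a process and reports failures as Ruby exceptions. The new positional arguments `ips['reverseproxy']` and `ips['integration']` are handed to the remote script unchecked; `ips` is defined outside the hunk, and if either lookup returns nil `sh` raises a TypeError that does not say which host is missing, so a guard such as `raise "missing IP for reverseproxy or integration" unless ips['reverseproxy'] && ips['integration']` before the ssh call would make the failure actionable. The `task :preconfig` block continues past the end of the hunk.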
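--- a/config/dev/ssh_config
+++ b/config/dev/ssh_config
@@ -1,10 +1,16 @@
 Host *
 ForwardAgent yes
 
-Host reverseproxy
+Host reverseproxy.unconfigured
 Hostname 189.9.151.16
 User spb
 
+Host reverseproxy
+ Hostname 10.18.0.15
+ User spb
+ Port 5555
+ ProxyCommand ssh spb@189.9.151.16 -p 22 nc %h 5555
+
 Host database
 Hostname 10.18.0.16
 User spb
@@ -24,7 +30,6 @@ Host email
 ProxyCommand ssh spb@189.9.151.16 nc %h %p
 
 Host integration
- Hostname 10.18.0.19
+ Hostname 189.9.151.16
 User spb
- # connect via reverseproxy host
- ProxyCommand ssh spb@189.9.151.16 nc %h %p
+ # Porta 22 de 189.9.151.16 cai aqui entao nao precisa de ProxyCommand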
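Review bot: The new `reverseproxy` entry sets `Port 5555` and then repeats the number in `ProxyCommand ssh spb@189.9.151.16 -p 22 nc %h 5555`; `ProxyCommand ssh spb@189.9.151.16 -p 22 nc %h %p` keeps the alternate port in one place so a later change to `Port` cannot silently diverge from the jump command. The same duplication is in config/homologa/ssh_config (`nc %h 55555`) and config/production/ssh_config. With this layout both `integration` and `reverseproxy.unconfigured` point at port 22 of 189.9.151.16, which after the NAT setup lands on integration, so integration's sshd becomes the only path to every internal host; a comment on the `Host reverseproxy` block saying so would tell operators what to fix first if the gateway is down.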
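--- a/config/homologa/config.yaml
+++ b/config/homologa/config.yaml
@@ -3,6 +3,7 @@ admins:
 - ["Marisa Souza dos Santos", "marisa.santos@planejamento.gov.br"]
 external_hostname: homologa.softwarepublico.gov.br
 external_ip: 189.9.151.65
+alt_ssh_port: 55555
 site_url: https://homologa.softwarepublico.gov.br
 colab_from_address: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>'
 server_email: '"Portal do Software Publico (homologação)" <noreply@homologa.softwarepublico.gov.br>'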
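--- a/config/homologa/ssh_config
+++ b/config/homologa/ssh_config
@@ -8,8 +8,9 @@ Host reverseproxy.unconfigured
 Host reverseproxy
 Hostname 10.0.13.2
 User spb
+ Port 55555
 # connect via reverseproxy host
- ProxyCommand ssh spb@189.9.151.65 nc %h %p
+ ProxyCommand ssh spb@189.9.151.65 -p 22 nc %h 55555
 
 Host database
 Hostname 10.0.13.6
@@ -30,6 +31,6 @@ Host email
 ProxyCommand ssh spb@189.9.151.65 nc %h %p
 
 Host integration
- Hostname 10.0.13.7
+ Hostname 189.9.151.65
 User spb
 # Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand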
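Review bot: The `integration` block keeps the Portuguese comment `# Porta 22 de 189.9.151.65 cai aqui entao nao precisa de ProxyCommand` while the neighbouring comments (`# connect via reverseproxy host`) are in English; for consistency it should read `# port 22 on 189.9.151.65 is integration itself, so no ProxyCommand is needed`. The same comment is added to config/dev/ssh_config. The unchanged comment above the new `ProxyCommand` still says "connect via reverseproxy host" although the jump host is now integration (port 22 of 189.9.151.65), so it should be updated to `# connect via integration host` in the same hunk.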
config/local/iptables-filter-rules
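--- a/config/production/ssh_config
+++ b/config/production/ssh_config
@@ -2,32 +2,27 @@ Host *
 ForwardAgent yes
 
 Host reverseproxy
- Hostname 164.41.9.49
+ Hostname 10.10.40.49
 Port 55555
+ ProxyCommand ssh 164.41.9.49 -p 22 nc %h 55555
 
 Host reverseproxy.unconfigured
 Hostname 164.41.9.49
 
+Host integration
+ Hostname 164.41.9.49
+
 Host database
 Hostname 10.10.40.47
- Port 55555
 # connect via reverseproxy host
 ProxyCommand ssh 164.41.9.49 -p %p nc %h 22
 
 Host social
 Hostname 10.10.40.46
- Port 55555
 # connect via reverseproxy host
 ProxyCommand ssh 164.41.9.49 -p %p nc %h 22
 
 Host email
 Hostname 10.10.40.48
- Port 55555
- # connect via reverseproxy host
- ProxyCommand ssh 164.41.9.49 -p %p nc %h 22
-
-Host integration
- Hostname 10.10.40.45
- Port 55555
 # connect via reverseproxy host
 ProxyCommand ssh 164.41.9.49 -p %p nc %h 22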
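Review bot: After dropping `Port 55555` from `database`, `social` and `email`, their unchanged `ProxyCommand ssh 164.41.9.49 -p %p nc %h 22` now means "connect to the jump host on the target's port", which is 22 only because no `Port` is set; adding a `Port` to any of these hosts later would silently break the jump. Writing it as `ProxyCommand ssh 164.41.9.49 -p 22 nc %h %p` states the intent directly and matches the form used for `reverseproxy` in this hunk. The new `Host integration` block has no `ProxyCommand`, which is correct only once the DNAT rule from utils/reverseproxy_ssh_setup is active on reverseproxy; a short comment saying so would help whoever bootstraps the environment from scratch, and the `# connect via reverseproxy host` comments are now inaccurate since the jump goes through integration.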
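--- a/cookbooks/basics/recipes/default.rb
+++ b/cookbooks/basics/recipes/default.rb
@@ -73,7 +73,17 @@ if node['platform'] == 'centos'
 end
 end
 
+# reload node[:fqdn] to make sure it reflects the contents of /etc/hosts
+# without that the variable :fqdn would not be available on first run
+ruby_block 'fqdn:update' do
+ block do
+ node.default[:fqdn] = `hostname --fqdn`.strip
+ end
+ action :nothing
+end
+
 template '/etc/hosts' do
 owner 'root'
 mode 0644
+ notifies :run, 'ruby_block[fqdn:update]', :immediately
 end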
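Review bot: `node.default[:fqdn] = `hostname --fqdn`.strip` ignores the command's exit status; if `hostname --fqdn` fails (for example while /etc/hosts is still inconsistent) the backtick returns an empty string and `node[:fqdn]` is silently set to `""`. Chef's `node.default[:fqdn] = shell_out!('hostname', '--fqdn').stdout.strip` raises on failure instead of letting the run continue with a bogus FQDN. Ohai populates `fqdn` at the automatic level, which takes precedence over `default`; presumably the assignment only works because the attribute is absent on first run, so a comment stating that assumption (or using `node.automatic[:fqdn]`) would avoid surprises — verify before changing. Both the `ruby_block` and the `template` resource are fully inside the hunk.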
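--- a/cookbooks/firewall/templates/default/iptables.erb
+++ b/cookbooks/firewall/templates/default/iptables.erb
@@ -18,8 +18,8 @@
 
 -A INPUT -i lo -j ACCEPT
 
-# Everybody need to accept SSH from reverseproxy
--A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
+# Everybody need to accept SSH from integration
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
 <%= node['firewall'] %>
 <%= render 'iptables-filter.erb' %>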
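Review bot: The comment `# Everybody need to accept SSH from integration` should read `# Every host must accept SSH from integration, the SSH gateway`; it is the only place in the template that explains why `node['peers']['integration']` is special, so it should be precise. On the integration node itself this rule matches its own address, while the external SSH traffic it actually receives arrives SNATed with reverseproxy's address and is allowed separately in cookbooks/firewall/templates/host-integration/iptables-filter.erb; a one-line pointer here would tie the two rules together for the next reader. The rest of the template lies outside the hunk.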
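--- a/cookbooks/firewall/templates/host-integration/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-integration/iptables-filter.erb
@@ -1,3 +1,9 @@
 
+# Allow SMTP connections
+-A INPUT -s <%= node['peers']['email'] %> -p tcp -m state --state NEW --dport 25 -j ACCEPT
+
 # Allow HTTP access
 -A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW -m multiport --dports 80,443 -j ACCEPT
+
+# Allow SSH connections redirected from integration
+-A INPUT -s <%= node['peers']['reverseproxy'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT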
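Review bot: The comment `# Allow SSH connections redirected from integration` describes the flow backwards: reverseproxy DNATs its external port 22 to integration and SNATs the source to its own address, so these connections arrive from reverseproxy; `# Allow SSH connections that reverseproxy DNATs from its external port 22 (source is reverseproxy after SNAT)` matches the rule. Because of that SNAT, integration's sshd logs will record reverseproxy's address for every external login and the real client address is visible only in reverseproxy's conntrack/NAT state, which is worth noting in the comment for whoever reads auth logs during an incident. This rule makes integration the internet-facing SSH endpoint, so its sshd configuration should be reviewed for that role; that configuration is not part of this change.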
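--- a/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
+++ b/cookbooks/firewall/templates/host-reverseproxy/iptables-filter.erb
@@ -6,4 +6,8 @@
 -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
 
 # Real SSH connection
--A INPUT -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
+-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport <%= node['config']['alt_ssh_port'] %> -j ACCEPT
+
+# Allow forwarding to integration on port 22
+-A FORWARD -p tcp -d <%= node['peers']['integration'] %> --dport 22 -j ACCEPT
+-A FORWARD -s <%= node['peers']['integration'] %> -p tcp --sport 22 -j ACCEPT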
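Review bot: The return-path rule `-A FORWARD -s <%= node['peers']['integration'] %> -p tcp --sport 22 -j ACCEPT` accepts any forwarded packet whose source port is 22, not only replies to the DNATed sessions; `-A FORWARD -s <%= node['peers']['integration'] %> -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT` limits it to existing connections and matches the `-m state` style of the INPUT rules above. The unrestricted `--dport 22` INPUT rule kept as context on line 6 now coexists with an alternate port limited to integration, which is consistent with the PREROUTING DNAT consuming port 22, but a comment stating that is why the two rules differ would help. The chain's default policy is set outside the hunk, so the effect of these rules depends on it.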
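--- a/utils/reverseproxy_ssh_setup
+++ b/utils/reverseproxy_ssh_setup
@@ -1,8 +1,11 @@
 #!/bin/sh
 
 set -e
+set -x
 
 port="$1"
+reverseproxy_ip="$2"
+integration_ip="$3"
 
 # switch SSH to port $port
 sed -i -e 's/^#\?\s*Port\s*[0-9]\+\s*$/Port '$port'/g' /etc/ssh/sshd_config
@@ -23,3 +26,8 @@ fi
 
 # Restart SSH
 systemctl restart sshd
+
+# Setup port redirect
+iptables -t nat -A PREROUTING -d $reverseproxy_ip/32 -p tcp -m tcp --dport 22 -j DNAT --to-destination $integration_ip:22
+iptables -t nat -A POSTROUTING -d $integration_ip/32 -p tcp -m tcp --dport 22 -j SNAT --to-source $reverseproxy_ip
+sysctl -w net.ipv4.ip_forward=1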
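Review bot: The NAT rules run after `systemctl restart sshd` with `$reverseproxy_ip` and `$integration_ip` never validated; if `$2` or `$3` is empty, `-d /32` makes iptables fail and `set -e` aborts with sshd already moved to `$port` but no redirect in place. Checking the arguments before the first change, `[ -n "$port" ] && [ -n "$reverseproxy_ip" ] && [ -n "$integration_ip" ] || { echo "usage: $0 port reverseproxy_ip integration_ip" >&2; exit 1; }`, fails before anything is modified. The `-A` rules are appended on every run, so re-running the script (the Rakefile's stamp file is the only guard) duplicates them, and neither the nat table nor `sysctl -w net.ipv4.ip_forward=1` is persisted here; presumably the firewall cookbook is expected to re-create them after a reboot, which deserves a comment. The SNAT rule also replaces the client address with `$reverseproxy_ip`, so integration's sshd sees every external login as coming from reverseproxy and the original source survives only in this host's conntrack table.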