diff --git a/deploy-os_servers.yml b/deploy-os_servers.yml index ef89a6748..fccda4eee 100644 --- a/deploy-os_servers.yml +++ b/deploy-os_servers.yml @@ -85,6 +85,7 @@ # portip: 10.10.1.1 wait: true timeout: "{{ openstack_api_timeout }}" + when: false # # Jumphosts security group. # @@ -216,30 +217,45 @@ name: "{{ stack_prefix }}_irods" description: | Security group for iRODS machines. - Allows SSH inbound on ports 22 and 443. + Allows SSH and ICMP inbound from jumphosts. + Allows DAVRODS on port 443. Allows iRODS inbound on ports 1247 and 20000-20199. - Allows ICMP inbound. Allows all outbound traffic. wait: true timeout: "{{ openstack_api_timeout }}" when: groups['irods'] | default([]) | length >= 1 - - name: "Add rules to {{ stack_prefix }}_irods security group." + - name: "Add rules to {{ stack_prefix }}_irods security group: allow inbound traffic from {{ stack_prefix }}_jumphosts security group." openstack.cloud.security_group_rule: security_group: "{{ stack_prefix }}_irods" direction: ingress protocol: "{{ item.protocol }}" port_range_min: "{{ item.port_min }}" port_range_max: "{{ item.port_max }}" - remote_ip_prefix: 0.0.0.0/0 + remote_group: "{{ stack_prefix }}_jumphosts" wait: true timeout: "{{ openstack_api_timeout }}" with_items: - protocol: tcp port_min: 22 # SSH port_max: 22 # SSH + - protocol: icmp + port_min: -1 # ICMP protocol does not have any ports. + port_max: -1 # ICMP protocol does not have any ports. + when: groups['irods'] | default([]) | length >= 1 + - name: "Add rules to {{ stack_prefix }}_irods security group." + openstack.cloud.security_group_rule: + security_group: "{{ stack_prefix }}_irods" + direction: ingress + protocol: "{{ item.protocol }}" + port_range_min: "{{ item.port_min }}" + port_range_max: "{{ item.port_max }}" + remote_ip_prefix: 0.0.0.0/0 + wait: true + timeout: "{{ openstack_api_timeout }}" + with_items: - protocol: tcp - port_min: 443 # SSH - port_max: 443 # SSH + port_min: 443 # DAVRODS + port_max: 443 # DAVRODS - protocol: tcp port_min: 636 # LDAPS port_max: 636 # LDAPS @@ -252,9 +268,6 @@ - protocol: tcp port_min: 20000 # iRODS port_max: 20199 # iRODS - - protocol: icmp - port_min: -1 # ICMP protocol does not have any ports. - port_max: -1 # ICMP protocol does not have any ports. when: groups['irods'] | default([]) | length >= 1 - name: "Add rules to {{ stack_prefix }}_irods security group: allow inbound traffic from machines in the same security group." openstack.cloud.security_group_rule: diff --git a/group_vars/all/ip_addresses.yml b/group_vars/all/ip_addresses.yml index ed1edde53..900411c28 100644 --- a/group_vars/all/ip_addresses.yml +++ b/group_vars/all/ip_addresses.yml @@ -92,6 +92,10 @@ ip_addresses: address: '145.100.5.194' netmask: '/32' fqdn: 'ui.grid.sara.nl' + umcg-resc1: + address: '145.38.219.24' + netmask: '/32' + fqdn: 'umcg-resc1.irods.surfsara.nl' eriba: ds: address: '129.125.161.80' diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index f85ca7e3a..bdb0a090f 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -7,13 +7,6 @@ ssh_host_signer_key_types: '.*(rsa|ed25519).*' ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}{% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}" slurm_database_name: "{{ stack_prefix }}_slurm_accounting" ai_jumphost: "{{ lookup('env','AI_PROXY') }}" -# -# Configure allowed network ports for geerlingguy.firewall role -# -firewall_allowed_tcp_ports: - - '22' # SSH - - '9100' # Node Exporter - # # Local volume size (root partition) for all instances # diff --git a/group_vars/cluster.yml b/group_vars/cluster.yml index 5a2adf0b9..faae293fa 100644 --- a/group_vars/cluster.yml +++ b/group_vars/cluster.yml @@ -1,11 +1,3 @@ --- ansible_python_interpreter: /usr/bin/python2.7 -# -# Configure allowed network ports for geerlingguy.firewall role -# -firewall_allowed_tcp_ports: - - '22' # SSH - - '6817' # Slurm - - '6818' # Slurm - - '6819' # Slurm ... diff --git a/group_vars/data_transfer.yml b/group_vars/data_transfer.yml index 4bdb51ef2..3b68fec95 100644 --- a/group_vars/data_transfer.yml +++ b/group_vars/data_transfer.yml @@ -1,7 +1,10 @@ --- -firewall_allowed_tcp_ports: - - 22 # SSH. - - 443 # SSH. +iptables_allow_icmp_inbound: + - ANY +iptables_allow_https_inbound: + - ANY # On data_transfer servers port 443 is used for SSH too. +iptables_allow_ssh_inbound: + - ANY ssh_host_signer_hostnames: "{{ ansible_hostname }}\ {% for network_id in ip_addresses[ansible_hostname] %}\ {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and diff --git a/group_vars/docs.yml b/group_vars/docs.yml index a02d4acb6..7efdbdd0e 100644 --- a/group_vars/docs.yml +++ b/group_vars/docs.yml @@ -1,11 +1,32 @@ --- # -# Configure allowed network ports for geerlingguy.firewall role +# Firewall configuration. # -firewall_allowed_tcp_ports: - - '22' # SSH - - '80' # HTTP - - '443' # HTTPS +iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_inbound: + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_http_inbound: + - ANY +iptables_allow_https_inbound: + - ANY extra_jumphosts_for_docs_server: - 'airlock' # Gearshift - 'reception' # Talos diff --git a/group_vars/gearshift_cluster/ip_addresses.yml b/group_vars/gearshift_cluster/ip_addresses.yml index 4a2b864cc..f5d28b68d 100644 --- a/group_vars/gearshift_cluster/ip_addresses.yml +++ b/group_vars/gearshift_cluster/ip_addresses.yml @@ -4,7 +4,6 @@ ip_addresses: vlan983: address: 172.23.40.36 netmask: /32 - publicly_exposed: true # This internal IP is linked to a public (floating) IP. vlan16: address: 129.125.60.196 netmask: /32 diff --git a/group_vars/irods.yml b/group_vars/irods.yml index bb7a58fed..6017caa09 100644 --- a/group_vars/irods.yml +++ b/group_vars/irods.yml @@ -1,11 +1,19 @@ --- -firewall_allowed_tcp_ports: # list of open ports on iCAT server - - "22" # SSH. - - "443" # davrods SSL - - "1247" # irods - - "1248" # Control Plane Port - - "5432" # PostgreSQL - - "20000:20199" # irods +# +# Firewall configuration. +# +iptables_allow_icmp_inbound: + - ANY +iptables_allow_ssh_inbound: + - ANY +iptables_allow_ssh_outbound: + - ANY +iptables_allow_https_inbound: + - ANY # For DAVRODS. +iptables_allow_irods: + - ANY +iptables_allow_postgres_outbound: + - ANY ir_version: '-4.2.11*' # if defined (empty): version will be installed (must start with '-' and end with '*') ir_server_type: 'icat' # iRODS Server Type diff --git a/group_vars/jenkins.yml b/group_vars/jenkins.yml index eacc89a30..f9400386d 100644 --- a/group_vars/jenkins.yml +++ b/group_vars/jenkins.yml @@ -1,11 +1,39 @@ --- # -# Configure allowed network ports for geerlingguy.firewall role +# Firewall configuration. # -firewall_allowed_tcp_ports: - - '22' # SSH - - '80' # HTTP - - '443' # HTTPS +iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_inbound: + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" +iptables_allow_ssh_outbound: + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ talos_cluster.ip_addresses['reception']['vlan16'] }}" +iptables_allow_https_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" extra_jumphosts_for_jenkins_server: - 'airlock' # Gearshift - 'reception' # Talos diff --git a/group_vars/jumphost.yml b/group_vars/jumphost.yml index ca2447d54..9466a38fd 100644 --- a/group_vars/jumphost.yml +++ b/group_vars/jumphost.yml @@ -1,10 +1,12 @@ --- -firewall_allowed_tcp_ports: - - 22 # SSH. - - 443 # SSH fallback when 22 is blocked. - - 3000 # Grafana server. -firewall_additional_rules: - - "iptables -A INPUT -i eth1 -p tcp -s 129.125.2.233,129.125.2.225,129.125.2.226 --dport 9090 -j ACCEPT -m comment --comment 'prometheus server'" +iptables_allow_icmp_inbound: + - ANY +iptables_allow_https_inbound: + - ANY # Port 443 is used as fallback for SSH on jumphosts. Port 443 outbound is allowed by default. +iptables_allow_ssh_inbound: + - ANY +iptables_allow_ssh_outbound: + - ANY ssh_host_signer_hostnames: "{{ ansible_hostname }}\ {% for network_id in ip_addresses[ansible_hostname] %}\ {% if ip_addresses[ansible_hostname][network_id]['fqdn'] is defined and diff --git a/group_vars/talos_cluster/ip_addresses.yml b/group_vars/talos_cluster/ip_addresses.yml index 6c980c3c8..a99e99bfe 100644 --- a/group_vars/talos_cluster/ip_addresses.yml +++ b/group_vars/talos_cluster/ip_addresses.yml @@ -4,7 +4,6 @@ ip_addresses: vlan983: address: 172.23.40.100 netmask: /32 - publicly_exposed: true # This internal IP is linked to a public (floating) IP. vlan16: address: 129.125.60.18 netmask: /32 diff --git a/group_vars/talos_cluster/vars.yml b/group_vars/talos_cluster/vars.yml index 3a4c70b08..5ae6e8053 100644 --- a/group_vars/talos_cluster/vars.yml +++ b/group_vars/talos_cluster/vars.yml @@ -175,93 +175,4 @@ ega_fuse_client_mounts: cineca: '/groups/umcg-cineca/prm08/ega-fuse-client' solve_rd: '/groups/umcg-solve-rd/prm08/ega-fuse-client' ega_fuse_client_java_home: '/etc/alternatives/jre_11_openjdk' -iptables_allow_icmp_inbound: - - 'umcg_net1' - - 'umcg_net2' - - 'umcg_net3' - - 'rug_bwp_net' - - 'rug_operator' - - 'rug_gcc_cloud_net' - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'zinc_finger' - - 'coenzyme' - - 'passage' - - 'leucine_zipper' - - 'chaperone' - - 'airlock' - - 'jenkins1' - - 'jenkins2' -iptables_allow_ssh_inbound: - - 'umcg_net1' - - 'umcg_net2' - - 'umcg_net3' - - 'rug_bwp_net' - - 'rug_operator' - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'zinc_finger' - - 'coenzyme' - - 'passage' - - 'leucine_zipper' - - 'chaperone' - - 'airlock' - - 'jenkins1' - - 'jenkins2' -iptables_allow_ssh_outbound: - - 'foyer' - - 'boxy' - - 'bender' - - 'lobby' - - 'calculon' - - 'flexo' - - 'gate' - - 'peregrine' - - 'gattaca01' - - 'gattaca02' - - 'cher_ami' - - 'eriba_ds' - - 'molgenis_downloads' - - 'airlock' - - 'surfsara_grid_ui' - - 'lumc_shark_ui' - - 'cnag_sftp' - - 'erasmus_mc_net' - - 'rug_f5_net' - - 'sanger_sftp' -iptables_allow_ebi_mysql_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' -iptables_allow_ftp_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' - - 'broad_ftp' - - 'ncbi_net1' - - 'ncbi_net2' -iptables_allow_aspera_outbound: - - 'ebi_sanger_net1' - - 'ebi_sanger_net2' - - 'broad_aspera_1' - - 'broad_aspera_2' - - 'broad_aspera_3' - - 'broad_aspera_4' - - 'broad_aspera_5' - - 'broad_aspera_6' - - 'broad_aspera_7' - - 'broad_aspera_8' - - 'broad_aspera_9' - - 'ncbi_net1' - - 'ncbi_net2' -iptables_allow_globus_outbound: - - 'sanger_globus' ... diff --git a/requirements.yml b/requirements.yml index 0dabc3da5..92ef86169 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,8 +3,6 @@ # --- roles: - - src: geerlingguy.firewall - version: 2.5.0 - src: geerlingguy.repo-epel version: 3.0.0 - src: geerlingguy.security diff --git a/roles/include_vars_from_other_groups/tasks/main.yml b/roles/include_vars_from_other_groups/tasks/main.yml index 089c7872e..d826439b7 100644 --- a/roles/include_vars_from_other_groups/tasks/main.yml +++ b/roles/include_vars_from_other_groups/tasks/main.yml @@ -7,6 +7,7 @@ register: ip_addresses_files_found delegate_to: localhost connection: local + run_once: true - name: Include ip_addresses per stack from ip_addresses.yml files. ansible.builtin.include_vars: @@ -16,10 +17,12 @@ register: included_ip_addresses delegate_to: localhost connection: local + run_once: true - name: Combine network info from ip_addresses per stack into one dict for all items from all stacks. ansible.builtin.set_fact: all_ip_addresses: "{{ included_ip_addresses.results | json_query('[].ansible_facts.*[].ip_addresses') | combine() }}" delegate_to: localhost connection: local + run_once: true ... diff --git a/roles/iptables/README.md b/roles/iptables/README.md index 62bde29e4..7d04c7174 100755 --- a/roles/iptables/README.md +++ b/roles/iptables/README.md @@ -1,95 +1,41 @@ -# Ansible Role: Firewall (iptables) +# Ansible Role: iptables -https://www.digitalocean.com/community/tutorials/how-to-migrate-from-firewalld-to-iptables-on-centos-7 - -[![Build Status](https://travis-ci.org/geerlingguy/ansible-role-firewall.svg?branch=master)](https://travis-ci.org/geerlingguy/ansible-role-firewall) - -Installs an iptables-based firewall for Linux. Supports both IPv4 (`iptables`) and IPv6 (`ip6tables`). - -This firewall aims for simplicity over complexity, and only opens a few specific ports for incoming traffic (configurable through Ansible variables). If you have a rudimentary knowledge of `iptables` and/or firewalls in general, this role should be a good starting point for a secure system firewall. - -After the role is run, a `firewall` init service will be available on the server. You can use `service firewall [start|stop|restart|status]` to control the firewall. - -## Requirements - -None. +This role configures host-based firewalls using iptables: both for IPv4 (`iptables`) and for IPv6 (`ip6tables`). +After deployment, `iptables` and `ip6tables` init services will be available on the server. +Use `service ip[6]tables [start|stop|restart|status]` to control the firewall. ## Role Variables -Available variables are listed below, along with default values (see `defaults/main.yml`): - - firewall_state: started - firewall_enabled_at_boot: true - -Controls the state of the firewall service; whether it should be running (`firewall_state`) and/or enabled on system boot (`firewall_enabled_at_boot`). - - firewall_allowed_tcp_ports: - - "22" - - "80" - ... - firewall_allowed_udp_ports: [] - -A list of TCP or UDP ports (respectively) to open to incoming traffic. - - firewall_forwarded_tcp_ports: - - { src: "22", dest: "2222" } - - { src: "80", dest: "8080" } - firewall_forwarded_udp_ports: [] - -Forward `src` port to `dest` port, either TCP or UDP (respectively). - - firewall_additional_rules: [] - firewall_ip6_additional_rules: [] - -Any additional (custom) rules to be added to the firewall (in the same format you would add them via command line, e.g. `iptables [rule]`/`ip6tables [rule]`). A few examples of how this could be used: - - # Allow only the IP 167.89.89.18 to access port 4949 (Munin). - firewall_additional_rules: - - "iptables -A INPUT -p tcp --dport 4949 -s 167.89.89.18 -j ACCEPT" - - # Allow only the IP 214.192.48.21 to access port 3306 (MySQL). - firewall_additional_rules: - - "iptables -A INPUT -p tcp --dport 3306 -s 214.192.48.21 -j ACCEPT" - -See [Iptables Essentials: Common Firewall Rules and Commands](https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands) for more examples. - - firewall_log_dropped_packets: true - -Whether to log dropped packets to syslog (messages will be prefixed with "Dropped by firewall: "). - - firewall_disable_firewalld: false - firewall_disable_ufw: false - -Set to `true` to disable firewalld (installed by default on RHEL/CentOS) or ufw (installed by default on Ubuntu), respectively. - -## Dependencies - -None. +See `defaults/main.yml`. All role variables are prefixed with` iptables_` -## Example Playbook +## Logic - - hosts: server - vars_files: - - vars/main.yml - roles: - - { role: geerlingguy.firewall } +#### IPv4 -*Inside `vars/main.yml`*: +We first create a list of IPv4 addresses used by a host and determine if these addresses are publicly exposed. +This role considers an IP _publicly exposed_ when it is - firewall_allowed_tcp_ports: - - "22" - - "25" - - "80" + * either a _public_ IP address + * or a private address and traffic from a _floating_, _public_ IP is routed to this private IP. -## TODO +Next we fetch the network interface names for all _publicly exposed_ IP addresses: - - Make outgoing ports more configurable. - - Make other firewall features (like logging) configurable. + * **internal** interfaces = those who do **not** use a _publicly exposed_ IP address. + * **external** interfaces = those who do use a _publicly exposed_ IP address. -## License +Finally we configure the IPv4 firewall to: -MIT / BSD + * **internal** interfaces (including loopback interfaces): Allow anything. + * **external** interfaces: + * Disable anything by default + * Allow specific services on specific ports to/from specific subnets. + * A subnet is specified with mask as [0-9].[0-9].[0-9].[0-9]/[0-9] and may contain one or more IP addresses. + E.g. 111.111.111.111/32 is the single machine 111.111.111.111 + and 111.111.111.0/24 is the range from 111.111.111.1 up to and including 111.111.111.254. + * Defaults for supported services for which this role can configure the firewall are listed in `defaults/main.yml`. -## Author Information +#### IPv6 -This role was created in 2014 by [Jeff Geerling](https://www.jeffgeerling.com/), author of [Ansible for DevOps](https://www.ansiblefordevops.com/). +We do not use IPv6 and configure the IPv6 firewall to: + * Allow anything over the loopback interface. + * Disable anything else over any other interface both internal and external. diff --git a/roles/iptables/defaults/main.yml b/roles/iptables/defaults/main.yml index c0739694f..fe3259bec 100755 --- a/roles/iptables/defaults/main.yml +++ b/roles/iptables/defaults/main.yml @@ -1,26 +1,64 @@ --- +kernel_network_tweaks: + - name: net.ipv4.conf.all.forwarding + value: 0 # Disable forwarding, which is only required on routers. + - name: net.ipv6.conf.all.forwarding + value: 0 # Disable forwarding, which is only required on routers. + - name: net.ipv4.conf.all.accept_redirects + value: 0 # Disable redirects, which are only required on routers. + - name: net.ipv6.conf.all.accept_redirects + value: 0 # Disable redirects, which are only required on routers. + - name: net.ipv4.tcp_syncookies # Confusing name, but applies to IP version 6 as well. + value: 1 # Prevent SYNC-floods. + - name: net.ipv4.icmp_echo_ignore_broadcasts + value: 1 # Limit response to ICMP packets. + - name: net.ipv4.icmp_ignore_bogus_error_responses + value: 1 # Limit response to ICMP packets. + - name: net.ipv4.conf.all.accept_source_route + value: 0 # Disable source routed packets, which should only be required for debugging network issues. + - name: net.ipv6.conf.all.accept_source_route + value: 0 # Disable source routed packets, which should only be required for debugging network issues. + - name: net.ipv4.conf.all.rp_filter + value: 1 # Enable IP spoofing protection. + - name: net.ipv4.conf.all.log_martians + value: 0 # Disable logging of spoofed, source routed and redirect packets to prevent flooding the logs. # # ICMP (only inbound; outbound ICMP is allowed without restrictions). -# -iptables_allow_icmp_inbound: [] +# +iptables_allow_icmp_inbound: + - ANY +# +# HTTP and HTTPS inbound. (HTTP and HTTPS always allowed by default to fetch packages from repos.) +# +iptables_allow_http_inbound: [] +iptables_allow_https_inbound: [] # # SSH. # -iptables_allow_ssh_inbound: [] +iptables_allow_ssh_inbound: + - ANY iptables_allow_ssh_outbound: [] # # Public MySQL databases @ EBI (only outbound). # iptables_allow_ebi_mysql_outbound: [] # +# PostgreSQL (only outbound). +# +iptables_allow_postgresql_outbound: [] +# # FTP (only outbound). # iptables_allow_ftp_outbound: [] # -# Aspera (only outbound). +# Aspera (only outbound). # iptables_allow_aspera_outbound: [] # +# iRODS: by definition both inbound and outbound. +# +iptables_allow_irods: [] +# # Globus ToolKit (only outbound). # iptables_allow_globus_outbound: [] @@ -29,8 +67,7 @@ iptables_allow_globus_outbound: [] # iptables_log_dropped_packets: false # -# Set to true to ensure other iptables management software is disabled. +# Set to true (default) to ensure other iptables management software is disabled. # -iptables_disable_firewalld: false -iptables_disable_ufw: false +iptables_disable_firewalld: true ... diff --git a/roles/iptables/handlers/main.yml b/roles/iptables/handlers/main.yml index 3c899bf12..9bc197d40 100755 --- a/roles/iptables/handlers/main.yml +++ b/roles/iptables/handlers/main.yml @@ -14,5 +14,5 @@ ansible.builtin.command: cmd: '/etc/sysconfig/iptables-init.bash' become: true - listen: initialize_iptables + listen: configure_iptables ... diff --git a/roles/iptables/meta/main.yml b/roles/iptables/meta/main.yml new file mode 100644 index 000000000..0b7ed2d93 --- /dev/null +++ b/roles/iptables/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: include_vars_from_other_groups +... diff --git a/roles/iptables/tasks/disable-other-firewalls.yml b/roles/iptables/tasks/disable-other-firewalls.yml index 29ae27419..e6a6eb9a7 100755 --- a/roles/iptables/tasks/disable-other-firewalls.yml +++ b/roles/iptables/tasks/disable-other-firewalls.yml @@ -1,34 +1,16 @@ --- -- name: Check if firewalld package is installed on RedHat. - ansible.builtin.shell: yum list installed firewalld - args: - warn: no - register: firewalld_installed - ignore_errors: true +- name: List installed packages. + ansible.builtin.yum: + list: installed + register: yum_list_installed changed_when: false - when: ansible_os_family == "RedHat" and firewall_disable_firewalld -- name: Disable the firewalld service on RedHat. - ansible.builtin.service: +- name: Disable the firewalld service if the firewalld package was installed. + ansible.builtin.systemd: name: firewalld state: stopped - enabled: no - when: ansible_os_family == "RedHat" and firewall_disable_firewalld and firewalld_installed.rc == 0 - -- name: Check if ufw package is installed (on Ubuntu). - ansible.builtin.shell: service ufw status - args: - warn: no - register: ufw_installed - ignore_errors: true - changed_when: false - when: ansible_distribution == "Ubuntu" and firewall_disable_ufw - notify: Disable ufw firewall. - -- name: Disable ufw firewall. - ansible.builtin.service: - name: ufw - state: stopped - enabled: no - when: ansible_distribution == "Ubuntu" and firewall_disable_ufw and ufw_installed.rc == 0 -... \ No newline at end of file + enabled: false + daemon_reload: true + when: yum_list_installed.results | selectattr('name', 'equalto', 'firewalld') | list | length > 0 + become: true +... diff --git a/roles/iptables/tasks/main.yml b/roles/iptables/tasks/main.yml index 39096646a..6b94b7975 100644 --- a/roles/iptables/tasks/main.yml +++ b/roles/iptables/tasks/main.yml @@ -1,128 +1,97 @@ -############################################################################################################################################### -# Query tests -#- name: 'List hostinfo 1.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | map(attribute='value.device') | list }}" -# -#- name: 'List hostinfo 2.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | json_query(_query) }}" -# vars: -# _query: "*.ipv4.address" -# -#- name: 'List hostinfo 3.' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | list }}" -# -#- name: 'List hostinfo 3.q' -# debug: -# msg: "allNetworkInterfaces: {{ ansible_facts | dict2items | selectattr('value.ipv4', 'defined') | list | json_query(_query) }}" -# vars: -# _query: '[].{Name: value.device, IPv4: value.ipv4, IPv6: value.ipv6, Type: value.type}' -############################################################################################################################################### - -# -# This role configures host-based firewalls using iptables. -# We first create a list of IPv4 addresses used by a host and determine if these addresses are public or private. -# Next we fetch the network interface names for the public and private addresses: -# * internal interfaces = those who use a private IPv4 address. -# * external interfaces = those who use a public IPv4 address. -# Finally we configure the IPv4 firewall to: -# * allow anything over the loopback interface. -# * allow anything over internal interfaces. -# * disable anything by default except for specific services on specific ports to/from specific subnets. -# A subnet is specified with mask as [0-9].[0-9].[0-9].[0-9]/[0-9] and may contain one or more IP addresses. -# E.g. 111.111.111.111/32 is the single machine 111.111.111.111 -# and 111.111.111.111/24 is the range from 111.111.111.1 up to and including 111.111.111.254. -# Finally we configure the IPv6 firewall to: -# * allow anything over the loopback interface. -# * disable anything else over any other interface both internal and external. -# - --- -#- name: 'Install iptables with yum.' -# yum: -# state: latest -# update_cache: yes -# name: -# - 'iptables' -# - 'iptables-services' -# #### ToDo: fail2ban -# notify: restart_iptables -# become: true +- name: Install iptables with yum. + ansible.builtin.yum: + state: latest + update_cache: true + name: + - 'iptables' + - 'iptables-services' + #### ToDo: fail2ban + notify: restart_iptables + become: true + +- name: Enable netfilter kernel module for FTP connection tracking. + ansible.builtin.lineinfile: + path: '/etc/sysconfig/iptables-config' + regexp: '^IPTABLES_MODULES=' + line: 'IPTABLES_MODULES="nf_conntrack_ftp"' + notify: + - restart_iptables + - configure_iptables + become: true -#- name: 'Enable netfilter kernel module for FTP connection tracking.' -# lineinfile: -# path: '/etc/sysconfig/iptables-config' -# regexp: '^IPTABLES_MODULES=' -# line: 'IPTABLES_MODULES="nf_conntrack_ftp"' -# notify: -# - restart_iptables -# - reconfigure_iptables -# become: true +- name: Add kernel network tweaks to /etc/sysctl.d/60-ansible-managed-network.conf. + ansible.posix.sysctl: + sysctl_file: '/etc/sysctl.d/60-ansible-managed-network.conf' + name: "{{ item.name }}" + value: "{{ item.value }}" + sysctl_set: true + state: present + reload: true + loop: "{{ kernel_network_tweaks }}" + become: true -- name: 'Create lists of private and of public IP addresses.' +- name: Create lists of public IP addresses. ansible.builtin.set_fact: - private_ip_addresses: "{{ ansible_facts | dict2items - | json_query('[*].value.ipv4.address') - | map('ipaddr', 'private') | list - | reject('==', None) | list }}" public_ip_addresses: "{{ ansible_facts | dict2items | json_query('[*].value.ipv4.address') - | map('ipaddr', 'public') | list + | map('ansible.utils.ipaddr', 'public') | list | reject('==', None) | list }}" -- name: 'Create lists of internal and external network interfaces.' +- name: Create lists of publicly exposed, private IP addresses. + ansible.builtin.set_fact: + publicly_exposed_internal_ip_addresses: "{{ all_ip_addresses[inventory_hostname] | dict2items + | json_query('[?value.publicly_exposed].value.address') + | list }}" + +- name: Create lists of all publicly exposed IP addresses that need to be firewalled. + ansible.builtin.set_fact: + all_publicly_exposed_ip_addresses: "{{ public_ip_addresses | default([]) }} + {{ publicly_exposed_internal_ip_addresses | default([]) }}" + +- name: Create lists of internal and external network interfaces. ansible.builtin.set_fact: internal_interfaces: "{{ ansible_facts | dict2items | selectattr('value.ipv4.address', 'defined') - | selectattr('value.ipv4.address', 'in', private_ip_addresses) + | rejectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" external_interfaces: "{{ ansible_facts | dict2items | selectattr('value.ipv4.address', 'defined') - | selectattr('value.ipv4.address', 'in', public_ip_addresses) + | selectattr('value.ipv4.address', 'in', all_publicly_exposed_ip_addresses) | map(attribute='value.device') | list }}" -- name: 'DEBUG: List discovered IP addressess and network interfaces.' +- name: List discovered IP addressess and network interfaces. ansible.builtin.debug: msg: | - Private IP addresses: {{ private_ip_addresses }}. - Public IP addresses: {{ public_ip_addresses }}. + All publicly exposed IP addresses: {{ all_publicly_exposed_ip_addresses }}. Internal interfaces: {{ internal_interfaces }}. External interfaces: {{ external_interfaces }}. -- name: 'Deploy firewall configuration script.' +- name: Deploy firewall configuration script. ansible.builtin.template: src: 'iptables-init.bash.j2' dest: '/etc/sysconfig/iptables-init.bash' owner: root group: root mode: 0700 -# notify: initialize_iptables + notify: configure_iptables become: true -# -#- name: 'Configure the firewall service.' -# service: -# name: "{{ item }}" -# state: 'started' -# enabled: 'yes' -# daemon_reload: 'yes' -# with_items: -# - 'iptables' -# - 'ip6tables' -# notify: reconfigure_iptables -# become: true - -#- import_tasks: disable-other-firewalls.yml -# when: iptables_disable_firewalld or iptables_disable_ufw -... +- name: Configure the firewall service. + ansible.builtin.service: + name: "{{ item }}" + state: 'started' + enabled: 'yes' + daemon_reload: 'yes' + with_items: + - 'iptables' + - 'ip6tables' + notify: configure_iptables + become: true +- name: Flush handlers for iptables role. + ansible.builtin.meta: flush_handlers -# systemctl disable firewalld -# yum install iptables-services -# systemctl enable iptables -# systemctl enable ip6tables -# systemctl start iptables -# systemctl start ip6tables -# /root/firewall/firewall.sh \ No newline at end of file +- name: Disable other firewalls. + ansible.builtin.import_tasks: disable-other-firewalls.yml + when: iptables_disable_firewalld +... diff --git a/roles/iptables/tasks/main.yml.disabled b/roles/iptables/tasks/main.yml.disabled deleted file mode 100755 index 462229346..000000000 --- a/roles/iptables/tasks/main.yml.disabled +++ /dev/null @@ -1,45 +0,0 @@ ---- -- name: Ensure iptables is present. - package: name=iptables state=present - -#- name: Flush iptables the first time playbook runs. -# command: > -# iptables -F -# creates=/etc/firewall.bash - -- name: Copy firewall configuration script into place. - template: - src: firewall.bash.j2 - dest: /etc/firewall.bash - owner: root - group: root - mode: 0744 - notify: restart firewall - -- name: Copy firewall init script into place (for System V init systems). - template: - src: firewall.init.j2 - dest: /etc/init.d/firewall - owner: root - group: root - mode: 0755 - when: "ansible_service_mgr != 'systemd'" - -- name: Copy firewall systemd unit file into place (for systemd systems). - template: - src: firewall.unit.j2 - dest: /etc/systemd/system/firewall.service - owner: root - group: root - mode: 0644 - when: "ansible_service_mgr == 'systemd'" - -- name: Configure the firewall service. - service: - name: firewall - state: "{{ iptables_state }}" - enabled: "{{ iptables_enabled }}" - -- import_tasks: disable-other-firewalls.yml - when: iptables_disable_firewalld or iptables_disable_ufw -... diff --git a/roles/iptables/templates/firewall.unit.j2 b/roles/iptables/templates/firewall.unit.j2 deleted file mode 100755 index ad2655806..000000000 --- a/roles/iptables/templates/firewall.unit.j2 +++ /dev/null @@ -1,12 +0,0 @@ -[Unit] -Description=Firewall -After=syslog.target network.target - -[Service] -Type=oneshot -ExecStart=/etc/sysconfig/iptables-init.bash -ExecStop=/sbin/iptables -F -RemainAfterExit=yes - -[Install] -WantedBy=multi-user.target diff --git a/roles/iptables/templates/iptables-init.bash.j2 b/roles/iptables/templates/iptables-init.bash.j2 index cd891c055..0f122636c 100755 --- a/roles/iptables/templates/iptables-init.bash.j2 +++ b/roles/iptables/templates/iptables-init.bash.j2 @@ -1,3 +1,4 @@ +#jinja2: trim_blocks:True, lstrip_blocks: True #!/bin/bash # @@ -6,12 +7,6 @@ # # This file must be located in /etc/sysconfig/iptables-init.bash # -# Common port reference: -# 22: SSH -# 25: SMTP -# 80: HTTP -# 123: NTP -# 443: HTTPS # # Bash sanity. @@ -32,50 +27,8 @@ declare -a EXTERNAL_INTERFACES=( '{{ external_interface }}' {% endfor %} ) - -# -# Network addresses and ranges. -# LOOPBACK='127.0.0.0/8' -declare -a ALLOW_ICMP_INBOUND=( -{% for ip in iptables_allow_icmp_inbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_SSH_INBOUND=( -{% for ip in iptables_allow_ssh_inbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_SSH_OUTBOUND=( -{% for ip in iptables_allow_ssh_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_EBI_MYSQL_OUTBOUND=( -{% for ip in iptables_allow_ebi_mysql_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_FTP_OUTBOUND=( -{% for ip in iptables_allow_ftp_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_ASPERA_OUTBOUND=( -{% for ip in iptables_allow_aspera_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare -a ALLOW_GLOBUS_OUTBOUND=( -{% for ip in iptables_allow_globus_outbound %} - '{{ ip_addresses[ip].addr }}' # {{ ip_addresses[ip].desc }} -{% endfor %} -) -declare GLOBUS_ORG_NET='{{ ip_addresses.globus_org_net.addr }}' # {{ ip_addresses.globus_org_net.desc }} -declare GOOGLE_STUN='{{ ip_addresses.google_stun.addr }}' # {{ ip_addresses.google_stun.desc }} - # ## ### Main. @@ -88,61 +41,18 @@ declare GOOGLE_STUN='{{ ip_addresses.google_stun.addr }}' # {{ ip_addresses.goo # * Remove any -mgmt suffixes # SERVER_NAME="$(hostname -s)" -SERVER_NAME="$(echo ${SERVER_NAME} | sed 's/-mgmt//')" # # Check if we have a config valid for this server. # -if [[ "${SERVER_NAME}" == "${TARGET_SERVER}" ]]; then +if [[ "${SERVER_NAME%-mgmt}" == "${TARGET_SERVER}" ]]; then echo "INFO: Hostname check passed. Will configure iptables firewall..." else - echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME}\"." + echo "ERROR: This config file is for \"${TARGET_SERVER}\", but this is \"${SERVER_NAME%-mgmt}\"." echo 'FATAL: Cannot configure firewall on this server.' exit 1 fi -# -## -### Kernel tweaks. -## -# - -# -# Disable redirects and forwarding, which are only required on routers. -# -echo '0' > /proc/sys/net/ipv4/conf/all/forwarding -echo '0' > /proc/sys/net/ipv6/conf/all/forwarding -echo '0' > /proc/sys/net/ipv4/conf/all/accept_redirects -echo '0' > /proc/sys/net/ipv6/conf/all/accept_redirects - -# -# Prevent SYNC-floods. -# -echo '1' > /proc/sys/net/ipv4/tcp_syncookies # confusing name, but applies to IP version 6 as well. - -# -# Limit response to ICMP packets. -# -echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts -echo '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses - -# -# Disable logging of spoofed packets, source routed packets, -# and redirect packets to prevent flooding the logs. -# -echo '0' > /proc/sys/net/ipv4/conf/all/log_martians - -# -# Disable source routed packets, which should only be required for debugging network issues. -# -echo '0' > /proc/sys/net/ipv4/conf/all/accept_source_route -echo '0' > /proc/sys/net/ipv6/conf/all/accept_source_route - -# -# Enable IP spoofing protection. -# -echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter - # ## ### IPv6: disable all and log. @@ -155,16 +65,27 @@ echo '1' > /proc/sys/net/ipv4/conf/all/rp_filter ip6tables -F ip6tables -X +# +# Create custom chain for LOGDROP. +# +ip6tables -N LOGDROP +ip6tables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by ip6tables: ' +ip6tables -A LOGDROP -j DROP + # # Set the default policies to drop everything. # -ip6tables -P INPUT DROP +{% if iptables_log_dropped_packets %} +ip6tables -P INPUT LOGDROP +{% else %} +ip6tables -P INPUT DROP +{% endif %} ip6tables -P OUTPUT DROP ip6tables -P FORWARD DROP # # We must accept IPv6 traffic on the loopback interface to prevent tests from failing -# during installation of verious software packages with network functionality. +# during installation of various software packages with network functionality. # ip6tables -A INPUT -i lo -j ACCEPT ip6tables -A OUTPUT -o lo -j ACCEPT @@ -194,14 +115,12 @@ iptables -Z # Create custom chain for LOGDROP. # iptables -N LOGDROP -iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables firewall: ' +iptables -A LOGDROP -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix 'Dropped by iptables: ' iptables -A LOGDROP -j DROP # -# Config default policies to drop. +# Set default policies to drop everything. # -# Log EVERYTHING (ONLY for Debugging). -# iptables -A INPUT -j LOG {% if iptables_log_dropped_packets %} iptables -P INPUT LOGDROP {% else %} @@ -219,13 +138,7 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do done # -# Allow loopback. -# -iptables -A INPUT -i lo -j ACCEPT -iptables -A OUTPUT -o lo -j ACCEPT - -# -# Allow anything over internal interfaces. +# Allow anything over internal interfaces including the loopback interface. # for INT_INTERFACE in "${INTERNAL_INTERFACES[@]:-}"; do [[ -z "${INT_INTERFACE}" ]] && continue @@ -240,6 +153,11 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do [[ -z "${EXT_INTERFACE}" ]] && continue # # Allow all outbound ICMP. + # + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT +{% if iptables_allow_icmp_inbound is defined and iptables_allow_icmp_inbound | length > 0 %} + # # Allow limited inbound ICMP: # Type 0 Echo Reply (a.k.a. pong) must be RELATED. # Type 8 Echo Request (a.k.a. ping) @@ -251,60 +169,164 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # The Time To Live (TTL) for the datagram has been exceeded. # Required for traceroute. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT - for IP_ADDRESS in ${ALLOW_ICMP_INBOUND[@]}; do - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 3 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 8 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p icmp --icmp-type 11 -s ${IP_ADDRESS} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + declare -a ALLOW_ICMP_INBOUND=( + {% for ip in iptables_allow_icmp_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_ICMP_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 3 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 8 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p icmp --icmp-type 11 -s "${IP_ADDRESS}" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT done +{% endif%} # # Allow outbound NTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound SMTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -m multiport --dport 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sport 25,587 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -m multiport --dports 25,587 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 25,587 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound DNS. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT + # + # Allow outbound LDAPS. + # + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 636 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 636 -m state --state ESTABLISHED -j ACCEPT # # Allow outbound HTTP. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT +{% if iptables_allow_http_inbound is defined and iptables_allow_http_inbound | length > 0 %} + # + # Allow inbound HTTP. + # + declare -a ALLOW_HTTP_INBOUND=( + {% for ip in iptables_allow_http_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_HTTP_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT +{% endif%} # # Allow outbound HTTPS. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT +{% if iptables_allow_https_inbound is defined and iptables_allow_https_inbound | length > 0 %} # - # Allow SSH inbound and outbound. + # Allow inbound HTTPS. # - for IP_ADDRESS in ${ALLOW_SSH_INBOUND[@]}; do - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -s ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + declare -a ALLOW_HTTPS_INBOUND=( + {% for ip in iptables_allow_https_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_HTTPS_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT done - for IP_ADDRESS in ${ALLOW_SSH_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ssh_inbound is defined and iptables_allow_ssh_inbound | length > 0 %} + # + # Allow SSH inbound. + # + declare -a ALLOW_SSH_INBOUND=( + {% for ip in iptables_allow_ssh_inbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_SSH_INBOUND[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ssh_outbound is defined and iptables_allow_ssh_outbound | length > 0 %} + # + # Allow SSH outbound. + # + declare -a ALLOW_SSH_OUTBOUND=( + {% for ip in iptables_allow_ssh_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_SSH_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ebi_mysql_outbound is defined and iptables_allow_ebi_mysql_outbound | length > 0 %} # # Allow MySQL outbound. # - # Required a.o. for conncections to the public Ensembl databases via the Ensembl Perl API + # Required a.o. for connections to the public Ensembl databases via the Ensembl Perl API + # + declare -a ALLOW_EBI_MYSQL_OUTBOUND=( + {% for ip in iptables_allow_ebi_mysql_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_EBI_MYSQL_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT + done + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_postgresql_outbound is defined and iptables_allow_postgresql_outbound | length > 0 %} + # + # Allow PostgreSQL outbound. # - for IP_ADDRESS in ${ALLOW_EBI_MYSQL_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 3306,5306,5316 -m state --state NEW,ESTABLISHED -j ACCEPT + declare -a ALLOW_POSTGRESQL_OUTBOUND=( + {% for ip in iptables_allow_postgresql_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_POSTGRESQL_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 3306,5306,5316 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 5432 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_ftp_outbound is defined and iptables_allow_ftp_outbound | length > 0 %} # # Allow FTP outbound. # @@ -313,28 +335,39 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # The extra module must be added to /etc/sysconfig/iptables-config # IPTABLES_MODULES="nf_conntrack_ftp" # + declare -a ALLOW_FTP_OUTBOUND=( + {% for ip in iptables_allow_ftp_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) /sbin/modprobe nf_conntrack # Default module: should already be present, just checking here. /sbin/modprobe nf_conntrack_ftp # Extra module: should be added to /etc/sysconfig/iptables-config, just checking here. # # Firstly, allow FTP control initiated by the client. # - for IP_ADDRESS in ${ALLOW_FTP_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_FTP_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT # # Secondly, allow FTP data connections. - # * For Active Mode FTP the client must accept RELATED connections from the server on port 20 + # * For Active Mode FTP the client must accept RELATED connections from the server on port 20 # to the client on a port number negotiated in the FTP control connection. - # * For Passive Mode FTP the client starts a RELATED connection from a random own high port number + # * For Passive Mode FTP the client starts a RELATED connection from a random own high port number # to the server's fixed high port number negotiated in the FTP control connection. - # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client + # * For both Active and Passive Mode FTP, the nf_conntrack_ftp kernel module is required at the FTP client # to pick up the negotiated port number from the FTP control packet payloads. # - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT # Active Mode + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Active Mode + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT # Passive Mode + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT # Passive Mode +{% endif%} +{% if iptables_allow_aspera_outbound is defined and iptables_allow_aspera_outbound | length > 0 %} # # Allow Aspera outbound. # @@ -344,12 +377,23 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # In case the server OS doesn't allow UDP port sharing a range of UDP ports is used # where the number of ports determines the max number of concurrent connections/clients. # - for IP_ADDRESS in ${ALLOW_ASPERA_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT + declare -a ALLOW_ASPERA_OUTBOUND=( + {% for ip in iptables_allow_aspera_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_ASPERA_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 22,33001 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 33001:33100 -m state --state NEW,ESTABLISHED -j ACCEPT done - iptables -A INPUT -i ${EXT_INTERFACE} -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT - iptables -A INPUT -i ${EXT_INTERFACE} -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -m multiport --sports 22,33001 -m state --state ESTABLISHED -j ACCEPT + iptables -A INPUT -i "${EXT_INTERFACE}" -p udp -m multiport --sports 33001:33100 -m state --state ESTABLISHED -j ACCEPT +{% endif%} +{% if iptables_allow_globus_outbound is defined and iptables_allow_globus_outbound | length > 0 %} # # Allow Globus outbound. # @@ -362,12 +406,48 @@ for EXT_INTERFACE in "${EXTERNAL_INTERFACES[@]:-}"; do # * TCP ports 50000-51000 outbound for data channel for transfers with Globus Connect Server endpoints. # * UDP ports 32768-65535 outbound for data channel for transfers with other Globus Connect Personal endpoints. # - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${GLOBUS_ORG_NET} --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${GOOGLE_STUN} --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT - for IP_ADDRESS in ${ALLOW_GLOBUS_OUTBOUND[@]}; do - iptables -A OUTPUT -o ${EXT_INTERFACE} -p tcp -d ${IP_ADDRESS} -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT - iptables -A OUTPUT -o ${EXT_INTERFACE} -p udp -d ${IP_ADDRESS} -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + declare -a ALLOW_GLOBUS_OUTBOUND=( + {% for ip in iptables_allow_globus_outbound %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + declare GLOBUS_ORG_NET='{{ all.ip_addresses['globus_org']['net']['address'] }}{{ all.ip_addresses['globus_org']['net']['netmask'] }}' # {{ all.ip_addresses['globus_org']['net']['desc'] }} + declare GOOGLE_STUN='{{ all.ip_addresses['google']['stun']['address'] }}{{ all.ip_addresses['google']['stun']['netmask'] }}' # {{ all.ip_addresses['google']['stun']['desc'] }} + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${GLOBUS_ORG_NET}" --dport 2223 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${GOOGLE_STUN}" --dport 19302 -m state --state NEW,ESTABLISHED -j ACCEPT + for IP_ADDRESS in "${ALLOW_GLOBUS_OUTBOUND[@]}"; do + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --dports 50000:51000 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p udp -d "${IP_ADDRESS}" -m multiport --dports 32678:65535 -m state --state NEW,ESTABLISHED -j ACCEPT + done +{% endif%} +{% if iptables_allow_irods is defined and iptables_allow_irods | length > 0 %} + # + # Allow iRODS both inbound and outbound. + # + # iRODS requires: + # * TCP port 1247: Handshakes and data transfers. + # * TCP port 1248: Control Plane. + # * TCP ports 20000-20199: Dynamically allocated for direct machine to machine connections for large data transfers. + # * The iCAT requires a DataBase too, which is usually a PostgreSQL DB. Do not forget to open the corresponding port too. + # + declare -a ALLOW_IRODS=( + {% for ip in iptables_allow_irods %} + {% if ip == 'ANY'%} + '0.0.0.0/0' + {% else %} + '{{ ip.address }}{{ ip.netmask }}'{% if ip.desc is defined %} # {{ ip.desc }}{% endif +%} + {% endif %} + {% endfor %} + ) + for IP_ADDRESS in "${ALLOW_IRODS[@]}"; do + iptables -A INPUT -i "${EXT_INTERFACE}" -p tcp -s "${IP_ADDRESS}" -m multiport --ports 1247,1248,20000:20199 -m state --state NEW,ESTABLISHED -j ACCEPT + iptables -A OUTPUT -o "${EXT_INTERFACE}" -p tcp -d "${IP_ADDRESS}" -m multiport --ports 1247,1248,20000:20199 -m state --state NEW,ESTABLISHED -j ACCEPT done +{% endif%} done # diff --git a/single_group_playbooks/cluster_part1.yml b/single_group_playbooks/cluster_part1.yml index 8b1d6b3b9..66f2b54bc 100644 --- a/single_group_playbooks/cluster_part1.yml +++ b/single_group_playbooks/cluster_part1.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - swap - {role: spacewalk_client, when: repo_manager == 'spacewalk'} diff --git a/single_group_playbooks/data_transfer.yml b/single_group_playbooks/data_transfer.yml index db06cabb2..aa8d8409e 100644 --- a/single_group_playbooks/data_transfer.yml +++ b/single_group_playbooks/data_transfer.yml @@ -7,11 +7,11 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update - {role: geerlingguy.repo-epel, become: true} - - {role: geerlingguy.firewall, become: true} - logins - role: ldap when: diff --git a/single_group_playbooks/docs.yml b/single_group_playbooks/docs.yml index d53b76111..6453c6cee 100644 --- a/single_group_playbooks/docs.yml +++ b/single_group_playbooks/docs.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update diff --git a/single_group_playbooks/irods.yml b/single_group_playbooks/irods.yml index 5546ab709..6505c9c0c 100644 --- a/single_group_playbooks/irods.yml +++ b/single_group_playbooks/irods.yml @@ -6,6 +6,7 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - pulp_client - static_hostname_lookup @@ -13,7 +14,6 @@ - logins - sshd - {role: geerlingguy.security, become: true} - - {role: geerlingguy.firewall, become: true} - remove - update - docker diff --git a/single_group_playbooks/jenkins.yml b/single_group_playbooks/jenkins.yml index 70118d5ce..159efb76e 100644 --- a/single_group_playbooks/jenkins.yml +++ b/single_group_playbooks/jenkins.yml @@ -7,6 +7,7 @@ roles: - admin_users - ssh_host_signer + - iptables - logrotate - remove - update diff --git a/single_group_playbooks/jumphost.yml b/single_group_playbooks/jumphost.yml index 2fb71b6c4..a441a8864 100644 --- a/single_group_playbooks/jumphost.yml +++ b/single_group_playbooks/jumphost.yml @@ -7,13 +7,13 @@ roles: - admin_users - ssh_host_signer + - iptables - ssh_known_hosts - {role: yum_local, when: local_yum_repository is defined} - logrotate - remove - update - {role: geerlingguy.repo-epel, become: true} - - {role: geerlingguy.firewall, become: true} - logins - role: ldap when: diff --git a/single_role_playbooks/firewall.yml b/single_role_playbooks/firewall.yml deleted file mode 100644 index f74c00ecb..000000000 --- a/single_role_playbooks/firewall.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- name: Deploy the geerlingguy.firewall role. - hosts: - - jumphost - - cluster - - docs - - jenkins - roles: - - { role: geerlingguy.firewall, become: true } -... diff --git a/single_role_playbooks/iptables.yml b/single_role_playbooks/iptables.yml index f707cf52d..0d397b679 100644 --- a/single_role_playbooks/iptables.yml +++ b/single_role_playbooks/iptables.yml @@ -1,5 +1,5 @@ --- -- hosts: jumphost +- hosts: all,!openstack_api roles: - 'iptables' ... \ No newline at end of file diff --git a/static_inventories/nibbler_cluster.yml b/static_inventories/nibbler_cluster.yml index 537fa651c..4c59afc1e 100644 --- a/static_inventories/nibbler_cluster.yml +++ b/static_inventories/nibbler_cluster.yml @@ -57,6 +57,9 @@ all: local_volume_size_extra: 20 fqdn: umcg-icat01.hpc.rug.nl davrods_icat_ip: "{{ ip_addresses[inventory_hostname][network_private_management_id]['address'] }}" + iptables_allow_ssh_outbound: [] + iptables_allow_irods: + - "{{ all.ip_addresses['surfsara']['umcg-resc1'] }}" docs: hosts: docs_on_merlin: diff --git a/static_inventories/talos_cluster.yml b/static_inventories/talos_cluster.yml index 9349977d0..8c78d15ef 100644 --- a/static_inventories/talos_cluster.yml +++ b/static_inventories/talos_cluster.yml @@ -8,6 +8,20 @@ all: hosts: reception: cloud_flavor: 2C-4GB + iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" + - "{{ all.ip_addresses['gcc']['cloud_net'] }}" + - "{{ calculon_cluster.ip_addresses['lobby']['vlan16'] }}" + - "{{ fender_cluster.ip_addresses['corridor']['public'] }}" + - "{{ gearshift_cluster.ip_addresses['airlock']['vlan16'] }}" + - "{{ hyperchicken_cluster.ip_addresses['portal']['public'] }}" + - "{{ nibbler_cluster.ip_addresses['tunnel']['vlan16'] }}" + - "{{ wingedhelix_cluster.ip_addresses['porch']['vlan16'] }}" repo: hosts: tl-repo: diff --git a/static_inventories/wingedhelix_cluster.yml b/static_inventories/wingedhelix_cluster.yml index 2e50ab56e..5514f84d9 100644 --- a/static_inventories/wingedhelix_cluster.yml +++ b/static_inventories/wingedhelix_cluster.yml @@ -9,6 +9,13 @@ all: porch: cloud_flavor: m1.small security_ssh_challenge_response_auth: 'yes' # geerlingguy.security fix sshd_config 2FA + iptables_allow_icmp_inbound: + - "{{ all.ip_addresses['umcg']['net1'] }}" + - "{{ all.ip_addresses['umcg']['net2'] }}" + - "{{ all.ip_addresses['umcg']['net3'] }}" + - "{{ all.ip_addresses['umcg']['net4'] }}" + - "{{ all.ip_addresses['rug']['bwp_net'] }}" + - "{{ all.ip_addresses['rug']['operator'] }}" repo: hosts: wh-repo: