authorAdam Miller <admiller@redhat.com>2016-11-08 20:12:16 +0000
committerAdam Miller <admiller@redhat.com>2016-11-08 20:12:16 +0000
commitf2de734e20172a9e6ed56b3c704462b02b790f51 (patch)
treeef31c6f8c83d452d5f890bd09c595c6bb6f9041d
parent83f4e964855e700fa980b791e812a5a4c83922d7 (diff)
downloadansible-f2de734e20172a9e6ed56b3c704462b02b790f51.tar.gz
ansible-f2de734e20172a9e6ed56b3c704462b02b790f51.tar.xz
ansible-f2de734e20172a9e6ed56b3c704462b02b790f51.zip
apply Patricks magic osbs cluster iptables rules to new cluster
Signed-off-by: Adam Miller <admiller@redhat.com>
-rw-r--r--files/osbs/fix-docker-iptables.production66
-rw-r--r--files/osbs/fix-docker-iptables.staging68
2 files changed, 81 insertions, 53 deletions
diff --git a/files/osbs/fix-docker-iptables.production b/files/osbs/fix-docker-iptables.production
index 2cf958b7f..52ee20713 100644
--- a/files/osbs/fix-docker-iptables.production
+++ b/files/osbs/fix-docker-iptables.production
@@ -3,52 +3,66 @@
# every docker service restart.
# And just doing an iptables-restore is going to mess up kubernetes'
# NAT table.
+# And it gets even better with openshift! It thinks I'm stupid and need
+# to be corrected by automatically adding the "allow all" rules back at
+# the top as soon as I remove them.
+# To circumvent that, we're just adding a new chain for this, as it seems
+# that it doesn't do anything with the firewall if we keep its rules in
+# place. (it doesn't check the order of its rules, only that they exist)
+
+if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
+then
+ iptables -N FILTER_FORWARD
+fi
+if [ "`iptables -nL | grep 'FILTER_FORWARD all'`" == "" ];
+then
+ iptables -I FORWARD 1 -j FILTER_FORWARD
+fi
# Delete all old rules
-iptables --flush FORWARD
+iptables --flush FILTER_FORWARD
# Re-insert some basic rules
-iptables -A FORWARD -o lbr0 -j DOCKER
-iptables -A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -i lbr0 -o lbr0 -j ACCEPT
+iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
# Now insert access to allowed boxes
# docker-registry
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
#koji.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
# pkgs
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
# DNS
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
# mirrors.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
# dl.phx2
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
# Docker is CRAZY and forces Google DNS upon us.....
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
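Review bot: The final deny rule on the last context line of this hunk still appends to FORWARD, while the staging file in this same commit moves it into FILTER_FORWARD; in production the new chain therefore has no terminal REJECT, so a packet that matches none of the FILTER_FORWARD accepts returns to FORWARD and is evaluated by whatever rules OpenShift keeps there (the header comment says it re-adds "allow all" rules at the top) before it could ever reach the REJECT at the end of FORWARD. Since FORWARD is no longer flushed, every run of this script also appends one more duplicate REJECT to FORWARD. The line should read `iptables -A FILTER_FORWARD -j REJECT --reject-with icmp-host-prohibited` so the two files agree and the default-deny lives in the chain the script actually owns. The dropped `-i lbr0` match on every accept rule also widens them from bridge-originated traffic to all forwarded traffic; that may be intended with the new 10.1.0.0/16 rule, but it is worth a comment stating so.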
diff --git a/files/osbs/fix-docker-iptables.staging b/files/osbs/fix-docker-iptables.staging
index 8fe05b9a7..865a87ec0 100644
--- a/files/osbs/fix-docker-iptables.staging
+++ b/files/osbs/fix-docker-iptables.staging
@@ -3,52 +3,66 @@
# every docker service restart.
# And just doing an iptables-restore is going to mess up kubernetes'
# NAT table.
+# And it gets even better with openshift! It thinks I'm stupid and need
+# to be corrected by automatically adding the "allow all" rules back at
+# the top as soon as I remove them.
+# To circumvent that, we're just adding a new chain for this, as it seems
+# that it doesn't do anything with the firewall if we keep its rules in
+# place. (it doesn't check the order of its rules, only that they exist)
+
+if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
+then
+ iptables -N FILTER_FORWARD
+fi
+if [ "`iptables -nL | grep 'FILTER_FORWARD all'`" == "" ];
+then
+ iptables -I FORWARD 1 -j FILTER_FORWARD
+fi
# Delete all old rules
-iptables --flush FORWARD
+iptables --flush FILTER_FORWARD
# Re-insert some basic rules
-iptables -A FORWARD -o lbr0 -j DOCKER
-iptables -A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -i lbr0 -o lbr0 -j ACCEPT
+iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
# Now insert access to allowed boxes
# docker-registry
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
#koji.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
# pkgs.stg
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
# DNS
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
# mirrors.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
# dl.phx2
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
# Docker is CRAZY and forces Google DNS upon us.....
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
-iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+iptables -A FILTER_FORWARD -j REJECT --reject-with icmp-host-prohibited
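Review bot: The two existence checks at the top of the hunk (and the identical ones in the production file) parse `iptables -nL` with grep, which depends on the listing's column spacing and, for the first check, also matches any rule that merely references the chain; `[ ... == ... ]` is additionally a bash-only test. iptables has exact queries for both cases: `iptables -nL FILTER_FORWARD >/dev/null 2>&1 || iptables -N FILTER_FORWARD` and `iptables -C FORWARD -j FILTER_FORWARD 2>/dev/null || iptables -I FORWARD 1 -j FILTER_FORWARD`. This keeps the script idempotent regardless of how the listing is formatted or which shell runs it.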