# {{ ansible_managed }}
# iptables-restore input for the filter table, rendered per host by Ansible.
# All three chains default to DROP, so this is an allow-list in both
# directions: any destination/port not listed below is unreachable from
# this host, and any inbound service not listed is unreachable.
# iptables matches first rule wins, so the order of the rules matters.
*filter
:INPUT DROP []
:FORWARD DROP []
:OUTPUT DROP []
# loopback allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# virbr0 (presumably the libvirt guest bridge) is fully trusted: every
# packet to/from it is accepted, so any service listening on the host is
# reachable from guests on that bridge -- confirm this is intended.
-A INPUT -i virbr0 -j ACCEPT
-A OUTPUT -o virbr0 -j ACCEPT
# 127.0.0.0/8 is accepted on any interface here (no -i lo); this relies on
# the kernel treating 127/8 arriving on other interfaces as martian.
-A INPUT -d 127.0.0.0/8 -j ACCEPT
-A OUTPUT -d 127.0.0.0/8 -j ACCEPT
# Accept ping and traceroute (needs icmp) -- all ICMP types, both directions
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# if the blocked_ips is defined - drop them
# NOTE(review): these DROP rules sit after the ICMP and RELATED,ESTABLISHED
# accepts above, so a blocked source can still ping this host and keep any
# already-established session; only new connections from it are dropped.
# Move this loop above those accepts if a full block is intended.
{% if blocked_ips is defined %}
{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
{% endif %}
# kojipkgs
-A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.125.36 --dport 443 -j ACCEPT
# `host` here vs `inventory_hostname` further down -- verify `host` is
# actually set for these hosts, otherwise the condition never matches.
{% if host in groups['buildvm-s390x'] %}
-A OUTPUT -p tcp -m tcp -d 10.16.0.17 --dport 80 -j ACCEPT
{% endif %}
#koji.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.125.63 --dport 443 -j ACCEPT
#arm.koji.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.124.138 --dport 443 -j ACCEPT
#ppc.koji.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.129.240 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.129.240 --dport 443 -j ACCEPT
#s390.koji.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.129.180 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.129.180 --dport 443 -j ACCEPT
# compose-x86-02.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.125.42 --dport 443 -j ACCEPT
# compose-x86-01.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.125.41 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.125.41 --dport 443 -j ACCEPT
# DNS (udp and tcp, both resolvers)
-A OUTPUT -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.21 --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.22 --dport 53 -j ACCEPT
# bastion smtp
-A OUTPUT -p tcp -m tcp -d 10.5.126.12 --dport 25 -j ACCEPT
# infra.fp.o
-A OUTPUT -p tcp -m tcp -d 10.5.126.23 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.23 --dport 443 -j ACCEPT
# rsyslog out to log01
-A OUTPUT -p tcp -m tcp -d 10.5.126.13 --dport 514 -j ACCEPT
# SSH: inbound only from the 10.5.0.0/16 range.
# The OUTPUT --sport 22 rule is redundant with the RELATED,ESTABLISHED
# accept above and additionally lets any locally originated packet with
# source port 22 out to 10.5.0.0/16; it can probably be dropped.
-A INPUT -p tcp -m tcp -s 10.5.0.0/16 --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.0.0/16 --sport 22 -j ACCEPT
{% if inventory_hostname == "buildvm-s390x-01.s390.fedoraproject.org" %}
# Allow SSHFS binding to koji01
-A OUTPUT -p tcp -m tcp -d 10.5.125.61 --dport 22 -j ACCEPT
{% endif %}
# git to pkgs (git:// is TCP-only; the udp rule is presumably a leftover)
-A OUTPUT -m tcp -p tcp --dport 9418 -d 10.5.125.44 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 9418 -d 10.5.125.44 -j ACCEPT
# http to pull sources from pkgs lookaside
-A OUTPUT -m tcp -p tcp --dport 80 -d 10.5.125.44 -j ACCEPT
# git to fedorahosted (external address; same TCP-only remark as above)
-A OUTPUT -m tcp -p tcp --dport 9418 -d 140.211.169.199 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 9418 -d 140.211.169.199 -j ACCEPT
# git on pagure.io (https only)
-A OUTPUT -p tcp -m tcp -d 140.211.169.204 --dport 443 -j ACCEPT
# admin.fedoraproject.org for fas (proxy01 and proxy10)
-A OUTPUT -p tcp -m tcp -d 10.5.126.51 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.52 --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
# for 2 factor auth (port 8443 on three hosts)
-A OUTPUT -p tcp -m tcp -d 10.5.126.30 --dport 8443 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.25 --dport 8443 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 10.5.126.26 --dport 8443 -j ACCEPT
# nfs to vtap-fedora-nfs01.storage.phx2.redhat.com - a little too wide-open
# (all tcp/udp ports, both directions, no state match) - but kinda necessary
-A INPUT -m tcp -p tcp -s 10.5.88.36 -j ACCEPT
-A OUTPUT -m tcp -p tcp -d 10.5.88.36 -j ACCEPT
-A INPUT -m udp -p udp -s 10.5.88.36 -j ACCEPT
-A OUTPUT -m udp -p udp -d 10.5.88.36 -j ACCEPT
# also new c-mode filer (remove above after switch) - same wide-open shape
-A INPUT -m tcp -p tcp -s 10.5.88.41 -j ACCEPT
-A OUTPUT -m tcp -p tcp -d 10.5.88.41 -j ACCEPT
-A INPUT -m udp -p udp -s 10.5.88.41 -j ACCEPT
-A OUTPUT -m udp -p udp -d 10.5.88.41 -j ACCEPT
# ntp
-A OUTPUT -m udp -p udp --dport 123 -d 10.5.126.11 -j ACCEPT
-A OUTPUT -m udp -p udp --dport 123 -d 10.5.126.12 -j ACCEPT
# dhcp
-A OUTPUT -m udp -p udp --dport 67 -d 10.5.126.41 -j ACCEPT
# if the host/group defines incoming tcp_ports - allow them
# NOTE: unlike blocked_ips above, tcp_ports/udp_ports/custom_rules are not
# guarded by `is defined`; they must exist (an empty list is fine) or the
# template fails to render. These ports are opened to any source address.
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
# if the host/group defines incoming udp_ports - allow them
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
# if there are custom rules - put them in as-is
# Inserted verbatim, after every rule above: whoever can set custom_rules
# in inventory writes raw iptables rules into this host's policy.
{% for rule in custom_rules %}
{{ rule }}
{% endfor %}
COMMIT