adding bastion firewall rules to all firewalls. this is precausion so that we have the blocking rules in any event. the rest of bastion gets deployed through ansible but since if ansible gets forgotton or other things happen this will make sure the most critical things are there

2018-11-04 21:13:13 +01:00 · 2018-11-04 21:13:13 +01:00 · 1855169a42
parent 0868dd4df3
commit 1855169a42
1 changed files with 34 additions and 4 deletions
--- a/files/firewall
+++ b/files/firewall
@ -46,11 +46,26 @@ case $1 in
        iptables -P INPUT DROP


+       ## some rules for bastion boxes to protect the mgmt networks
+        iptables -F FORWARD
+        iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED      -j ACCEPT
+        iptables -A FORWARD -o mgmtgw1 -j DROP
+        iptables -A FORWARD -i ipmigw1 -j DROP
+        iptables -A FORWARD -o ipmigw1 -j DROP
+
+
       #special tables
        iptables -t mangle -F
        iptables -t nat -F
        iptables -t raw -F

+
+       # this matters only on bastion boxes
+        iptables -t raw -A PREROUTING -i mgmtgw1  -j ACCEPT
+        iptables -t raw -A OUTPUT     -o mgmtgw1  -j ACCEPT
+        iptables -t raw -A PREROUTING -i ipmigw1  -j ACCEPT
+        iptables -t raw -A OUTPUT     -o ipmigw1  -j ACCEPT
+       # this matters on all boxes
        iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
        iptables -t raw -A OUTPUT     -o mgmt  -j ACCEPT
        iptables -t raw -A PREROUTING          -j NOTRACK
@ -85,15 +100,30 @@ case $1 in
        ip6tables -P INPUT DROP


+       ## some rules for bastion boxes to protect the mgmt networks
+        ip6tables -F FORWARD
+        ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED      -j ACCEPT
+        ip6tables -A FORWARD -o mgmtgw1 -j DROP
+        ip6tables -A FORWARD -i ipmigw1 -j DROP
+        ip6tables -A FORWARD -o ipmigw1 -j DROP
+
+
       #special tables
        ip6tables -t mangle -F
        ip6tables -t nat -F
        ip6tables -t raw -F

-        ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
-        ip6tables -t raw -A OUTPUT     -o mgmt  -j ACCEPT
-        ip6tables -t raw -A PREROUTING          -j NOTRACK
-        ip6tables -t raw -A OUTPUT              -j NOTRACK
+
+       # this matters only on bastion boxes
+        ip6tables -t raw -A PREROUTING -i mgmtgw1  -j ACCEPT
+        ip6tables -t raw -A OUTPUT     -o mgmtgw1  -j ACCEPT
+        ip6tables -t raw -A PREROUTING -i ipmigw1  -j ACCEPT
+        ip6tables -t raw -A OUTPUT     -o ipmigw1  -j ACCEPT
+       # this matters on all boxes
+        ip6tables -t raw -A PREROUTING -i mgmt1    -j ACCEPT
+        ip6tables -t raw -A OUTPUT     -o mgmt     -j ACCEPT
+        ip6tables -t raw -A PREROUTING             -j NOTRACK
+        ip6tables -t raw -A OUTPUT                 -j NOTRACK


       #some boxes get special addon rules