From d2a7099392bc4cea31332e4c278ffc60483ee5da Mon Sep 17 00:00:00 2001
From: toby
Date: Fri, 29 Mar 2019 22:40:03 +0000
Subject: [PATCH] pulling out all the bastion related rules and moving them to tha bastion ansible... this may break shit...
---
 files/firewall | 38 +++++++-------------------------------
 1 file changed, 7 insertions(+), 31 deletions(-)
diff --git a/files/firewall b/files/firewall
index 21eb184..6c4f95a 100755
--- a/files/firewall
+++ b/files/firewall
@@ -56,30 +56,18 @@ case $1 in
  iptables -P INPUT DROP
- ## some rules for bastion boxes to protect the mgmt networks
- iptables -F FORWARD
- iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
- iptables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"
- iptables -A FORWARD -o ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
- iptables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
- iptables -A FORWARD -i ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
-
- ## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
  #iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
  #special tables
+ iptables -F FORWARD
+ iptables -F OUTPUT
  iptables -t mangle -F
  iptables -t nat -F
  iptables -t raw -F
- # this matters only on bastion boxes
- iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
  # this matters on all boxes
  iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
  iptables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
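Review bot: After the new `iptables -F FORWARD` the chain is left empty and no `-P FORWARD` is visible in this hunk, so on a host whose policy is still the kernel default ACCEPT with forwarding enabled every packet is routed, and the removed mgmtgw1/ipmigw1 rules were the only FORWARD restriction this file had. A safe default belongs right next to the flush, `iptables -P FORWARD DROP`, so a box that never receives the bastion playbook cannot route into the mgmt/IPMI networks. This script also flushes FORWARD and the raw table unconditionally, so if it runs after the bastion role (reboot, re-apply) it silently discards whatever that role installed; that ordering needs to be guaranteed or at least stated in a comment such as `# NOTE: bastion FORWARD/raw rules live in the bastion ansible role and must be applied AFTER this script`. The new `-F OUTPUT` likewise empties a chain whose policy is not set here; if ACCEPT is the intent, `iptables -P OUTPUT ACCEPT` makes that explicit. The enclosing `case` arm starts before the hunk, and the IPv4 NOTRACK rules this raw-table section presumably feeds into lie after it.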
@@ -139,31 +127,19 @@ case $1 in
  ip6tables -P INPUT DROP
- ## some rules for bastion boxes to protect the mgmt networks
- ip6tables -F FORWARD
- ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
- ip6tables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"
- ip6tables -A FORWARD -o ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
- ip6tables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
- ip6tables -A FORWARD -i ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
-
- #special tables
+ ip6tables -F FORWARD
+ ip6tables -F OUTPUT
  ip6tables -t mangle -F
  ip6tables -t nat -F
  ip6tables -t raw -F
- # this matters only on bastion boxes
- ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
- # this matters on all boxes
+ # manage conntrack
  ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
  ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
- ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
- ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
+ ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track default vrf"
+ ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track default vrf"
  #some boxes get special addon rules
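Review bot: With the raw-table ACCEPTs for mgmtgw1/ipmigw1 gone, every packet on those interfaces now reaches the blanket `ip6tables -t raw -A PREROUTING -j NOTRACK` appended at the end of this hunk, and the bastion role cannot undo that by appending its own raw rules later, because `-A` places them after the NOTRACK rule and the packet is already marked untracked by then. Any `--state ESTABLISHED,RELATED` match the bastion role installs for those interfaces (as the removed FORWARD rules did) would then never see a tracked connection, and its ESTABLISHED/RELATED accept silently turns into a drop. Either the bastion role must insert its raw rules with `-I` ahead of the NOTRACK, or the blanket NOTRACK should move out of this shared script; at minimum the comment on the two NOTRACK lines should warn `# appended last: any interface that needs conntrack must be ACCEPTed in raw ABOVE this line`. The surviving "DO track" pair also matches `-i mgmt1` on PREROUTING but `-o mgmt` on OUTPUT — presumably one interface name is a typo, worth confirming while this section is being reworked. The hunk sits inside a `case` arm whose start and end are outside the hunk.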