
Simplify iptables deployment

Restrict outgoing traffic to the internet only and remove now unused rules for internal,
vlan based communication between nodes.
FlorianSW committed Aug 25, 2019
1 parent b88a61e commit 41bd7803aa0d5c14d97d19ad2c13b19122dcd86a
@@ -5,6 +5,19 @@ admin::groups:
droidwiki::default::isnfsserver: true
redis::bind: '172.16.0.1'

docker::worker_token: >
ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw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]

nginx::tls::fullchain: /etc/letsencrypt/live/droidwiki.org/fullchain.pem
nginx::tls::privkey: /etc/letsencrypt/live/droidwiki.org/privkey.pem
nginx::nginx_upstreams:
@@ -19,7 +19,6 @@
manager => true,
}
include role::concourse
include role::elasticsearch

include role::puppetboard

@@ -72,19 +72,6 @@
provider => 'ip6tables',
}

firewall { '997 drop all input':
proto => 'all',
action => 'drop',
before => undef,
}

firewall { '997 drop all input IPv6':
proto => 'all',
action => 'drop',
before => undef,
provider => 'ip6tables',
}

firewall { '998 drop all forward':
proto => 'all',
chain => 'FORWARD',
@@ -101,14 +88,16 @@
}

firewall { '999 drop all output':
proto => 'all',
chain => 'OUTPUT',
action => 'drop',
before => undef,
proto => 'all',
outiface => 'eth0',
chain => 'OUTPUT',
action => 'drop',
before => undef,
}

firewall { '999 drop all output IPv6':
proto => 'all',
outiface => 'eth0',
chain => 'OUTPUT',
action => 'drop',
before => undef,
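Review bot: The hunk at @@ -72,19 +72,6 @@ appears to remove both '997 drop all input' resources (the IPv4 one and its ip6tables twin) with no replacement visible in this commit, so unless the INPUT chain policy is set to DROP elsewhere (for instance via a `firewallchain` resource) or an equivalent catch-all survives outside the hunk, INPUT on these hosts would fall through to ACCEPT. The commit description only speaks of outgoing traffic and unused vlan rules, so either confirm where inbound default-deny is now enforced or add a comment at that spot naming it. In the '999 drop all output' hunk the new `outiface => 'eth0'` narrows default-deny egress to that one interface, which implicitly permits OUTPUT on every other interface; a comment such as `# Default-deny egress only on the internet-facing interface; other interfaces are treated as trusted internal links` would record that decision next to the rule. The same consideration applies to the '999 drop all output IPv6' resource, whose body continues outside the hunk.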
@@ -104,21 +104,6 @@
provider => 'ip6tables',
}

firewall { '103 allow outgoing ssh traffic':
sport => '22',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
}

firewall { '103 allow outgoing ssh traffic IPv6':
sport => '22',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
provider => 'ip6tables',
}

firewall { '105 allow outgoing dns requests':
dport => '53',
proto => 'udp',
@@ -153,36 +138,6 @@
provider => 'ip6tables',
}

firewall { '107 allow outgoing ftp traffic':
dport => '20',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
}

firewall { '107 allow outgoing ftp traffic IPv6':
dport => '20',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
provider => 'ip6tables',
}

firewall { '108 allow outgoing ftp traffic':
dport => '21',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
}

firewall { '108 allow outgoing ftp traffic IPv6':
dport => '21',
proto => 'tcp',
chain => 'OUTPUT',
action => 'accept',
provider => 'ip6tables',
}

firewall { '109 allow outgoing ntp traffic':
dport => '123',
proto => 'udp',
@@ -198,30 +153,6 @@
provider => 'ip6tables',
}

firewall { '110 allow outgoing localhost traffic':
source => '127.0.0.1',
action => 'accept',
}

firewall { '110 allow outgoing localhost traffic IPv6':
source => '::1',
action => 'accept',
provider => 'ip6tables',
}

firewall { '111 allow incoming localhost traffic':
destination => '127.0.0.1',
chain => 'OUTPUT',
action => 'accept',
}

firewall { '111 allow incoming localhost traffic IPv6':
destination => '::1',
chain => 'OUTPUT',
action => 'accept',
provider => 'ip6tables',
}

firewall { '112 allow outgoing traffic for HKP keyserver proto':
chain => 'OUTPUT',
proto => 'tcp',
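Review bot: The hunk at @@ -104,21 +104,6 @@ appears to drop the '103 allow outgoing ssh traffic' rules (`sport => '22'`, chain OUTPUT, IPv4 and ip6tables), yet the '999 drop all output' catch-all on eth0 remains, so sshd reply packets leaving via eth0 are only delivered if a stateful `ctstate => ['ESTABLISHED', 'RELATED']` accept rule on OUTPUT exists outside these hunks; none is visible in the commit, so this should be confirmed before merging. The removed localhost rules in the @@ -198,30 +153,6 @@ hunk ('110' with no explicit chain, which falls back to INPUT, and '111' on OUTPUT) are likewise only safe if loopback traffic is accepted by an interface-based rule or the chains no longer default to drop; a short comment near the surviving rules stating which mechanism now covers loopback and established flows would make the intent reviewable. The '112 allow outgoing traffic for HKP keyserver proto' resource continues past the end of the hunk.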

This file was deleted.
