Simplify iptables deployment

Restrict outgoing traffic to the internet only and remove now unused rules for internal, vlan based communication between nodes.
droidwiki · Aug 25, 2019 · 41bd780 · 41bd780
1 parent b88a61e
commit 41bd780
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 97 deletions.
diff --git a/hieradata/nodes/donut.dwnet.yaml b/hieradata/nodes/donut.dwnet.yaml
@@ -5,6 +5,19 @@ admin::groups:
 droidwiki::default::isnfsserver: true
 redis::bind: '172.16.0.1'
 
+docker::worker_token: >
+    ENC[PKCS7,MIIBygYJKoZIhvcNAQcDoIIBuzCCAbcCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAK+71u6EZKjcVzV8CxR9fCN9n5HgTAAKI9MOU
+    n+Av+fHzPx5prO6CtWPYApcH1CtKEQKzDpBqNx8Ro7+jGpL2mDsF4evkCZ6t
+    aGHQyICjakR+tABoruXpnfMPcmC2r+Lm67blmPQ91uF4Cqe5aHA+pt8lgWim
+    2QPCDy2aoUNmlFi4qkKNfrlRW+lzz0YJ4vHhBNLJtQJ2JVXsLpCbnHzDV/g2
+    RdXdXPfHYECZyhsi9s5GvqYMUpuKzrAhCX6JmTkuxpwWoj/UZs4ZDpfyh5DL
+    vpTjwH7r3jRE/dthhES4JDbU5PTaDzX21GmT11VZZv9X+p9a6uW0/1+gwUyg
+    tSurwzCBjAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQKZIZuF7GgR19zgIN
+    KvKkI4Bga0vVlaSTSSAkvBf792tJaqBCYhoRggdsmmnnEmK31MVc4H0wV4VV
+    RbPRWGt94gLnFCj5Bpet3qWwijroQDlgYmrczLQJX3XN2AIojL8vtUq8Ke2Z
+    clclIPQ+ZzPKAo/p]
+
 nginx::tls::fullchain: /etc/letsencrypt/live/droidwiki.org/fullchain.pem
 nginx::tls::privkey: /etc/letsencrypt/live/droidwiki.org/privkey.pem
 nginx::nginx_upstreams:

diff --git a/manifests/site.pp b/manifests/site.pp
@@ -19,7 +19,6 @@
     manager => true,
   }
   include role::concourse
-  include role::elasticsearch
 
   include role::puppetboard
 

diff --git a/modules/fw/manifests/post.pp b/modules/fw/manifests/post.pp
@@ -72,19 +72,6 @@
     provider => 'ip6tables',
   }
 
-  firewall { '997 drop all input':
-    proto  => 'all',
-    action => 'drop',
-    before => undef,
-  }
-
-  firewall { '997 drop all input IPv6':
-    proto    => 'all',
-    action   => 'drop',
-    before   => undef,
-    provider => 'ip6tables',
-  }
-
   firewall { '998 drop all forward':
     proto  => 'all',
     chain  => 'FORWARD',
@@ -101,14 +88,16 @@
   }
 
   firewall { '999 drop all output':
-    proto  => 'all',
-    chain  => 'OUTPUT',
-    action => 'drop',
-    before => undef,
+    proto    => 'all',
+    outiface => 'eth0',
+    chain    => 'OUTPUT',
+    action   => 'drop',
+    before   => undef,
   }
 
   firewall { '999 drop all output IPv6':
     proto    => 'all',
+    outiface => 'eth0',
     chain    => 'OUTPUT',
     action   => 'drop',
     before   => undef,

diff --git a/modules/fw/manifests/pre.pp b/modules/fw/manifests/pre.pp
@@ -104,21 +104,6 @@
     provider => 'ip6tables',
   }
 
-  firewall { '103 allow outgoing ssh traffic':
-    sport  => '22',
-    proto  => 'tcp',
-    chain  => 'OUTPUT',
-    action => 'accept',
-  }
-
-  firewall { '103 allow outgoing ssh traffic IPv6':
-    sport    => '22',
-    proto    => 'tcp',
-    chain    => 'OUTPUT',
-    action   => 'accept',
-    provider => 'ip6tables',
-  }
-
   firewall { '105 allow outgoing dns requests':
     dport  => '53',
     proto  => 'udp',
@@ -153,36 +138,6 @@
     provider => 'ip6tables',
   }
 
-  firewall { '107 allow outgoing ftp traffic':
-    dport  => '20',
-    proto  => 'tcp',
-    chain  => 'OUTPUT',
-    action => 'accept',
-  }
-
-  firewall { '107 allow outgoing ftp traffic IPv6':
-    dport    => '20',
-    proto    => 'tcp',
-    chain    => 'OUTPUT',
-    action   => 'accept',
-    provider => 'ip6tables',
-  }
-
-  firewall { '108 allow outgoing ftp traffic':
-    dport  => '21',
-    proto  => 'tcp',
-    chain  => 'OUTPUT',
-    action => 'accept',
-  }
-
-  firewall { '108 allow outgoing ftp traffic IPv6':
-    dport    => '21',
-    proto    => 'tcp',
-    chain    => 'OUTPUT',
-    action   => 'accept',
-    provider => 'ip6tables',
-  }
-
   firewall { '109 allow outgoing ntp traffic':
     dport  => '123',
     proto  => 'udp',
@@ -198,30 +153,6 @@
     provider => 'ip6tables',
   }
 
-  firewall { '110 allow outgoing localhost traffic':
-    source => '127.0.0.1',
-    action => 'accept',
-  }
-
-  firewall { '110 allow outgoing localhost traffic IPv6':
-    source   => '::1',
-    action   => 'accept',
-    provider => 'ip6tables',
-  }
-
-  firewall { '111 allow incoming localhost traffic':
-    destination => '127.0.0.1',
-    chain       => 'OUTPUT',
-    action      => 'accept',
-  }
-
-  firewall { '111 allow incoming localhost traffic IPv6':
-    destination => '::1',
-    chain       => 'OUTPUT',
-    action      => 'accept',
-    provider    => 'ip6tables',
-  }
-
   firewall { '112 allow outgoing traffic for HKP keyserver proto':
     chain  => 'OUTPUT',
     proto  => 'tcp',

diff --git a/modules/role/manifests/elasticsearch.pp b/modules/role/manifests/elasticsearch.pp