iptables rules for servo-master host

[edunham]

This opens all of the ports currently available on servo-master, which is both saltmaster and buildmaster.

22 (&TCP6): SSH. Whitelist to bastion if we get one, otherwise allow from anywhere
80: nginx for Buildbot status page. Allow from anywhere.
4505, 4506: Salt master; allow from minions only
54856: Homu (python3)
9001, 8010: Buildbot
UDP & UDP6
123: NTP

The only other ports currently in use on the master are for dhclient, which is unnecessary since it has a static IP address.

It seems like Salt should have a better way to get minion IPs for line 112, but some searching revealed conflicting advice, so I figured it would be more efficient to just consult the PR's reviewer. I got the list from https://github.com/servo/servo/wiki/Buildbot-administration .

I checked the iptables state source and it looks like rules are only saved if they do not match an existing rule, so they won't get rewritten on each run.

[metajack]

We'll need to set up static IPs for the EC2 slaves I guess and we'll have to use those IPs here.

---

Reviewed 1 of 1 files at r1.
Review status: all files reviewed at latest revision, 1 unresolved discussion, some commit checks broke.

---

^{buildbot-master.sls, line 112 [r1] (raw file):}
This is not going to work. The EC2 slaves do not have static IPs currently.

---

Comments from the review on Reviewable.io

[edunham]

@metajack Compared to leaving the ports open to the world or opening the ports to anyone in our EC2 region, setting up elastic IPs does look like the best option.

[bors-servo]

☔ The latest upstream changes (presumably #96) made this pull request unmergeable. Please resolve the merge conflicts.

[claudijd]

Just an FYI here, but having '0.0.0.0' in the list I would suspect has an ANY effect, which makes the other IPs redundant.