opendev/system-config
Code Issues Proposed changes

Merge "Add iptables rule blocks to drop traffic from specific IPs"

Browse Source
This commit is contained in:
Zuul
2025-07-23 22:14:54 +00:00
committed by Gerrit Code Review
parent 790fa8bfc2 19bcec8cb5
commit c7f565e31c
6 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
playbooks/roles/iptables/README.rst
View File

@@ -21,6 +21,16 @@ Install and configure iptables
The port number. The port number.
.. zuul:rolevar:: iptables_disallowed_hosts_v4
:default: []
A list of IPv4 addresses from which all traffic should be dropped.
.. zuul:rolevar:: iptables_disallowed_hosts_v6
:default: []
A list of IPv6 addresses from which all traffic should be dropped.
.. zuul:rolevar:: iptables_allowed_groups .. zuul:rolevar:: iptables_allowed_groups
:default: [] :default: []

2
playbooks/roles/iptables/defaults/main.yaml
View File

@@ -1,4 +1,6 @@
iptables_allowed_hosts: [] iptables_allowed_hosts: []
iptables_disallowed_hosts_v4: []
iptables_disallowed_hosts_v6: []
iptables_egress_rules: [] iptables_egress_rules: []
iptables_egress_rules_v4: '{{ iptables_egress_rules }}' iptables_egress_rules_v4: '{{ iptables_egress_rules }}'
iptables_egress_rules_v6: '{{ iptables_egress_rules }}' iptables_egress_rules_v6: '{{ iptables_egress_rules }}'

4
playbooks/roles/iptables/templates/rules.v4.j2
View File

@@ -11,6 +11,10 @@
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere # SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Lists of hosts we want to block
{% for host in iptables_disallowed_hosts_v4 -%}
-A openstack-INPUT -s {{ host }} -j DROP
{% endfor -%}
# Public TCP ports # Public TCP ports
{% for port in iptables_public_tcp_ports -%} {% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT

4
playbooks/roles/iptables/templates/rules.v6.j2
View File

@@ -10,6 +10,10 @@
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere # SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Lists of hosts we want to block
{% for host in iptables_disallowed_hosts_v6 -%}
-A openstack-INPUT -s {{ host }} -j DROP
{% endfor -%}
# Public TCP ports # Public TCP ports
{% for port in iptables_public_tcp_ports -%} {% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT

7
playbooks/zuul/templates/group_vars/all.yaml.j2
View File

@@ -9,6 +9,13 @@ bastion_ipv6: {{ bastion_ipv6 }}
{% endif %} {% endif %}
bastion_public_key: {{ bastion_public_key }} bastion_public_key: {{ bastion_public_key }}
force_docker_io_ipv4: true force_docker_io_ipv4: true
# Block IP ranges used only for documentation purposes to ensure that
# our block rules apply cleanly and don't break the rest of our
# iptables ruleset.
iptables_disallowed_hosts_v4:
- 203.0.113.0/24
iptables_disallowed_hosts_v6:
- 3fff::/20
iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }} iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
iptables_egress_rules: iptables_egress_rules:
- -o lo -j ACCEPT - -o lo -j ACCEPT

1
zuul.d/infra-prod.yaml
View File

@@ -92,6 +92,7 @@
- inventory/service/host_vars/ - inventory/service/host_vars/
- inventory/service/group_vars/ - inventory/service/group_vars/
- playbooks/base.yaml - playbooks/base.yaml
- playbooks/roles/iptables/
- playbooks/roles/base/ - playbooks/roles/base/
- job: - job: