Merge "Add iptables rule blocks to drop traffic from specific IPs"

playbooks/roles/iptables/README.rst

@@ -21,6 +21,16 @@ Install and configure iptables
 
       The port number.
 
+.. zuul:rolevar:: iptables_disallowed_hosts_v4
+   :default: []
+
+   A list of IPv4 addresses from which all traffic should be dropped.
+
+.. zuul:rolevar:: iptables_disallowed_hosts_v6
+   :default: []
+
+   A list of IPv6 addresses from which all traffic should be dropped.
+
 .. zuul:rolevar:: iptables_allowed_groups
    :default: []
 

playbooks/roles/iptables/defaults/main.yaml

@@ -1,4 +1,6 @@
 iptables_allowed_hosts: []
+iptables_disallowed_hosts_v4: []
+iptables_disallowed_hosts_v6: []
 iptables_egress_rules: []
 iptables_egress_rules_v4: '{{ iptables_egress_rules }}'
 iptables_egress_rules_v6: '{{ iptables_egress_rules }}'

playbooks/roles/iptables/templates/rules.v4.j2

@@ -11,6 +11,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Lists of hosts we want to block
+{% for host in iptables_disallowed_hosts_v4 -%}
+-A openstack-INPUT -s {{ host }} -j DROP
+{% endfor -%}
 # Public TCP ports
 {% for port in iptables_public_tcp_ports -%}
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT

playbooks/roles/iptables/templates/rules.v6.j2

@@ -10,6 +10,10 @@
 -A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # SSH from anywhere
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Lists of hosts we want to block
+{% for host in iptables_disallowed_hosts_v6 -%}
+-A openstack-INPUT -s {{ host }} -j DROP
+{% endfor -%}
 # Public TCP ports
 {% for port in iptables_public_tcp_ports -%}
 -A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT

playbooks/zuul/templates/group_vars/all.yaml.j2

@@ -9,6 +9,13 @@ bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
 force_docker_io_ipv4: true
+# Block IP ranges used only for documentation purposes to ensure that
+# our block rules apply cleanly and don't break the rest of our
+# iptables ruleset.
+iptables_disallowed_hosts_v4:
+  - 203.0.113.0/24
+iptables_disallowed_hosts_v6:
+  - 3fff::/20
 iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
 iptables_egress_rules:
   - -o lo -j ACCEPT

zuul.d/infra-prod.yaml

@@ -92,6 +92,7 @@
       - inventory/service/host_vars/
       - inventory/service/group_vars/
       - playbooks/base.yaml
+      - playbooks/roles/iptables/
       - playbooks/roles/base/
 
 - job: