Block outbound SMTP connections from test jobs

Our deployment tests don't need to send E-mail messages. More to the point, they may perform actions which would like to send E-mail messages. Make sure, at the network level, they'll be prevented from doing so. Also allow all connections to egress from the loopback interface, so that services like mailman can connect to the Exim MTA on localhost. Add new rolevars for egress rules to support this, and also fix up some missing related vars in the iptables role's documentation. Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
2021-12-06 21:02:48 +00:00 · 2021-12-06 21:02:48 +00:00 · e2dbda1bec
commit e2dbda1bec
parent 82edab1d39
6 changed files with 54 additions and 6 deletions
--- a/playbooks/roles/iptables/README.rst
+++ b/playbooks/roles/iptables/README.rst
@ -50,14 +50,40 @@ Install and configure iptables

   A list of public UDP ports to open.

+.. zuul:rolevar:: iptables_rules
+   :default: []
+
+   A list of iptables ingress rules.  Each item is a string
+   containing the iptables command line options for the rule. These
+   will be expanded to cover IPv4 and IPv6.
+
 .. zuul:rolevar:: iptables_rules_v4
   :default: []

-   A list of iptables v4 rules.  Each item is a string containing the
-   iptables command line options for the rule.
+   A list of iptables v4 ingress rules.  Each item is a string
+   containing the iptables command line options for the rule.

 .. zuul:rolevar:: iptables_rules_v6
   :default: []

-   A list of iptables v6 rules.  Each item is a string containing the
-   iptables command line options for the rule.
+   A list of iptables v6 ingress rules.  Each item is a string
+   containing the iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_egress_rules
+   :default: []
+
+   A list of iptables egress rules.  Each item is a string
+   containing the iptables command line options for the rule. These
+   will be expanded to cover IPv4 and IPv6.
+
+.. zuul:rolevar:: iptables_egress_rules_v4
+   :default: []
+
+   A list of iptables v4 egress rules.  Each item is a string
+   containing the iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_egress_rules_v6
+   :default: []
+
+   A list of iptables v6 egress rules.  Each item is a string
+   containing the iptables command line options for the rule.
--- a/playbooks/roles/iptables/defaults/main.yaml
+++ b/playbooks/roles/iptables/defaults/main.yaml
@ -1,4 +1,7 @@
 iptables_allowed_hosts: []
+iptables_egress_rules: []
+iptables_egress_rules_v4: '{{ iptables_egress_rules }}'
+iptables_egress_rules_v6: '{{ iptables_egress_rules }}'
 iptables_public_ports: []
 iptables_public_tcp_ports: '{{ iptables_public_ports }}'
 iptables_public_udp_ports: '{{ iptables_public_ports }}'
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@ -3,6 +3,7 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
+:openstack-OUTPUT - [0:0]
 -A INPUT -j openstack-INPUT
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
@ -18,7 +19,7 @@
 {% for port in iptables_public_udp_ports -%}
 -A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
 {% endfor -%}
-# Per-host rules
+# Per-host ingress rules
 {% for rule in iptables_rules_v4 -%}
 -A openstack-INPUT {{ rule }}
 {% endfor -%}
@ -35,4 +36,10 @@
 {% endfor -%}
 {% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
+# Egress filtering
+-A OUTPUT -j openstack-OUTPUT
+# Per-host egress rules
+{% for rule in iptables_egress_rules_v4 -%}
+-A openstack-OUTPUT {{ rule }}
+{% endfor -%}
 COMMIT
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@ -3,6 +3,7 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
+:openstack-OUTPUT - [0:0]
 -A INPUT -j openstack-INPUT
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p icmpv6 -j ACCEPT
@ -17,7 +18,7 @@
 {% for port in iptables_public_udp_ports -%}
 -A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
 {% endfor -%}
-# Per-host rules
+# Per-host ingress rules
 {% for rule in iptables_rules_v6 -%}
 -A openstack-INPUT {{ rule }}
 {% endfor -%}
@ -34,4 +35,10 @@
 {% endfor -%}
 {% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+# Egress filtering
+-A OUTPUT -j openstack-OUTPUT
+# Per-host egress rules
+{% for rule in iptables_egress_rules_v6 -%}
+-A openstack-OUTPUT {{ rule }}
+{% endfor -%}
 COMMIT
--- a/playbooks/zuul/templates/group_vars/all.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@ -9,3 +9,6 @@ bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
 iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
+iptables_egress_rules:
+  - -o lo -j ACCEPT
+  - -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
--- a/testinfra/util.py
+++ b/testinfra/util.py
@ -89,6 +89,7 @@ def get_ips(value, family=None):
 def verify_iptables(host):
    rules = host.iptables.rules()
    rules = [x.strip() for x in rules]
+    print('Comparing against rules:\n%s' % rules)

    needed_rules = [
        '-P INPUT ACCEPT',
@ -100,6 +101,7 @@ def verify_iptables(host):
        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+        '-A openstack-OUTPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset',
        '-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
    ]
    for rule in needed_rules: