Browse Source

Block outbound SMTP connections from test jobs

Our deployment tests don't need to send E-mail messages. More to the
point, they may perform actions which would like to send E-mail
messages. Make sure, at the network level, they'll be prevented from
doing so. Also allow all connections to egress from the loopback
interface, so that services like mailman can connect to the Exim MTA
on localhost.

Add new rolevars for egress rules to support this, and also fix up
some missing related vars in the iptables role's documentation.

Change-Id: If4acd2d3d543933ed1e00156cc83fe3a270612bd
changes/00/820900/9
Jeremy Stanley 6 months ago
parent
commit
e2dbda1bec
  1. 34
      playbooks/roles/iptables/README.rst
  2. 3
      playbooks/roles/iptables/defaults/main.yaml
  3. 9
      playbooks/roles/iptables/templates/rules.v4.j2
  4. 9
      playbooks/roles/iptables/templates/rules.v6.j2
  5. 3
      playbooks/zuul/templates/group_vars/all.yaml.j2
  6. 2
      testinfra/util.py

34
playbooks/roles/iptables/README.rst

@ -50,14 +50,40 @@ Install and configure iptables
A list of public UDP ports to open.
.. zuul:rolevar:: iptables_rules
:default: []
A list of iptables ingress rules. Each item is a string
containing the iptables command line options for the rule. These
will be expanded to cover IPv4 and IPv6.
.. zuul:rolevar:: iptables_rules_v4
:default: []
A list of iptables v4 rules. Each item is a string containing the
iptables command line options for the rule.
A list of iptables v4 ingress rules. Each item is a string
containing the iptables command line options for the rule.
.. zuul:rolevar:: iptables_rules_v6
:default: []
A list of iptables v6 rules. Each item is a string containing the
iptables command line options for the rule.
A list of iptables v6 ingress rules. Each item is a string
containing the iptables command line options for the rule.
.. zuul:rolevar:: iptables_egress_rules
:default: []
A list of iptables egress rules. Each item is a string
containing the iptables command line options for the rule. These
will be expanded to cover IPv4 and IPv6.
.. zuul:rolevar:: iptables_egress_rules_v4
:default: []
A list of iptables v4 egress rules. Each item is a string
containing the iptables command line options for the rule.
.. zuul:rolevar:: iptables_egress_rules_v6
:default: []
A list of iptables v6 egress rules. Each item is a string
containing the iptables command line options for the rule.

3
playbooks/roles/iptables/defaults/main.yaml

@ -1,4 +1,7 @@
iptables_allowed_hosts: []
iptables_egress_rules: []
iptables_egress_rules_v4: '{{ iptables_egress_rules }}'
iptables_egress_rules_v6: '{{ iptables_egress_rules }}'
iptables_public_ports: []
iptables_public_tcp_ports: '{{ iptables_public_ports }}'
iptables_public_udp_ports: '{{ iptables_public_ports }}'

9
playbooks/roles/iptables/templates/rules.v4.j2

@ -3,6 +3,7 @@
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
:openstack-OUTPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
@ -18,7 +19,7 @@
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
# Per-host ingress rules
{% for rule in iptables_rules_v4 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
@ -35,4 +36,10 @@
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
# Egress filtering
-A OUTPUT -j openstack-OUTPUT
# Per-host egress rules
{% for rule in iptables_egress_rules_v4 -%}
-A openstack-OUTPUT {{ rule }}
{% endfor -%}
COMMIT

9
playbooks/roles/iptables/templates/rules.v6.j2

@ -3,6 +3,7 @@
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
:openstack-OUTPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmpv6 -j ACCEPT
@ -17,7 +18,7 @@
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
# Per-host ingress rules
{% for rule in iptables_rules_v6 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
@ -34,4 +35,10 @@
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
# Egress filtering
-A OUTPUT -j openstack-OUTPUT
# Per-host egress rules
{% for rule in iptables_egress_rules_v6 -%}
-A openstack-OUTPUT {{ rule }}
{% endfor -%}
COMMIT

3
playbooks/zuul/templates/group_vars/all.yaml.j2

@ -9,3 +9,6 @@ bastion_ipv6: {{ bastion_ipv6 }}
{% endif %}
bastion_public_key: {{ bastion_public_key }}
iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
iptables_egress_rules:
- -o lo -j ACCEPT
- -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset

2
testinfra/util.py

@ -89,6 +89,7 @@ def get_ips(value, family=None):
def verify_iptables(host):
rules = host.iptables.rules()
rules = [x.strip() for x in rules]
print('Comparing against rules:\n%s' % rules)
needed_rules = [
'-P INPUT ACCEPT',
@ -100,6 +101,7 @@ def verify_iptables(host):
'-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
'-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
'-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
'-A openstack-OUTPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset',
'-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
]
for rule in needed_rules:

Loading…
Cancel
Save