Sometimes we want to drop all traffic from certain IP addresses. Add a block inside our iptables rules before the ACCEPT rules which will DROP traffic from matching IPs. I did not use the existing generic add a rule block because that comes after the accepts for specific public ports. We may wish to block traffic going to a valid port which needs to happen earlier in the ruleset. Note that the test all group_vars file is updated to block ipv4 and ipv6 documentation ranges so that we can see this doesn't break the rest of our iptables rulesets when applied. Finally we edit the infra-prod-base job to trigger when playbooks/roles/iptables is edited. The base.yaml playbook runs this role in addition to the roles in playbooks/roles/base/ so we should trigger the job when iptables updates. Otherwise we will end up waiting for daily runs to update iptables rules. Change-Id: I8fea56b8f55e86841701212fd8a23b544b160ea3
Install and configure iptables
Role Variables
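The ordering point the commit message makes (a DROP block for matching sources placed before the per-port ACCEPT rules), shown as an added example that is not the role's own template or code. The variable names, the sample blocked addresses (the IPv4 and IPv6 documentation ranges) and the public port list are constructed here; the output is iptables-restore format for one address family at a time.

```shell
#!/bin/sh
# Constructed example: render an iptables-restore ruleset in which the DROP
# block for listed source addresses comes before the per-port ACCEPT rules.
# BLOCKED_SOURCES and PUBLIC_TCP_PORTS are assumed names, not the role's variables.

# Sample blocked sources: IPv4 (RFC 5737) and IPv6 (RFC 3849) documentation ranges.
BLOCKED_SOURCES="192.0.2.0/24 198.51.100.0/24 2001:db8::/32"
PUBLIC_TCP_PORTS="22 80 443"

# Return 0 when the address looks like IPv6 (contains a colon).
is_ipv6() {
  case "$1" in
    *:*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Emit a ruleset for one address family ("4" or "6").
render_rules() {
  family="$1"
  printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  # DROP block first: a blocked host must not be able to reach a valid public port,
  # which is why this cannot live in the generic "add a rule" block after the ACCEPTs.
  for src in $BLOCKED_SOURCES; do
    if [ "$family" = 6 ] && is_ipv6 "$src"; then
      printf '%s\n' "-A INPUT -s $src -j DROP"
    elif [ "$family" = 4 ] && ! is_ipv6 "$src"; then
      printf '%s\n' "-A INPUT -s $src -j DROP"
    fi
  done
  for port in $PUBLIC_TCP_PORTS; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Sanity check: the first source DROP rule must precede the first per-port ACCEPT.
drop_precedes_accept() {
  render_rules "$1" | awk '
    /-j DROP/ && !d { d = NR }
    /--dport/ && !a { a = NR }
    END { exit !(d && a && d < a) }'
}
```

Running `render_rules 4` and `render_rules 6` prints the two family-specific rulesets; `drop_precedes_accept 4` is the kind of check that catches a DROP block accidentally templated after the ACCEPTs.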