199 lines
8.9 KiB
YAML
199 lines
8.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
TripleO Firewall settings
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
ExtraFirewallRules:
|
|
default: {}
|
|
description: Mapping of firewall rules.
|
|
type: json
|
|
|
|
conditions:
|
|
no_ctlplane:
|
|
equals:
|
|
- get_params: [ServiceData, net_cidr_map, ctlplane]
|
|
- Null
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the TripleO firewall settings
|
|
value:
|
|
service_name: tripleo_firewall
|
|
config_settings:
|
|
tripleo::firewall::manage_firewall: false
|
|
tripleo::firewall::purge_firewall_rules: false
|
|
firewall_rules:
|
|
map_merge:
|
|
- map_merge:
|
|
repeat:
|
|
for_each:
|
|
<%net_cidr%>: {get_param: [ServiceData, net_cidr_map, ctlplane]}
|
|
template:
|
|
'003 accept ssh from ctlplane subnet <%net_cidr%>':
|
|
source: <%net_cidr%>
|
|
proto: 'tcp'
|
|
dport: 22
|
|
- {get_param: ExtraFirewallRules}
|
|
host_prep_tasks:
|
|
list_concat:
|
|
- - name: Prevent Nftables to set up any rules
|
|
copy:
|
|
dest: /etc/sysconfig/nftables.conf
|
|
content: |
|
|
# This file has been explicitely emptied and disabled by TripleO
|
|
# so that nftables and iptables do not race each other
|
|
register: nftablesconf
|
|
- when: nftablesconf is changed
|
|
block:
|
|
- name: Flush Nftables rules when nftables.conf changed
|
|
shell: if [[ -x /usr/sbin/nft ]]; then /usr/sbin/nft flush ruleset; fi
|
|
- name: Restart iptables to restore firewall after flushing nftables
|
|
systemd:
|
|
state: reloaded
|
|
name: "{{item}}"
|
|
loop:
|
|
- iptables.service
|
|
- ip6tables.service
|
|
- if:
|
|
- no_ctlplane
|
|
- -
|
|
name: Ensure ctlplane subnet is set
|
|
fail:
|
|
msg: |
|
|
No CIDRs found in the ctlplane network tags.
|
|
Please refer to the documentation in order to
|
|
set the correct network tags in DeployedServerPortMap.
|
|
- -
|
|
name: Notice - ctlplane subnet is set
|
|
debug:
|
|
msg: |
|
|
CIDRs found in the ctlplane network tags.
|
|
deploy_steps_tasks:
|
|
- when:
|
|
- (step|int) == 0
|
|
block:
|
|
- name: create iptables service
|
|
copy:
|
|
dest: /etc/systemd/system/tripleo-iptables.service
|
|
content: |
|
|
[Unit]
|
|
Description=Initialize iptables
|
|
Before=iptables.service
|
|
AssertPathExists=/etc/sysconfig/iptables
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/sbin/iptables -t raw -nL
|
|
Environment=BOOTUP=serial
|
|
Environment=CONSOLETYPE=serial
|
|
StandardOutput=syslog
|
|
StandardError=syslog
|
|
[Install]
|
|
WantedBy=basic.target
|
|
- name: create ip6tables service
|
|
copy:
|
|
dest: /etc/systemd/system/tripleo-ip6tables.service
|
|
content: |
|
|
[Unit]
|
|
Description=Initialize ip6tables
|
|
Before=ip6tables.service
|
|
AssertPathExists=/etc/sysconfig/ip6tables
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/usr/sbin/ip6tables -t raw -nL
|
|
Environment=BOOTUP=serial
|
|
Environment=CONSOLETYPE=serial
|
|
StandardOutput=syslog
|
|
StandardError=syslog
|
|
[Install]
|
|
WantedBy=basic.target
|
|
- name: enable tripleo-iptables service (and do a daemon-reload systemd)
|
|
systemd:
|
|
daemon_reload: yes
|
|
enabled: yes
|
|
name: tripleo-iptables.service
|
|
- name: enable tripleo-ip6tables service
|
|
systemd:
|
|
enabled: yes
|
|
name: tripleo-ip6tables.service
|
|
upgrade_tasks:
|
|
- when:
|
|
- (step | int) == 3
|
|
block:
|
|
- name: blank ipv6 rule before activating ipv6 firewall.
|
|
shell: cat /etc/sysconfig/ip6tables > /etc/sysconfig/ip6tables.n-o-upgrade; cat</dev/null>/etc/sysconfig/ip6tables
|
|
args:
|
|
creates: /etc/sysconfig/ip6tables.n-o-upgrade
|
|
- name: cleanup unmanaged rules pushed by iptables-services
|
|
shell: |
|
|
iptables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -C INPUT -p icmp -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -p icmp -j ACCEPT
|
|
iptables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -i lo -j ACCEPT
|
|
iptables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
iptables -C INPUT -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
iptables -C FORWARD -j REJECT --reject-with icmp-host-prohibited &>/dev/null && \
|
|
iptables -D FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
|
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -p icmp -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp-host-prohibited$/d' /etc/sysconfig/iptables
|
|
|
|
ip6tables -C INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
|
|
ip6tables -C INPUT -p ipv6-icmp -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -p ipv6-icmp -j ACCEPT
|
|
ip6tables -C INPUT -i lo -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -i lo -j ACCEPT
|
|
ip6tables -C INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
|
|
ip6tables -C INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT &>/dev/null && \
|
|
ip6tables -D INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
|
|
ip6tables -C INPUT -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
ip6tables -D INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
|
ip6tables -C FORWARD -j REJECT --reject-with icmp6-adm-prohibited &>/dev/null && \
|
|
ip6tables -D FORWARD -j REJECT --reject-with icmp6-adm-prohibited
|
|
|
|
sed -i '/^-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -p ipv6-icmp -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -i lo -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -d fe80::\/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A INPUT -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|
|
sed -i '/^-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited$/d' /etc/sysconfig/ip6tables
|