Hi,
So, this seems to have never been picked up, and I'm guessing the blocking didn't work before or it wasn't tested before (Either way, it's my fault, for which I'm sorry).
Can I get +1s to add the production version of the osbs-master iptables rules?
The actual changes are just a duplicate of the file to prod and updating the IP addresses in there.
commit bb4b4696f99da9b202e454874ee492ceed54a3d9
Author: Patrick Uiterwijk <puiterwijk@redhat.com>
Date:   Wed Aug 17 17:43:54 2016 +0000

    Create production docker iptables script

    Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
diff --git a/roles/osbs-master/files/fix-docker-iptables b/roles/osbs-master/files/fix-docker-iptables deleted file mode 100644 index c204f74..0000000 --- a/roles/osbs-master/files/fix-docker-iptables +++ /dev/null 
@@ -1,54 +0,0 @@ -#!/bin/bash -xe -# Note: this is done as a script because it needs to be run after -# every docker service restart. -# And just doing an iptables-restore is going to mess up kubernetes' -# NAT table. - -# Delete all old rules -iptables --flush FORWARD - -# Re-insert some basic rules -iptables -A FORWARD -o docker0 -j DOCKER -iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT - -# Now insert access to allowed boxes -# docker-registry -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT - -#koji.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT - -# pkgs.stg -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT - -# DNS -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT - -# mirrors.fp.o -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT - -# dl.phx2 -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 
--dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT -iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT - - -# Docker is CRAZY and forces Google DNS upon us..... -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT -iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT - -iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited - diff --git a/roles/osbs-master/files/fix-docker-iptables.production b/roles/osbs-master/files/fix-docker-iptables.production new file mode 100644 index 0000000..fc84186 --- /dev/null +++ b/roles/osbs-master/files/fix-docker-iptables.production 
@@ -0,0 +1,54 @@ +#!/bin/bash -xe +# Note: this is done as a script because it needs to be run after +# every docker service restart. +# And just doing an iptables-restore is going to mess up kubernetes' +# NAT table. + +# Delete all old rules +iptables --flush FORWARD + +# Re-insert some basic rules +iptables -A FORWARD -o docker0 -j DOCKER +iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT + +# Now insert access to allowed boxes +# docker-registry +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT + +#koji.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT + +# pkgs +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT + +# DNS +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT + +# mirrors.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT + +# dl.phx2 +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 
-j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT + + +# Docker is CRAZY and forces Google DNS upon us..... +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT + +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited + diff --git a/roles/osbs-master/files/fix-docker-iptables.staging b/roles/osbs-master/files/fix-docker-iptables.staging new file mode 100644 index 0000000..c204f74 --- /dev/null +++ b/roles/osbs-master/files/fix-docker-iptables.staging 
@@ -0,0 +1,54 @@ +#!/bin/bash -xe +# Note: this is done as a script because it needs to be run after +# every docker service restart. +# And just doing an iptables-restore is going to mess up kubernetes' +# NAT table. + +# Delete all old rules +iptables --flush FORWARD + +# Re-insert some basic rules +iptables -A FORWARD -o docker0 -j DOCKER +iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT + +# Now insert access to allowed boxes +# docker-registry +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT + +#koji.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT + +# pkgs.stg +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT + +# DNS +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT + +# mirrors.fp.o +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT + +# dl.phx2 +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 
--dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT +iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT + + +# Docker is CRAZY and forces Google DNS upon us..... +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT +iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT + +iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited + diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml index bb622d9..d0b0c25 100644 --- a/roles/osbs-master/tasks/main.yml +++ b/roles/osbs-master/tasks/main.yml @@ -126,7 +126,7 @@ when: osbs_export_dir is defined
- name: copy docker iptables script - copy: src=fix-docker-iptables dest=/usr/local/bin/fix-docker-iptables mode=0755 + copy: src="fix-docker-iptables.{{ env }}" dest=/usr/local/bin/fix-docker-iptables mode=0755
- name: copy docker service config copy: src=docker.service dest=/etc/systemd/system/docker.service
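Review bot: fix-docker-iptables.production (and the identical .staging copy) fails open on a partial run. The script is `#!/bin/bash -xe`, so it exits on the first iptables command that errors, but `iptables --flush FORWARD` runs first and the catch-all `iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited` is appended last; an error anywhere in between leaves FORWARD holding only the allow rules added so far and no terminal reject, so unless the chain's default policy is already DROP the containers get unrestricted forwarding until the script next runs after a docker restart. Setting the policy before the flush, e.g. `iptables -P FORWARD DROP` as the first command, makes an aborted run fail closed instead.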
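Review bot: the production file changes only the docker-registry, koji.fp.o and pkgs addresses (10.5.125.56, 10.5.125.61, 10.5.125.44); the DNS (10.5.126.21/22), mirrors.fp.o (10.5.126.51/52) and dl.phx2 (10.5.126.93 to .97) rules are byte for byte the same as in fix-docker-iptables.staging. If those services are shared by both environments that is correct, but the commit message only says "Create production docker iptables script" and the cover note says the IP addresses were updated, so a line in the commit message stating that the remaining hosts are shared would stop a later reader from assuming the production hosts were missed.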
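Review bot: the two `-d 8.8.8.8` / `-d 8.8.4.4 --dport 53` rules open an egress path from every build container to an external resolver, which is exactly the exfiltration and tunnelling channel an allowlist like this is meant to close. The internal resolvers 10.5.126.21 and 10.5.126.22 are already allowed a few lines above; pointing the docker daemon at them with its `--dns` option, so container resolv.conf files never fall back to Google DNS, would let both 8.8.x rules be removed rather than carried into production.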
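Review bot: every allow rule matches `-i docker0`, but the final `iptables -A FORWARD -j REJECT` carries no interface match, so the script also rejects forwarded traffic arriving on any other interface of the master, and `iptables --flush FORWARD` discards whatever rules the docker daemon or the cluster networking had put into that chain (the header comment already notes the interaction with the kubernetes NAT table). That is harmless if docker0 is the only thing this host forwards for, but since the cover note says the staging version was never confirmed to block anything, checking `iptables -L FORWARD -v -n` on the staging master after a docker restart would be a cheap sanity test before enabling this in production.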
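Review bot: `copy: src="fix-docker-iptables.{{ env }}"` in roles/osbs-master/tasks/main.yml makes the role hard-fail on any host where `env` is undefined or is anything other than `production` or `staging`, because the copy module will look for a file that does not exist. If `env` is guaranteed for every osbs-master host that is fine; otherwise guard it with a default or a `with_first_found` lookup. Separately, fix-docker-iptables.staging has the same blob id (c204f74) as the deleted fix-docker-iptables, so this half of the change is a pure rename and `git mv` (or `git diff -M`) would show it as such and shrink the patch to the production file and the one-line task change.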
+1 from me. If it doesn't work, it won't break anything else, it would seem.
On 17 August 2016 at 13:48, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Hi,
So, this seems to have never been picked up, and I'm guessing the blocking didn't work before or it wasn't tested before (Either way, it's my fault, for which I'm sorry).
Can I get +1s to add the production version of the osbs-master iptables rules?
The actual changes are just a duplicate of the file to prod and updating the IP addresses in there.
infrastructure mailing list infrastructure@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/infrastructure@lists.fedoraproje...
On Wed, Aug 17, 2016 at 12:48 PM, Patrick Uiterwijk puiterwijk@redhat.com wrote:
Hi,
So, this seems to have never been picked up, and I'm guessing the blocking didn't work before or it wasn't tested before (Either way, it's my fault, for which I'm sorry).
Can I get +1s to add the production version of the osbs-master iptables rules?
+1 from me.
-AdamM