[SUCS Devel] [Git][sucs/sucs][master] 2 commits: Add ansible playbook to give people full root access across sucs
Imran Hussain
imranh at sucs.org
Sat Feb 11 14:51:17 GMT 2017
Imran Hussain pushed to branch master at sucs / SUCS
Commits:
6153b513 by Imran Hussain at 2017-02-11T12:24:18+00:00
Add ansible playbook to give people full root access across sucs
- - - - -
bb2bb27b by Imran Hussain at 2017-02-11T14:53:10+00:00
Add ansible role to deploy the sucs firewall to gw
- - - - -
8 changed files:
- + ansible/ansible.cfg
- + ansible/full-root.yml
- ansible/inventory/hosts
- + ansible/roles/sucs-firewall/handlers/main.yml
- + ansible/roles/sucs-firewall/tasks/main.yml
- + ansible/roles/sucs-firewall/templates/firewall-rules
- + ansible/ssh_keys/imranh
- + ansible/sucs-firewall.yml
Changes:
=====================================
ansible/ansible.cfg
=====================================
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+inventory = ./inventory/hosts
\ No newline at end of file
=====================================
ansible/full-root.yml
=====================================
--- /dev/null
+++ b/ansible/full-root.yml
@@ -0,0 +1,19 @@
+# want to give someone full root access across sucs?
+# well then you've come to the right place!
+
+# if you want to revoke someones root access then add a '#' infront of the key
+# IN THE KEY FILE, untill I work out something better that can maybe use exclusive
+
+#Hopefully one day we'll be able to uncomment this...
+#- hosts: all
+- hosts: gw
+ tasks:
+ - name: deploy ssh keys for root access!
+ authorized_key:
+ user: root
+ state: present
+ key: "{{ item }}"
+ with_file:
+ - ssh_keys/imranh
+ #- ssh_keys/alice
+ #- ssh_keys/bob
\ No newline at end of file
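Review bot: Commenting a key out of the `with_file` list does not revoke anything, because the task only ever runs with `state: present` and never removes a key that is already in root's authorized_keys; the header comment at the top of this hunk already admits as much. The `exclusive` option of `authorized_key` would make the managed list authoritative, but it is not loop-aware, so combined with `with_file` each iteration would wipe the key installed by the previous one. Join the keys into one newline-separated string instead, e.g. `exclusive: yes` and `key: "{{ lookup('file', 'ssh_keys/imranh') }}"` (further keys appended with `~ '\n' ~ lookup(...)`), and drop the `with_file` block. Until that is in place, a revoked key needs an explicit `state: absent` task rather than a `#` in the list.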
=====================================
ansible/inventory/hosts
=====================================
--- a/ansible/inventory/hosts
+++ b/ansible/inventory/hosts
@@ -1,15 +1,15 @@
[servers-physical]
silver ansible_host=137.44.10.1
-iridium
-backup
-gw
+iridium remote_user=root
+backup remote_user=root
+gw remote_user=root
[servers-virtual]
games
-paf
-su-apiv2
-vmnet
-mirror
+paf remote_user=root
+su-apiv2 remote_user=root
+vmnet remote_user=root
+mirror remote_user=root
[servers:children]
servers-physical
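Review bot: `remote_user=root` on each host may not have the intended effect: the inventory-side connection variable is `ansible_user` (older name `ansible_ssh_user`), while `remote_user` is a play keyword, so as a plain host var it is probably ignored unless a play references it — worth confirming with `ansible gw -m ping` before relying on it. The same setting is also repeated on every host in this hunk and again on `door` in the second hunk, while `silver`, `games` and `pi` are left out; `ansible_user=root` under `[all:vars]` would state the convention once and keep per-host lines for genuine exceptions. Direct root login additionally means every playbook runs fully privileged by default; an unprivileged account plus `become: yes` in the plays that need it would narrow that, though I cannot tell from the diff whether such accounts exist on these hosts.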
@@ -26,6 +26,6 @@ bromine
iodine
[other]
-door
+door remote_user=root
pi
#vanadium
\ No newline at end of file
=====================================
ansible/roles/sucs-firewall/handlers/main.yml
=====================================
--- /dev/null
+++ b/ansible/roles/sucs-firewall/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: update firewall
+ command: /bin/bash /root/firewall-rules.sh
\ No newline at end of file
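Review bot: The handler runs the rules file under `/bin/bash` although the template ships with a `#!/bin/sh` shebang (first line of the templates hunk) and is deployed with mode 0744, so the same script is executed by two different interpreters depending on who invokes it; pick one, e.g. `command: /root/firewall-rules.sh`, and let the shebang be the source of truth. This handler also only fires when the template task reports a change, so a host whose rules were lost at reboot is not repaired by a later run unless the file itself changed; a persistence step in the role (an `iptables-save` dump restored at boot) would make the firewall state converge on every run rather than only on edits. Whether the script's exit status means anything to this handler is a separate concern raised on the templates hunk.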
=====================================
ansible/roles/sucs-firewall/tasks/main.yml
=====================================
--- /dev/null
+++ b/ansible/roles/sucs-firewall/tasks/main.yml
@@ -0,0 +1,23 @@
+- name: make sure iptables and other packages are installed
+ package:
+ name: "{{ item }}"
+ state: installed
+ with_items:
+ - iptables
+ - conntrack
+ - iptstate
+
+- name: enable ipv4 forwarding
+ sysctl:
+ name: net.ipv4.ip_forward
+ value: 1
+ sysctl_set: yes
+ state: present
+ reload: yes
+
+- name: deploy firewall rules to the machine
+ template:
+ src: firewall-rules
+ dest: /root/firewall-rules.sh
+ mode: 0744
+ notify: update firewall
\ No newline at end of file
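Review bot: `state: installed` on the generic `package` module is only an alias that the underlying yum/apt modules happen to accept; `state: present` is the documented value and works regardless of which package manager `package` dispatches to. On recent Ansible the `with_items` loop can go as well, since `name:` accepts a list and installs the three packages in one transaction. In the template task, `mode: 0744` is an unquoted YAML number that is parsed as octal and happens to work, but `mode: '0744'` makes the intent explicit and avoids the classic 744-versus-0744 mistake on a later edit.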
=====================================
ansible/roles/sucs-firewall/templates/firewall-rules
=====================================
--- /dev/null
+++ b/ansible/roles/sucs-firewall/templates/firewall-rules
@@ -0,0 +1,574 @@
+#!/bin/sh
+##
+#
+# rollercow's fancy new firewall rules (which may even work!)
+# 2004
+#
+##
+
+#
+# define useful variables, for our use later
+#
+
+#NETWORKS
+
+#sucs = our boxes,
+export INTERFACE_SUCS=eth0
+export NET_SUCS=137.44.10.0/25
+export IP_SUCS=137.44.10.126
+#guest=guestnet,
+export INTERFACE_GUEST=br0
+export NET_GUEST=137.44.10.128/25
+export IP_GUEST=137.44.10.254
+#outside = the outside
+export INTERFACE_OUTSIDE=eth2
+export NET_OUTSIDE=137.44.19.200/24
+export IP_OUTSIDE=137.44.19.200
+#other usefull subnets
+export NET_CAMPUS=137.44.0.0/16
+export NET_INSIDE=137.44.10.0/24
+export NET_VMS=192.168.10.0/24
+export BACKUP=137.44.6.5
+export VIDEOREMOTE=137.44.19.112
+export STREAMING_SERVER=137.44.10.80
+export STREAMING_PORT=1935
+export GAMES_BOX=137.44.10.3
+
+#TRANSPARENT PROXY BITS
+
+#This be the ip of the box you want to push the requests to...
+#This box has to be configured to accept transparent proxy requests..
+#See http://en.tldp.org/HOWTO/TransparentProxy.html
+export PROXY_BOX=137.44.10.1
+#Port on which the proxy box is listening
+export PROXY_PORT=3128
+
+#OTHER
+
+#Set up the ebtables stuff for guestnet
+/root/updatemaclist.sh
+
+#Tell the script where iptables is
+export IPT='/sbin/iptables'
+
+#
+#Load all the modules we need
+#
+
+modprobe ip_tables
+modprobe ip_conntrack
+modprobe ip_conntrack_ftp
+modprobe ip_conntrack_tftp
+
+#
+#Flush the current rules
+#
+
+$IPT -F
+$IPT -X
+$IPT -t nat -F
+$IPT -t nat -X
+$IPT -P INPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+$IPT -P OUTPUT ACCEPT
+
+#
+#TODO (in no order)
+#
+
+# - MAC filtering for SUCS
+# - MAC filtering for guestnet
+# - Everything else ive forgoten
+
+
+##
+#
+# The Rules
+#
+##
+echo 'Starting Firewall'
+
+#
+# gateway IN
+#
+echo "* - INPUT"
+
+#Allow Existing Connections
+$IPT -A INPUT -m state --state ESTABLISHED -j ACCEPT
+
+#SSH from silver
+$IPT -A INPUT -s 137.44.10.1 -i $INTERFACE_SUCS -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT
+
+#uncomment if you want to be able to ssh in from anywhere
+#SSH from anywhere
+$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT
+
+#DHCP from sucs
+$IPT -A INPUT ! -i $INTERFACE_OUTSIDE -p udp -m udp --dport 67 -j ACCEPT
+
+#NTP from anywhere
+$IPT -A INPUT -p udp -m udp --dport 123 -j ACCEPT
+
+#ICMP from anywhere
+$IPT -A INPUT -p ICMP -j ACCEPT
+
+# this is a bodge so that cacti works...
+$IPT -A INPUT -s $NET_SUCS -i $INTERFACE_SUCS -p udp --dport 33439 -j REJECT
+
+# ALL from backup
+$IPT -A INPUT -s $BACKUP -j ACCEPT
+
+# ALL from vanadium/remote video streaming server
+$IPT -A INPUT -s $VIDEOREMOTE -j ACCEPT
+
+# Allow RELATED,ESTABLISHED connections from mirror (FTP)
+$IPT -A INPUT -s 137.44.10.8 -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#DROP the rest
+$IPT -P INPUT DROP
+
+#
+# gateway OUT
+#
+echo "* - OUTPUT"
+
+#Allow Existing Connections
+$IPT -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+
+#SSH to silver
+$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+#HTTP to mirror
+$IPT -A OUTPUT -d 137.44.10.8 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+
+#HTTPS to staff svn host
+$IPT -A OUTPUT -d 137.44.10.81 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#SMTP to silver
+$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
+$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
+
+#DNS to silver
+$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
+$IPT -A OUTPUT -d 137.44.10.1 -p udp -m udp --dport 53 -j ACCEPT
+
+#DHCP to guestnet
+$IPT -A OUTPUT -d $NET_INSIDE -p udp -m udp --dport 67 -j ACCEPT
+
+#NTP to anywhere
+$IPT -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
+$IPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
+
+#RADIUS to silver
+$IPT -A OUTPUT -d 137.44.10.1 -p udp -m udp --dport 1812 -j ACCEPT
+$IPT -A OUTPUT -d 137.44.10.1 -p udp -m udp --dport 1813 -j ACCEPT
+
+#HTTP-Cache to proxy machine
+$IPT -A OUTPUT -d $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
+
+#NUT (ups monitor to silver)
+$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 3493 -j ACCEPT
+
+#ganglia (to silver)
+$IPT -A OUTPUT -d 137.44.10.1 -p udp -m state --state NEW -m udp --dport 8649 -j ACCEPT
+
+#IMCP to anywhere
+$IPT -A OUTPUT -p ICMP -j ACCEPT
+
+#ALL to backup
+$IPT -A OUTPUT -d $BACKUP -j ACCEPT
+
+#ALL to vanadium/remote video streaming box
+$IPT -A OUTPUT -d $VIDEOREMOTE -j ACCEPT
+
+#DROP the rest
+$IPT -P OUTPUT DROP
+
+
+#
+# Fowarding
+#
+echo "* - FORWARDING"
+
+#
+# Sanity checks
+#
+
+#in from outside, and not for us, drop it!
+$IPT -A FORWARD -i $INTERFACE_OUTSIDE ! -d $NET_INSIDE -j DROP
+
+#in from sucs, not useing a sucs ip, drop it!
+$IPT -A FORWARD -i $INTERFACE_SUCS ! -s $NET_SUCS -j DROP
+
+#in from guestnet and not useing a guestnet ip and not in a tunnel drop it!
+$IPT -A FORWARD -i $INTERFACE_GUEST ! -s $NET_GUEST -m policy --dir in --pol none -j DROP
+
+#in from guestnet and not marked as allowed, drop it!
+$IPT -A FORWARD -i $INTERFACE_GUEST ! -d $NET_INSIDE -m mark ! --mark 1 -j REJECT
+
+#from inside heading outside outside, and not with one of our ip's!
+$IPT -A FORWARD -o $INTERFACE_OUTSIDE ! -s $NET_INSIDE -j DROP
+
+#
+# Common Rules
+# These rules are common to all internal networks
+#
+
+#Allow Existing Connections
+$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
+
+#ICMP (to anywhere) from anywhere
+$IPT -A FORWARD -p ICMP -j ACCEPT
+
+#UDP Traceroute (to anywhere) from anywhere - Some traceroutes use the following UDP ports
+$IPT -A FORWARD -p udp --dport 33434:33523 -j ACCEPT
+
+#Proxy stuff
+$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_SUCS -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
+$IPT -t nat -A POSTROUTING -o $INTERFACE_SUCS -s $NET_GUEST -d $PROXY_BOX -p tcp --dport $PROXY_PORT -j SNAT --to $IP_SUCS
+$IPT -A FORWARD -s $NET_SUCS -d $PROXY_BOX -i $INTERFACE_SUCS -p tcp --dport $PROXY_PORT -j ACCEPT
+$IPT -A FORWARD -s $NET_GUEST -d $PROXY_BOX -i $INTERFACE_GUEST -p tcp --dport $PROXY_PORT -j ACCEPT
+
+#HTTP (to Off Campus) from Inside (not via proxy) DROP!
+$IPT -A FORWARD ! -i $INTERFACE_OUTSIDE ! -d $NET_CAMPUS ! -s $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 80 -j REJECT
+
+#From backup to sucs
+$IPT -A FORWARD -d $NET_SUCS -s $BACKUP -j ACCEPT
+
+#From backup to vanadium on guestnet
+$IPT -A FORWARD -d 137.44.10.212 -s $BACKUP -j ACCEPT
+
+#From vanadium to sucs
+$IPT -A FORWARD -d $NET_SUCS -s $VIDEOREMOTE -j ACCEPT
+
+
+#
+# Special Rules
+# Any special rules go here, for example droping of specific ip ranges would go here
+#
+
+#Games Servers
+#AA
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 4534 -j ACCEPT
+
+#CStrike
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 27015:27016 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 27015:27016 -j ACCEPT
+
+#games
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 7777:7778 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 17777 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 27017 -j ACCEPT
+
+#Minecraft
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 25565 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 25565 -j ACCEPT
+
+#Monster
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 45000 -j ACCEPT
+
+#BZFlag
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m state --state NEW -m tcp --dport 5150 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 5150 -j ACCEPT
+
+#OpenTTD
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m state --state NEW -m tcp --dport 3979 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 3979 -j ACCEPT
+
+#Steam
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --sport 27000:27030 --dport 1025:65355 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --sport 4380 --dport 1025:65255 -j ACCEPT
+
+#games http
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+
+#games HTTPS
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#teamspeak2 ports
+#$IPT -A FORWARD -d $GAMES_BOX -p tcp -m state --state NEW -m tcp --dport 8767 -j ACCEPT
+#$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 8767 -j ACCEPT
+
+#teamspeak3 now uses this port
+#$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 9987 -j ACCEPT
+
+#mumble
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 64738 -j ACCEPT
+
+#cube 2
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 28785 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 28785 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 28786 -j ACCEPT
+$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 28786 -j ACCEPT
+
+#Try and get steam working from inside the room ~elbows
+
+$IPT -A FORWARD -p udp -m udp --dport 27000:27030 -j ACCEPT
+$IPT -A FORWARD -p tcp -m tcp --dport 27014:27050 -j ACCEPT
+$IPT -A FORWARD -p udp -m udp --dport 4380 -j ACCEPT
+
+#
+# SUCS
+# All rules for the sucs network go here
+#
+echo "* - Zone - SUCS"
+
+#SMTP only from Silver to anywhere
+# only logging it for now ~imranh
+$IPT -A FORWARD ! -s 137.44.10.1 -i $INTERFACE_SUCS -p tcp -m tcp --dport 25 -j LOG
+#$IPT -A FORWARD ! -s 137.44.10.1 -i $INTERFACE_SUCS -p tcp -m tcp --dport 25 -j DROP
+
+#All (to anywhere) from sucs
+$IPT -A FORWARD -s $NET_SUCS -i $INTERFACE_SUCS -m state --state NEW -j ACCEPT
+
+#
+# SUCS Services
+# Rules to allow access to services hosted on our network go here
+# In port order to make things easy to find!
+#
+
+#DNS (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p udp -m udp --dport 53 -j ACCEPT
+
+#SSH (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+#FTP (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
+
+#SMTP (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
+
+#Normal HTTP(s) (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#VHost HTTP(s) (an alias for silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.61 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.61 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#GuestNet VHost HTTP(s) (an alias for silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.63 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.63 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#POP (to silver) from campus
+$IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
+
+#NTP (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p udp -m udp --dport 123 -j ACCEPT
+
+#SMB (to silver) from campus
+$IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p tcp -m state --state NEW -m multiport --dport 139,445 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p udp -m udp --dport 137:138 -j ACCEPT
+
+#IMAP (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
+
+#IMAPs (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
+
+#POP3s (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
+
+#ICP - (to proxy machine) from campus proxy (octopussy.swan.ac.uk)
+$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
+$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3128 -j ACCEPT
+$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp --dport 3130 -j ACCEPT
+$IPT -A FORWARD -d $PROXY_BOX -s $NET_CAMPUS -p udp -m udp --dport 3130 -j ACCEPT
+
+#Jabber (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
+
+#Jabber SSL (to silver) from anywhere
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 5223 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 5670 -j ACCEPT
+
+#TFTP (to gw) from SUCS
+$IPT -A INPUT -d $IP_SUCS -s $NET_SUCS -p udp --dport 69 -m state --state NEW -j ACCEPT
+$IPT -A OUTPUT -d $NET_SUCS -s $IP_SUCS -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+#
+# GuestNET
+#
+echo "* - Zone - GUEST"
+
+#
+# MAC address filtering
+# (to come)
+#
+
+#
+# Extra Services Allowed IN
+#
+
+echo "VMs stuff"
+
+# rules for iridium, in order, please keep it that way ~imranh
+# Allow the proxmox web interface through
+$IPT -A FORWARD -d 137.44.10.6 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.6 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+# Allow vnc to iridium (?)
+$IPT -A FORWARD -d 137.44.10.6 -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.6 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.6 -p tcp -m state --state NEW -m tcp --dport 5902 -j ACCEPT
+
+# Allow access to private VM Net from SUCS Net
+$IPT -A FORWARD -d $NET_VMS -i $INTERFACE_SUCS -j ACCEPT
+
+# mirror
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m tcp --dport 20 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m tcp --dport 21 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.8 -p tcp -m tcp --dport 5000:5100 -j ACCEPT
+
+#stream vm
+$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 22 -j ACCEPT
+$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d $STREAMING_SERVER -p tcp -m tcp --dport $STREAMING_PORT -j ACCEPT
+$IPT -A FORWARD -d $STREAMING_SERVER -p udp -m udp --dport $STREAMING_PORT -j ACCEPT
+
+#new stream vm testing ~elbows
+$IPT -A FORWARD -d 137.44.10.112 -p tcp -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.112 -p tcp -m tcp --dport 1935 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.112 -p udp -m udp --dport 1935 -j ACCEPT
+
+# Gitlab instance
+$IPT -A FORWARD -d 137.44.10.81 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.81 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.81 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+# ~andy VM 1/2
+$IPT -A FORWARD -d 137.44.10.82 -p tcp -m state --state NEW -m tcp --dport 3389 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.82 -p udp -m state --state NEW -m udp --dport 3389 -j ACCEPT
+
+# ~andy VM 2/2
+$IPT -A FORWARD -d 137.44.10.84 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+# Xtreme radio VM, icecast2 running on port 80
+$IPT -A FORWARD -d 137.44.10.85 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+
+# ~tswsl1989 VM
+$IPT -A FORWARD -d 137.44.10.88 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.88 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+# rjames93 web server and mumble server
+$IPT -A FORWARD -d 137.44.10.97 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.97 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.97 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.97 -p tcp -m state --state NEW -m tcp --dport 64738 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.97 -p udp -m state --state NEW -m udp --dport 64738 -j ACCEPT
+
+# rjames93
+$IPT -A FORWARD -d 137.44.10.98 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+
+# Rules for whatever 10.99 is, kais58s VM
+$IPT -A FORWARD -d 137.44.10.99 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.99 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+
+#gaming soc vm on 137.44.10.110
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 9987 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p udp -m state --state NEW -m udp --dport 9987 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 10011 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 25565 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.110 -p tcp -m state --state NEW -m tcp --dport 30033 -j ACCEPT
+
+#stig vm and shit
+$IPT -A FORWARD -d 137.44.10.113 -p tcp --dport ssh -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.113 -p tcp --dport 80 -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.113 -p tcp --dport 443 -j ACCEPT
+
+#war! what is it good for?
+#$IPT -A FORWARD -d 137.44.10.123 -p tcp --dport ssh -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.123 -p tcp --dport http -j ACCEPT
+$IPT -A FORWARD -d 137.44.10.123 -p tcp --dport https -j ACCEPT
+
+#
+# Limits on what GuestNET can talk to
+#
+
+# Allow people on guestnet to talk to the VMs in iridium
+$IPT -A FORWARD -d $NET_VMS -i $INTERFACE_GUEST -m mark --mark 1 -j ACCEPT
+
+# Allow all from GUESTNet to Games Server if they are marked as allowed
+$IPT -A FORWARD -d $GAMES_BOX -i $INTERFACE_GUEST -m mark --mark 1 -j ACCEPT
+
+#SMB - Only to silver
+$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p tcp -m state --state NEW -m tcp --dport 137:139 -j DROP
+$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p udp -m udp --dport 137:139 -j DROP
+
+#DNS - Only to campus
+$IPT -A FORWARD ! -d $NET_CAMPUS -i $INTERFACE_GUEST -p tcp -m state --state NEW -m tcp --dport 53 -j DROP
+$IPT -A FORWARD ! -d $NET_CAMPUS -i $INTERFACE_GUEST -p udp -m udp --dport 53 -j DROP
+
+#SMTP - Only to silver
+$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p tcp -m tcp --dport 25 -j DROP
+$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p tcp -m tcp --dport 587 -j DROP
+
+#HTTP - anything from GuestNET not marked as allowed gets redirected to autoreg page on silver
+$IPT -A FORWARD -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp --dport 443 -j REJECT
+$IPT -t nat -A PREROUTING -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp --dport 3128 -j DNAT --to 137.44.10.63:80
+$IPT -t nat -A PREROUTING -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp --dport 80 -j DNAT --to 137.44.10.63
+
+# Rest of Transparent Proxy
+$IPT -t nat -A PREROUTING ! -i $INTERFACE_OUTSIDE ! -s $PROXY_BOX -p tcp --dport 80 -m policy --dir in --pol none -j DNAT --to $PROXY_BOX:$PROXY_PORT
+
+# pptp vpns
+$IPT -A FORWARD -i $INTERFACE_GUEST -p 47 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+$IPT -A FORWARD -s $NET_GUEST -p 47 -j ACCEPT
+$IPT -A FORWARD -d $NET_GUEST -p 47 -j ACCEPT
+
+#
+# Outright Blocks on what GuestNET can talk to
+#
+
+#kazaa
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 1214 -j LOG
+
+#edonkey
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 4661:4662 -j LOG
+
+#soulseek
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 2234 -j LOG
+$IPT -A FORWARD -i $INTERFACE_GUEST -p udp --dport 2234 -j LOG
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 5534 -j LOG
+$IPT -A FORWARD -i $INTERFACE_GUEST -p udp --dport 5534 -j LOG
+
+#soulseek
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 5500:5503 -j LOG
+
+#GNUtella
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 6346:6347 -j LOG
+$IPT -A FORWARD -i $INTERFACE_GUEST -p udp --dport 6346:6347 -j LOG
+
+#IRC
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 197 -j DROP
+$IPT -A FORWARD -i $INTERFACE_GUEST -p udp --dport 197 -j DROP
+$IPT -A FORWARD -i $INTERFACE_GUEST -p tcp -m tcp --dport 6666:7000 -j DROP
+$IPT -A FORWARD -i $INTERFACE_GUEST -p udp --dport 6666:7000 -j DROP
+
+# Allow other outbound traffic (but keep sucs only visible as it is from campus)
+$IPT -A FORWARD -i $INTERFACE_GUEST -m mark --mark 1 -m state --state NEW -j ACCEPT
+$IPT -A FORWARD -s $NET_GUEST -i $INTERFACE_GUEST -m state --state NEW -j ACCEPT
+
+#TFTP (to gw) from Guestnet
+$IPT -A INPUT -d $IP_GUEST -s $NET_GUEST -p udp --dport 69 -m state --state NEW -j ACCEPT
+$IPT -A OUTPUT -d $NET_GUEST -s $IP_GUEST -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+#
+# END
+#
+
+#Drop the rest
+$IPT -P FORWARD DROP
+
+echo 'DONE!'
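Review bot: The "SSH from anywhere" rule under the `#uncomment if you want to be able to ssh in from anywhere` comment is not actually commented out, so the INPUT chain accepts new SSH connections from any source and the silver-only rule just above it is dead; either comment it out (`#$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport ssh -j ACCEPT`) or fix the comment so it describes what is really deployed. The script has no `set -e` and its exit status is that of the final `echo`, so a failed `modprobe`, a missing `/root/updatemaclist.sh` or any rejected `$IPT` line still reports success to the Ansible handler that runs it; `set -e` after the shebang would surface that (the legacy `ip_conntrack*` module names may then need their `nf_conntrack*` equivalents, which I cannot verify from here). Applying the ruleset atomically with `iptables-restore` would also remove the window in which the chains are flushed with ACCEPT policies and the half-applied state left behind if the script dies midway. The three Steam rules after the `~elbows` comment carry no `-d`, `-i` or `-o` qualifier, so they forward those port ranges from any interface to any internal host rather than just from the room outward; scoping them with `-i $INTERFACE_SUCS` / `-i $INTERFACE_GUEST` keeps the intent without the extra exposure. Nothing here persists the rules across a reboot, which is probably better handled in the role than in this script.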
=====================================
ansible/ssh_keys/imranh
=====================================
--- /dev/null
+++ b/ansible/ssh_keys/imranh
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDV2g/ns3Drtclt7DI1LvsXja29HySTJoRei/sjYjc+jHAxlIH5xBdqayr4Jpz1nZboYnTuHzIaS7Pt3IkaOAQCFtM832GXZjUKwtYsGhfEJmXl8WHwUiibeDdZaMo2TUWA29Jc5JTAw+01L7aznPgc17/a9Q0Dv7N9CSlTF4773KefLp2VYKncU0pQyV1G51/1UAIxY0rfu5L52Ul/ekmz8xVHAB1EzBilzVImmDxdym4otyxDeiNDsJsDUpKDz8UqnvMTQxQDXa+Y83SBDFF4x2apqZPYMK3HxxKJpuqdxA2sfU4pQtIY2msc7HTySTcD+p2FfGt9609EcUXx8htv imranh at silver.sucs.swan.ac.uk
=====================================
ansible/sucs-firewall.yml
=====================================
--- /dev/null
+++ b/ansible/sucs-firewall.yml
@@ -0,0 +1,4 @@
+- hosts: gw
+ roles:
+ - common
+ - sucs-firewall
\ No newline at end of file
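Review bot: The play lists a `common` role alongside `sucs-firewall`, but no `roles/common` directory is part of this commit and none appears in the changed-file list, so unless it already exists elsewhere in the repository the play fails at role resolution before any task runs. Either drop `- common` from this hunk or add the role in the same commit so the playbook is runnable from this revision. A one-line comment on the play stating what `common` is expected to provide would help the next reader either way.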
View it on GitLab: https://projects.sucs.org/sucs/sucs/compare/48ceffeead6d342a5c317f6ad584572de4a004dd...bb2bb27b33270e56428af6b8f01b42da36fea801