Dzahn has uploaded a new change for review.
https://gerrit.wikimedia.org/r/59001
Change subject: add iptables to deny access to NRPE on hosts with public IP
except for our own networks
......................................................................
add iptables to deny access to NRPE on hosts with public IP
except for our own networks
Change-Id: I28f0fcb66a3e867f10ee958a7c5623461d557619
---
M manifests/nrpe.pp
1 file changed, 44 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/01/59001/1
diff --git a/manifests/nrpe.pp b/manifests/nrpe.pp
index e2ccc3f..b1785bc 100644
--- a/manifests/nrpe.pp
+++ b/manifests/nrpe.pp
@@ -130,3 +130,47 @@
ensure => running;
}
}
+
+class nrpe::firewall {
+
+ # deny access to NRPE (5666/TCP) from external networks
+
+ class iptables-purges {
+
+ require 'iptables::tables'
+ iptables_purge_service{ 'deny_pub_nrpe': service => 'nrpe' }
+ }
+
+ class iptables-accepts {
+
+ require 'nrpe::firewall::iptables-purges'
+
+ iptables_add_service{ 'lo_all': interface => 'lo', service => 'all', jump
=> 'ACCEPT' }
+ iptables_add_service{ 'localhost_all': source => '127.0.0.1', service =>
'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'private_pmtpa_nolabs': source => '10.0.0.0/14',
service => 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'private_esams': source => '10.21.0.0/24', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'private_eqiad1': source => '10.64.0.0/17', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'private_eqiad2': source => '10.65.0.0/20', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'private_virt': source => '10.4.16.0/24', service =>
'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'public_152': source => '208.80.152.0/24', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'public_153': source => '208.80.153.128/26', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'public_154': source => '208.80.154.0/24', service
=> 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'public_fundraising': source => '208.80.155.0/27',
service => 'all', jump => 'ACCEPT' }
+ iptables_add_service{ 'public_esams': source => '91.198.174.0/25', service
=> 'all', jump => 'ACCEPT' }
+ }
+
+ class iptables-drops {
+
+ require 'nrpe::firewall::iptables-accepts'
+ iptables_add_service{ 'deny_pub_nrpe': service => 'nrpe', jump => 'DROP' }
+ }
+
+ class iptables {
+
+ require 'nrpe::firewall::iptables-drops'
+ iptables_add_exec{ "${hostname}_nrpe": service => 'nrpe' }
+ }
+
+ require 'nrpe::firewall::iptables'
+}
+
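Review bot: The ACCEPT rules in nrpe::firewall::iptables-accepts all pass `service => 'all'`, so every listed network is admitted to every port on the host, which is much broader than what the class comment ("deny access to NRPE (5666/TCP) from external networks") and the DROP rule in iptables-drops describe; unless the accept chain is known to be scoped elsewhere, each exception should be `service => 'nrpe'` so the allow-list only carves out the port this change is about. The rule ordering (purge → accepts → drops → exec) is carried entirely by the `require` chain between the nested classes, which is worth stating in the class comment, e.g. `# ordering matters: the ACCEPT exceptions must be loaded before the catch-all DROP for nrpe`. The hard-coded source ranges would also benefit from a comment naming where they must be kept in sync, since a stale entry here silently locks monitoring out of a site. Separately, the hyphenated class names (iptables-purges, iptables-accepts, iptables-drops) are likely to be rejected by newer Puppet releases, so underscores would be the safer choice.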
--
Gerrit-MessageType: newchange
Gerrit-Change-Id: I28f0fcb66a3e867f10ee958a7c5623461d557619
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Dzahn <[email protected]>