diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index bbe6fa7..f22f62f 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -96,3 +96,28 @@ def add_users_from_json(metadata):
 'icinga_users': users,
 },
 }
+
+
+@metadata_reactor.provides(
+ 'iptables/bundle_rules/icinga2',
+)
+def iptables(metadata):
+ identifiers = metadata.get('icinga2/restrict-to', set())
+ rules = set()
+
+ if identifiers:
+ for identifier in sorted(identifiers):
+ resolved = repo.libs.tools.resolve_identifier(repo, identifier)
+
+ for address in resolved['ipv4']:
+ rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 5665 -j ACCEPT')
+ else:
+ rules.add('iptables -A INPUT -p tcp --dport 5665 -j ACCEPT')
+
+ return {
+ 'iptables': {
+ 'bundle_rules': {
+ 'icinga2': list(sorted(rules)),
+ },
+ },
+ }
diff --git a/bundles/netdata/metadata.py b/bundles/netdata/metadata.py
index 75feb0b..2446657 100644
--- a/bundles/netdata/metadata.py
+++ b/bundles/netdata/metadata.py
@@ -20,20 +20,22 @@ defaults = {
 'iptables/bundle_rules/netdata',
 )
 def iptables(metadata):
- interfaces = metadata.get('netdata/restrict-to-interfaces', set())
- rules = []
+ identifiers = metadata.get('netdata/restrict-to', set())
+ rules = set()
 
- if interfaces:
- for iface in sorted(interfaces):
- rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 19999 -j ACCEPT')
+ if identifiers:
+ for identifier in sorted(identifiers):
+ resolved = repo.libs.tools.resolve_identifier(repo, identifier)
+ for address in resolved['ipv4']:
+ rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 19999 -j ACCEPT')
 else:
- rules.append('iptables_both -A INPUT -p tcp --dport 19999 -j ACCEPT')
+ rules.add('iptables -A INPUT -p tcp --dport 19999 -j ACCEPT')
 
 return {
 'iptables': {
 'bundle_rules': {
- 'netdata': rules,
+ 'netdata': list(sorted(rules)),
 },
 },
 }
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index 9304b64..8ec7262 100644
--- a/bundles/nginx/metadata.py
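Review bot: Only `resolved['ipv4']` is consulted in the new `iptables` reactor, so any IPv6 addresses that `resolve_identifier` returns for an `icinga2/restrict-to` entry yield no rule and those peers are not admitted on 5665; the nginx and unbound hunks in this commit add matching `ip6tables` lines from `resolved['ipv6']`, and the netdata and transmission reactors share this gap. If IPv6 is deliberately out of scope for the API port, a comment on the loop such as `# IPv4 sources only; resolved['ipv6'] is intentionally not consulted` would stop the next reader from treating it as an oversight. Separately, `list(sorted(rules))` is redundant because `sorted()` already returns a list; `'icinga2': sorted(rules),` is enough, and the same applies to the other four reactors.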
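Review bot: The unrestricted fallback in the `else:` branch changes from `iptables_both` to `iptables`, so a node with an empty `netdata/restrict-to` now opens 19999 for IPv4 only while the previous IPv6 allow rule disappears; the nginx hunk keeps `iptables_both` in its fallback, which suggests this difference is unintentional. A second effect of the key rename is that `netdata/restrict-to-interfaces` is no longer read, so a node still carrying the old key silently lands in this fallback and exposes 19999 to every IPv4 source instead of failing loudly; the nginx, transmission and unbound renames have the same property. Consider rejecting the legacy key explicitly, e.g. `if metadata.get('netdata/restrict-to-interfaces'): raise ValueError('netdata/restrict-to-interfaces was renamed to netdata/restrict-to')`, so a stale node config is caught at metadata build time rather than at the firewall.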
+++ b/bundles/nginx/metadata.py
@@ -146,22 +146,28 @@ def monitoring(metadata):
 'iptables/bundle_rules/nginx',
 )
 def iptables(metadata):
- interfaces = metadata.get('nginx/restrict-to-interfaces', set())
- rules = []
+ identifiers = metadata.get('nginx/restrict-to', set())
+ rules = set()
 
- if interfaces:
- for iface in sorted(interfaces):
- rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 80 -j ACCEPT')
- rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 443 -j ACCEPT')
+ if identifiers:
+ for identifier in sorted(identifiers):
+ resolved = repo.libs.tools.resolve_identifier(repo, identifier)
+ for address in resolved['ipv4']:
+ rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
+ rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
+
+ for address in resolved['ipv6']:
+ rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 80 -j ACCEPT')
+ rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 443 -j ACCEPT')
 else:
- rules.append('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
- rules.append('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
+ rules.add('iptables_both -A INPUT -p tcp --dport 80 -j ACCEPT')
+ rules.add('iptables_both -A INPUT -p tcp --dport 443 -j ACCEPT')
 
 return {
 'iptables': {
 'bundle_rules': {
- 'nginx': rules,
+ 'nginx': list(sorted(rules)),
 },
 },
 }
diff --git a/bundles/transmission/metadata.py b/bundles/transmission/metadata.py
index dfaf206..10d44ea 100644
--- a/bundles/transmission/metadata.py
+++ b/bundles/transmission/metadata.py
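Review bot: The restricted rules now match on `-s {address}` alone where the removed lines matched on `-i {iface}`, so acceptance no longer depends on which link a packet arrived on; a packet that carries a source address inside the allowed prefix is accepted from any interface unless reverse-path filtering or an explicit drop on the uplink stops it. The interface match was a cheap defence-in-depth layer and the same change is made in the netdata, transmission, unbound and icinga2 reactors, as well as by the removal of the `-i wg0` custom rule in nodes/ovh/icinga2.py. It would be worth recording the assumption in the reactor, e.g. `# source-only match: relies on rp_filter / uplink policy to reject spoofed sources -- TODO confirm`, or having `resolve_identifier` also return an interface so the generated rule can combine `-i` with `-s`.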
@@ -37,26 +37,34 @@ defaults = {
 'iptables/bundle_rules/transmission',
 )
 def iptables(metadata):
- interfaces = metadata.get('transmission/webinterface-on-interfaces', set())
- rules = []
+ identifiers = metadata.get('transmission/restrict-to', set())
+ rules = set()
 
- rules.append('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
+ rules.add('iptables_both -A INPUT -p udp --dport {} -j ACCEPT'.format(
 metadata.get('transmission/config/peer-port'),
 ))
- rules.append('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
+ rules.add('iptables_both -A INPUT -p tcp --dport {} -j ACCEPT'.format(
 metadata.get('transmission/config/peer-port'),
 ))
 
- for iface in sorted(interfaces):
- rules.append('iptables_both -A INPUT -i {} -p tcp --dport {} -j ACCEPT'.format(
- iface,
+ if identifiers:
+ for identifier in sorted(identifiers):
+ resolved = repo.libs.tools.resolve_identifier(repo, identifier)
+
+ for address in resolved['ipv4']:
+ rules.add('iptables -A INPUT -p tcp -s {} --dport {} -j ACCEPT'.format(
+ address,
+ metadata.get('transmission/config/rpc-port'),
+ ))
+ else:
+ rules.add('iptables -A INPUT -p tcp --dport {} -j ACCEPT'.format(
 metadata.get('transmission/config/rpc-port'),
 ))
 
 return {
 'iptables': {
 'bundle_rules': {
- 'transmission': rules,
+ 'transmission': list(sorted(rules)),
 },
 },
 }
diff --git a/bundles/unbound/metadata.py b/bundles/unbound/metadata.py
index 1a83459..c417911 100644
--- a/bundles/unbound/metadata.py
+++ b/bundles/unbound/metadata.py
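Review bot: The new `else:` branch opens the RPC port to every IPv4 source whenever `transmission/restrict-to` is empty or absent, whereas the removed code added no RPC rule at all when `webinterface-on-interfaces` was unset — the default for a node that never configured the web interface flips from closed to open. If that is intended it deserves a comment on the branch; otherwise dropping the `else:` (as the unbound reactor in this commit does) keeps the previous fail-closed default. Note also that the peer-port rules remain `iptables_both` while the restricted RPC rule is built only from `resolved['ipv4']`, so IPv6 entries in `restrict-to` are silently ignored here as in the icinga2 and netdata reactors.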
@@ -41,17 +41,25 @@ def cpu_cores_to_config_values(metadata):
 'iptables/bundle_rules/unbound',
 )
 def iptables(metadata):
- interfaces = metadata.get('unbound/restrict-to-interfaces', set())
- rules = []
+ identifiers = metadata.get('unbound/restrict-to', set())
+ rules = set()
 
- for iface in sorted(interfaces):
- rules.append(f'iptables_both -A INPUT -i {iface} -p tcp --dport 53 -j ACCEPT')
- rules.append(f'iptables_both -A INPUT -i {iface} -p udp --dport 53 -j ACCEPT')
+ if identifiers:
+ for identifier in sorted(identifiers):
+ resolved = repo.libs.tools.resolve_identifier(repo, identifier)
+
+ for address in resolved['ipv4']:
+ rules.add(f'iptables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
+ rules.add(f'iptables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
+
+ for address in resolved['ipv6']:
+ rules.add(f'ip6tables -A INPUT -p tcp -s {address} --dport 53 -j ACCEPT')
+ rules.add(f'ip6tables -A INPUT -p udp -s {address} --dport 53 -j ACCEPT')
 
 return {
 'iptables': {
 'bundle_rules': {
- 'unbound': rules,
+ 'unbound': list(sorted(rules)),
 },
 },
 }
diff --git a/nodes/home/downloadhelper.py b/nodes/home/downloadhelper.py
index fb95f34..b7961e7 100644
--- a/nodes/home/downloadhelper.py
+++ b/nodes/home/downloadhelper.py
@@ -31,8 +31,8 @@ nodes['home.downloadhelper'] = {
 'exclude_from_backups': True,
 },
 'netdata': {
- 'restrict-to-interfaces': {
- 'enp1s0.42',
+ 'restrict-to': {
+ '172.19.136.0/22',
 },
 },
 'nfs-client': {
@@ -52,8 +52,8 @@ nodes['home.downloadhelper'] = {
 'download-dir': '/mnt/nas',
 'download-queue-size': 10,
 },
- 'webinterface-on-interfaces': {
- 'enp1s0.42',
+ 'restrict-to': {
+ '172.19.136.0/22',
 },
 },
 },
diff --git a/nodes/home/router.py b/nodes/home/router.py
index 78dd0d5..25e8d2d 100644
--- a/nodes/home/router.py
+++ b/nodes/home/router.py
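Review bot: Unlike the other four reactors in this commit, this one has no unrestricted fallback: an empty `unbound/restrict-to` produces no rule at all, which is the safer default for a resolver but is easy to misread next to the `else:` branches elsewhere. A one-line comment after the `if identifiers:` block, e.g. `# no restrict-to configured: leave port 53 closed rather than opening it to everyone`, would record that this is deliberate. The home.router change below replaces the former `enp1s0.23`/`enp1s0.42` interface pair with a single `172.19.138.0/23` prefix; whether that prefix covers both former VLANs cannot be verified from this diff and is worth a check before apply.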
@@ -82,16 +82,14 @@ nodes['home.router'] = {
 ],
 },
 'netdata': {
- 'restrict-to-interfaces': {
- 'enp1s0.42',
- 'wg0',
+ 'restrict-to': {
+ '172.19.136.0/22',
 },
 },
 'nginx': {
 'use_ssl_for_all_connections': False,
- 'restrict-to-interfaces': {
- 'enp1s0.42',
- 'wg0',
+ 'restrict-to': {
+ '172.19.136.0/22',
 },
 },
 'openvpn-client': {
@@ -115,9 +113,8 @@ nodes['home.router'] = {
 },
 },
 'unbound': {
- 'restrict-to-interfaces': {
- 'enp1s0.23',
- 'enp1s0.42',
+ 'restrict-to': {
+ '172.19.138.0/23',
 },
 },
 'users': {
diff --git a/nodes/ovh/icinga2.py b/nodes/ovh/icinga2.py
index 86722e2..d2a4ae0 100644
--- a/nodes/ovh/icinga2.py
+++ b/nodes/ovh/icinga2.py
@@ -46,6 +46,9 @@ nodes['ovh.icinga2'] = {
 },
 },
 },
+ 'restrict-to': {
+ '172.19.138.0/24',
+ },
 'sipgate_user': vault.decrypt('encrypt$gAAAAABfujAmCUnicSAllq8MskXnPodKp3cGcfA6Abvef-rAYwB2CtCwt9oBRVKFskJPVArDaF1wfjNTfLwgX3gTP7xFutJ1HA=='),
 'sipgate_pass': vault.decrypt('encrypt$gAAAAABfui_4B7UmOosI_gsQ-xvmd3X_BUDSl-G2KF_Tg8O6RpUvk0gHexOKsrTb6se1ipXsh7RC9pbZCKMtesW0C6j24LHXDKCOjkqI77oO0ZjnG6SUwfcJqg61biNiRlXy8z-9LCGA'),
 },
@@ -68,12 +71,6 @@ nodes['ovh.icinga2'] = {
 },
 },
 },
- 'iptables': {
- 'custom_rules': {
- # icinga2 api
- 'iptables -A INPUT -i wg0 -p tcp --dport 5665 -j ACCEPT',
- },
- },
 'nginx': {
 'vhosts': {
 'icingaweb': {