From 59b79dadc4658d07a354235f470992b31213818e Mon Sep 17 00:00:00 2001
From: "Daniel A. Maierhofer"
Date: Sun, 4 Nov 2018 21:23:40 +0100
Subject: [PATCH] Activate iptables for all except old qemu

---
 host_vars/ariane | 1 -
 host_vars/progress | 1 -
 host_vars/proteus | 2 ++
 host_vars/zyklon | 2 ++
 roles/common | 2 +-
 templates/iptables_ariane_v4.j2 | 8 ++++----
 templates/iptables_ariane_v6.j2 | 12 ------------
 templates/iptables_progress_v6.j2 | 12 ------------
 ...ables_sputnik_v4.j2 => iptables_proteus_v4.j2} | 1 +
 templates/iptables_sputnik_v6.j2 | 12 ------------
 templates/iptables_zyklon_v4.j2 | 15 +++++++++++++++
 11 files changed, 25 insertions(+), 43 deletions(-)
 delete mode 100644 templates/iptables_ariane_v6.j2
 delete mode 100644 templates/iptables_progress_v6.j2
 rename templates/{iptables_sputnik_v4.j2 => iptables_proteus_v4.j2} (90%)
 delete mode 100644 templates/iptables_sputnik_v6.j2
 create mode 100644 templates/iptables_zyklon_v4.j2

diff --git a/host_vars/ariane b/host_vars/ariane
index 0d6d42a..7b3e027 100644
--- a/host_vars/ariane
+++ b/host_vars/ariane
@@ -5,7 +5,6 @@ inventory_hostname_short: ariane
 common_interfaces: True
 common_interfaces_file: interfaces_ariane.j2
 common_iptables_v4: "iptables_ariane_v4.j2"
-common_iptables_v6: "iptables_ariane_v6.j2"
 
 lxc:
 containers:
diff --git a/host_vars/progress b/host_vars/progress
index e75b5ce..dd9fd5c 100644
--- a/host_vars/progress
+++ b/host_vars/progress
@@ -2,5 +2,4 @@ inventory_hostname: progress.fet.htu.tuwien.ac.at
 inventory_hostname_short: progress
 common_iptables_v4: "iptables_progress_v4.j2"
-common_iptables_v6: "iptables_progress_v6.j2"
 
 printer_ip: dell3465
diff --git a/host_vars/proteus b/host_vars/proteus
index 9ce50c9..a55e037 100644
--- a/host_vars/proteus
+++ b/host_vars/proteus
@@ -1,2 +1,4 @@
 inventory_hostname: proteus.fet.htu.tuwien.ac.at
 inventory_hostname_short: proteus
+
+common_iptables_v4: "iptables_proteus_v4.j2"
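Review bot: The new `common_iptables_v4: "iptables_proteus_v4.j2"` line has no `common_iptables_v6` counterpart, and the same commit deletes every remaining v6 template and drops the v6 variable from ariane and progress, so no ip6tables ruleset is rendered from this repository for any of these hosts any more. The deleted v6 templates were restrictive (`-A INPUT -p tcp --syn -j DROP` came before the port-22 accept, so all new TCP on IPv6 was dropped); whether IPv6 now falls back to a role default or to an unfiltered stack depends on the `roles/common` submodule bump, which is not visible here and should be confirmed. If the role provides no default, a line such as `common_iptables_v6: "<v6 template>"` per host, or a one-line comment in host_vars stating that IPv6 is intentionally left to the role, would make the intent explicit. The zyklon host_vars hunk has the same gap.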
diff --git a/host_vars/zyklon b/host_vars/zyklon
index 4e75b4b..2e6462d 100644
--- a/host_vars/zyklon
+++ b/host_vars/zyklon
@@ -1,2 +1,4 @@
 inventory_hostname: zyklon.fet.htu.tuwien.ac.at
 inventory_hostname_short: zyklon
+
+common_iptables_v4: "iptables_zyklon_v4.j2"
diff --git a/roles/common b/roles/common
index d738a88..5e916ca 160000
--- a/roles/common
+++ b/roles/common
@@ -1 +1 @@
-Subproject commit d738a88a2fad083777860b6fec9c64456ad62ac6
+Subproject commit 5e916ca510e01a4a13424dc4bf69a1f4dc043649
diff --git a/templates/iptables_ariane_v4.j2 b/templates/iptables_ariane_v4.j2
index 6112834..1ec0d86 100644
--- a/templates/iptables_ariane_v4.j2
+++ b/templates/iptables_ariane_v4.j2
@@ -4,14 +4,14 @@
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
--A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
--A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
--A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
--A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -s 192.168.86.0/24 -d 192.168.86.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
diff --git a/templates/iptables_ariane_v6.j2 b/templates/iptables_ariane_v6.j2
deleted file mode 100644
index d2927b5..0000000
--- a/templates/iptables_ariane_v6.j2
+++ /dev/null
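Review bot: The two re-added `-A OUTPUT ... -m state --state ESTABLISHED -j ACCEPT` lines can never change a verdict, because the chain policy a few lines above is `:OUTPUT ACCEPT [0:0]` and there is no OUTPUT rule that drops anything; they only add rule-evaluation cost and suggest a restriction that does not exist. On the INPUT side, `ESTABLISHED` in the two multiport rules is likewise already covered by the `-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` that now precedes them, so `--state NEW` would say what the rules actually add. The move itself is verdict-neutral since only ACCEPT rules change order, but a short comment above the block such as `# NFS/portmapper for the 192.168.86.0/24 segment only` would tell the next reader why these ports are open. The template's `*filter` and `COMMIT` lines lie outside the hunk.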
@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp --syn -j DROP
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -i lo -j ACCEPT
-COMMIT
diff --git a/templates/iptables_progress_v6.j2 b/templates/iptables_progress_v6.j2
deleted file mode 100644
index d2927b5..0000000
--- a/templates/iptables_progress_v6.j2
+++ /dev/null
@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp --syn -j DROP
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -i lo -j ACCEPT
-COMMIT
diff --git a/templates/iptables_sputnik_v4.j2 b/templates/iptables_proteus_v4.j2
similarity index 90%
rename from templates/iptables_sputnik_v4.j2
rename to templates/iptables_proteus_v4.j2
index b7efa99..cbe5456 100644
--- a/templates/iptables_sputnik_v4.j2
+++ b/templates/iptables_proteus_v4.j2
@@ -8,6 +8,7 @@
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp -j REJECT --reject-with tcp-reset
 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
 -A INPUT -j REJECT --reject-with icmp-proto-unreachable
diff --git a/templates/iptables_sputnik_v6.j2 b/templates/iptables_sputnik_v6.j2
deleted file mode 100644
index d2927b5..0000000
--- a/templates/iptables_sputnik_v6.j2
+++ /dev/null
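Review bot: The rename of `templates/iptables_sputnik_v4.j2` to `iptables_proteus_v4.j2` (and the deletion of `iptables_sputnik_v6.j2`) is not matched by any change to a `host_vars/sputnik` in the diffstat; if that file still exists and still names the sputnik templates, the template lookup for that host fails at the next run, so either confirm the host is retired or update its `common_iptables_v4`/`common_iptables_v6` values in this commit. The added `-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT` is correctly placed before the trailing REJECT rules, but a comment naming the service it exposes, e.g. `# HTTP for <service> on proteus`, would make the template self-explaining, as it is otherwise a copy of sputnik's ruleset with one extra open port. The file's header and `COMMIT` line are outside the hunk.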
@@ -1,12 +0,0 @@
-# {{ ansible_managed }}
-
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -p tcp --syn -j DROP
--A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
--A INPUT -p ipv6-icmp -j ACCEPT
--A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
--A INPUT -i lo -j ACCEPT
-COMMIT
diff --git a/templates/iptables_zyklon_v4.j2 b/templates/iptables_zyklon_v4.j2
new file mode 100644
index 0000000..66618d3
--- /dev/null
+++ b/templates/iptables_zyklon_v4.j2
@@ -0,0 +1,15 @@
+# {{ ansible_managed }}
+
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
+-A INPUT -p tcp -j REJECT --reject-with tcp-reset
+-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
+-A INPUT -j REJECT --reject-with icmp-proto-unreachable
+COMMIT
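Review bot: `-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT` opens port 3000 to every IPv4 source, with nothing in the template saying what listens there; the ariane template in this same commit restricts its service ports with `-s 192.168.86.0/24`, so if 3000 is an internal or development service the same `-s <allowed-subnet>` form should be used here, and if it is meant to be public a comment such as `# <service> on 3000, intentionally reachable from any source` should say so. Stylistically the rule sits between `-A INPUT -i lo -j ACCEPT` and the REJECT tail rather than next to the port-22 accept; grouping the per-port accepts together keeps "what is exposed" readable in one place. This is a new file, so the ruleset is complete as shown.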