Merge "Block outbound SMTP connections from test jobs"

2021-12-14 20:46:12 +00:00 · 2021-12-14 20:46:12 +00:00 · b044cba65a
commit b044cba65a
parent 63fb188aa3 e2dbda1bec
6 changed files with 54 additions and 6 deletions
--- a/playbooks/roles/iptables/README.rst
+++ b/playbooks/roles/iptables/README.rst
@ -50,14 +50,40 @@ Install and configure iptables

   A list of public UDP ports to open.

+.. zuul:rolevar:: iptables_rules
+   :default: []
+
+   A list of iptables ingress rules.  Each item is a string
+   containing the iptables command line options for the rule. These
+   will be expanded to cover IPv4 and IPv6.
+
 .. zuul:rolevar:: iptables_rules_v4
   :default: []

-   A list of iptables v4 rules.  Each item is a string containing the
-   iptables command line options for the rule.
+   A list of iptables v4 ingress rules.  Each item is a string
+   containing the iptables command line options for the rule.

 .. zuul:rolevar:: iptables_rules_v6
   :default: []

-   A list of iptables v6 rules.  Each item is a string containing the
-   iptables command line options for the rule.
+   A list of iptables v6 ingress rules.  Each item is a string
+   containing the iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_egress_rules
+   :default: []
+
+   A list of iptables egress rules.  Each item is a string
+   containing the iptables command line options for the rule. These
+   will be expanded to cover IPv4 and IPv6.
+
+.. zuul:rolevar:: iptables_egress_rules_v4
+   :default: []
+
+   A list of iptables v4 egress rules.  Each item is a string
+   containing the iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_egress_rules_v6
+   :default: []
+
+   A list of iptables v6 egress rules.  Each item is a string
+   containing the iptables command line options for the rule.
--- a/playbooks/roles/iptables/defaults/main.yaml
+++ b/playbooks/roles/iptables/defaults/main.yaml
@ -1,4 +1,7 @@
 iptables_allowed_hosts: []
+iptables_egress_rules: []
+iptables_egress_rules_v4: '{{ iptables_egress_rules }}'
+iptables_egress_rules_v6: '{{ iptables_egress_rules }}'
 iptables_public_ports: []
 iptables_public_tcp_ports: '{{ iptables_public_ports }}'
 iptables_public_udp_ports: '{{ iptables_public_ports }}'
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@ -3,6 +3,7 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
+:openstack-OUTPUT - [0:0]
 -A INPUT -j openstack-INPUT
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
@ -18,7 +19,7 @@
 {% for port in iptables_public_udp_ports -%}
 -A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
 {% endfor -%}
-# Per-host rules
+# Per-host ingress rules
 {% for rule in iptables_rules_v4 -%}
 -A openstack-INPUT {{ rule }}
 {% endfor -%}
@ -35,4 +36,10 @@
 {% endfor -%}
 {% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited
+# Egress filtering
+-A OUTPUT -j openstack-OUTPUT
+# Per-host egress rules
+{% for rule in iptables_egress_rules_v4 -%}
+-A openstack-OUTPUT {{ rule }}
+{% endfor -%}
 COMMIT
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@ -3,6 +3,7 @@
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
+:openstack-OUTPUT - [0:0]
 -A INPUT -j openstack-INPUT
 -A openstack-INPUT -i lo -j ACCEPT
 -A openstack-INPUT -p icmpv6 -j ACCEPT
@ -17,7 +18,7 @@
 {% for port in iptables_public_udp_ports -%}
 -A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
 {% endfor -%}
-# Per-host rules
+# Per-host ingress rules
 {% for rule in iptables_rules_v6 -%}
 -A openstack-INPUT {{ rule }}
 {% endfor -%}
@ -34,4 +35,10 @@
 {% endfor -%}
 {% endfor -%}
 -A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+# Egress filtering
+-A OUTPUT -j openstack-OUTPUT
+# Per-host egress rules
+{% for rule in iptables_egress_rules_v6 -%}
+-A openstack-OUTPUT {{ rule }}
+{% endfor -%}
 COMMIT
--- a/playbooks/zuul/templates/group_vars/all.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/all.yaml.j2
@ -9,3 +9,6 @@ bastion_ipv6: {{ bastion_ipv6 }}
 {% endif %}
 bastion_public_key: {{ bastion_public_key }}
 iptables_test_public_tcp_ports: {{ iptables_test_public_tcp_ports }}
+iptables_egress_rules:
+  - -o lo -j ACCEPT
+  - -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
--- a/testinfra/util.py
+++ b/testinfra/util.py
@ -89,6 +89,7 @@ def get_ips(value, family=None):
 def verify_iptables(host):
    rules = host.iptables.rules()
    rules = [x.strip() for x in rules]
+    print('Comparing against rules:\n%s' % rules)

    needed_rules = [
        '-P INPUT ACCEPT',
@ -100,6 +101,7 @@ def verify_iptables(host):
        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+        '-A openstack-OUTPUT -p tcp -m tcp --dport 25 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset',
        '-A openstack-INPUT -j REJECT --reject-with icmp-admin-prohibited'
    ]
    for rule in needed_rules: