chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0
102 stars, 141 forks

you can haaaaazzzzzzz .... omg can you ever haz. this is my favorite by ... #4

Closed (ghost closed this 11 years ago)

ghost commented 11 years ago

...far... easily the most useful thing I've ever written imho. Please, please, please read the readme file; it's gonna tell you far more than what I can tell you right off the top of my head at the moment. This really is my favorite cookbook next to my DNS cookbook; actually I have an "ssh script" cookbook that creates something to this effect:

```bash
#!/bin/bash
# Bind every forwarded port on the loopback address only, so the tunnels are
# reachable from this machine alone.
LOCALHOST="127.0.0.1"
ssh -l root \
  -L${LOCALHOST}:4141:127.0.0.1:4040 \
  -L${LOCALHOST}:8999:127.0.0.1:80 \
  -L${LOCALHOST}:9000:127.0.0.1:81 \
  -L${LOCALHOST}:9001:127.0.0.1:82 \
  -L${LOCALHOST}:9002:servicenetip1:80 \
  -L${LOCALHOST}:8091:servicenetip2:8091 \
  -L${LOCALHOST}:8092:servicenetip3:8091 \
  -L${LOCALHOST}:8093:servicenetip4:8091 \
  -L${LOCALHOST}:3306:servicenetip5:3306 \
  -L${LOCALHOST}:3307:servicenetip6:3306 \
  -L${LOCALHOST}:3308:servicenetip7:3306 \
  ectectect  # the remaining forwards and the destination host are elided in the original
```

It's a very tedious script but it works really, really well, and nobody can access those addresses except the chef server on Rackspace's ServiceNet (or so; that's the intended purpose of all of this anyway...). Basically, the intended purpose is nobody can even ssh to my chef server except me from our work IP and me from my home IP, and I HAVE to ssh to that server to get to ssh to any of the other servers..... really tedious, but once you have the hang of it and understand it all well it's really a life saver.

ghost commented 11 years ago

In short, the thing that is very special about my iptables cookbook is that it allows you to define many-to-many, many-to-one, and one-to-many relationships using roles and attributes. It really deserves more of an audience and I'd like to get some other developers in on it to make it better and, if nothing else, I would love to hear feedback.

ghost commented 11 years ago

OH! I remember what I was going to say now! Yeah, there are some obvious flaws with this, for example... how can I bootstrap a new node to use a DNS server if the DNS server isn't allowing queries from that node in iptables yet? The same very big problem with rsync, because I rsync source code to be built for services that newly created nodes will be running. Since I use knife rackspace from a server that can ssh to any of those servers, I've considered adding functionality to the knife rackspace plugin (I wish I could write plugins for plugins) that would basically ssh into those servers and allow the newly created node's IP to its services before executing bootstrap.......

^____ really would love some feedback on this one .....

another possibility I've considered is a daemon that would run on those hosts that basically listens to a rabbitmq fanout for specific tasks from an appropriate sender..

Also, if not a plugin for the rackspace plugin or a modification to the plugin, then a hack that I found in bootstrap templates:

```erb
<% system('cd /root && tar -cvf /root/chef-repo.tar chef-repo/') # <--- hax
   print('copy and paste this password when prompted: ' + @config[:ssh_password] + "\n")
   system('scp /root/chef-repo.tar root@' + @config[:server_name] + ':/root/chef-repo.tar') %>
```

bash -c ' ... use your imagination

ghost commented 11 years ago

If you need to see to believe:

```
root@appsrv-1-1-1:~# iptables -v -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source                           destination
4840K 1816M ACCEPT     all  --  lo     any     anywhere                         anywhere
  85M   11G ACCEPT     all  --  any    any     anywhere                         anywhere            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  any    any     anywhere                         anywhere            state RELATED,ESTABLISHED
1499K   90M ACCEPT     tcp  --  eth1   any     lb-1-1-2.connectxyz.local        anywhere            tcp dpt:http
1563K   94M ACCEPT     tcp  --  eth1   any     lb-1-1-1.connectxyz.local        anywhere            tcp dpt:http
1500K   90M ACCEPT     tcp  --  eth1   any     lb-1-1-3.connectxyz.local        anywhere            tcp dpt:http
    3   180 ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            tcp dpt:22002
    0     0 ACCEPT     udp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            udp dpt:22002
    0     0 ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            tcp dpt:mysql
    0     0 ACCEPT     udp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            udp dpt:mysql
51786 3104K ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            tcp dpt:ssh
  858 51480 ACCEPT     tcp  --  eth1   any     ossec-1-1.connectxyz.local       anywhere            tcp dpt:ssh
 361K   22M ACCEPT     tcp  --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            tcp dpt:nrpe
 155K   13M ACCEPT     icmp --  eth1   any     chefserver-1-1.connectxyz.local  anywhere            limit: avg 10/sec burst 5
10309  619K ACCEPT     tcp  --  eth1   any     ossec-1-1.connectxyz.local       anywhere            tcp dpt:munin
    0     0 ACCEPT     tcp  --  eth0   any     chefserver-1-1.connectxyz.local  anywhere            tcp dpt:ssh
 370K  117M LOGGING    all  --  any    any     anywhere                         anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source                           destination

Chain OUTPUT (policy ACCEPT 96M packets, 8411M bytes)
 pkts bytes target     prot opt in     out     source                           destination

Chain LOGGING (1 references)
 pkts bytes target     prot opt in     out     source                           destination
 370K  117M LOG        all  --  any    any     anywhere                         anywhere            limit: avg 100/min burst 5 LOG level warning prefix "Dropped: "
 370K  117M DROP       all  --  any    any     anywhere                         anywhere
root@appsrv-1-1-1:~#
```
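The role/attribute relationships the cookbook is described as modelling earlier in the thread, expanded into a ruleset of the same shape as the listing above (explicit ACCEPTs per allowed source host and port, everything else handed to a rate-limited LOGGING chain that logs and drops), as an added example in plain Ruby. This is not the cookbook's own code or recipe DSL: the service/port table, the role-to-service allow map and the role-to-host lookup are constructed stand-ins for what node attributes and a Chef search would supply, and the hostnames are the ones in the listing used as sample data. Rules are emitted in `-A` (iptables-restore) form rather than `-v -L` output form. `accepted?` also makes the bootstrap gap raised earlier concrete: a host not yet in the search results is dropped until the firewall host re-converges.

```ruby
# Added example (not the cookbook's own code): build an iptables ruleset from
# role-to-service relationships, in the shape of the `iptables -v -L` listing
# quoted in this thread. Role names, service ports and the host lists are
# constructed sample data.

require 'set'

# Service name => protocol/port on this host.
SERVICES = {
  'http'  => { proto: 'tcp', port: 80 },
  'ssh'   => { proto: 'tcp', port: 22 },
  'nrpe'  => { proto: 'tcp', port: 5666 },
  'munin' => { proto: 'tcp', port: 4949 },
  'mysql' => { proto: 'tcp', port: 3306 },
}.freeze

# Hypothetical attribute layout: role => services nodes in that role may reach.
# A service under several roles is many-to-one; a role with several services
# is one-to-many.
ALLOW = {
  'loadbalancer' => %w[http],
  'chefserver'   => %w[ssh nrpe mysql],
  'ossec'        => %w[ssh munin],
}.freeze

# Hypothetical search result: role => hosts currently holding that role.
NODES_BY_ROLE = {
  'loadbalancer' => %w[lb-1-1-1.connectxyz.local lb-1-1-2.connectxyz.local],
  'chefserver'   => %w[chefserver-1-1.connectxyz.local],
  'ossec'        => %w[ossec-1-1.connectxyz.local],
}.freeze

# Expand the role relationships into concrete (source host, proto, port) tuples.
def allowed_tuples(allow = ALLOW, nodes = NODES_BY_ROLE, services = SERVICES)
  tuples = Set.new
  allow.each do |role, svc_names|
    (nodes[role] || []).each do |host|
      svc_names.each do |name|
        svc = services.fetch(name)
        tuples << [host, svc[:proto], svc[:port]]
      end
    end
  end
  tuples.to_a.sort
end

# Render the rule list. Anything not explicitly accepted falls through to
# LOGGING, which logs (rate-limited, "Dropped: " prefix) and then DROPs.
def render_rules(iface = 'eth1', tuples = allowed_tuples)
  rules = [
    '-A INPUT -i lo -j ACCEPT',
    '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT',
  ]
  tuples.each do |host, proto, port|
    rules << "-A INPUT -i #{iface} -p #{proto} -s #{host} --dport #{port} -j ACCEPT"
  end
  rules << '-A INPUT -j LOGGING'
  rules << '-A LOGGING -m limit --limit 100/min --limit-burst 5 -j LOG --log-level warning --log-prefix "Dropped: "'
  rules << '-A LOGGING -j DROP'
  rules
end

# Would traffic from host to proto/port be accepted by this ruleset? A node that
# is not yet in the search results (the bootstrap case from the thread) is not.
def accepted?(host, proto, port, tuples = allowed_tuples)
  tuples.include?([host, proto, port])
end

if __FILE__ == $PROGRAM_NAME
  puts render_rules
  puts "new node accepted on http? #{accepted?('new-node.connectxyz.local', 'tcp', 80)}"
end
```

Run it directly to print the ruleset; the last line shows that a freshly created node, absent from the role lookup, is still dropped, which is the chicken-and-egg problem the thread asks for feedback on.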

ghost commented 11 years ago

```
[5642534.495979] Dropped: IN=eth0 OUT= MAC=bc:76:4e:04:a9:eb:70:ca:9b:8d:9a:ff:08:00 SRC=188.127.229.152 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=7777 DPT=19704 WINDOW=0 RES=0x00 ACK RST URGP=0
[5642544.662297] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:b8:6d:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=19881 PROTO=UDP SPT=68 DPT=67 LEN=308
[5642548.080380] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:eb:2c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4871 PROTO=UDP SPT=68 DPT=67 LEN=308
[5642548.327266] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:a2:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=13148 PROTO=UDP SPT=68 DPT=67 LEN=308
```

I've been getting a shit load of spammy broadcast traffic on Rackspace, I think they broke something
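Those "Dropped:" lines are what the LOGGING chain's LOG rule writes to the kernel log. As an added example (not from the thread or the cookbook), here is a Ruby parser that splits each line into its fields and separates the DHCP discover broadcasts (UDP 68 to 67, from 0.0.0.0 to 255.255.255.255, which is what the "spammy broadcast traffic" above is) from every other drop, so the noise does not bury the lines worth reading. The sample input is the four lines quoted above; the masked `DST=xx.xx.xx.xx` is kept as an opaque string, and the duplicate `LEN=` on the UDP lines is resolved by keeping the first (IP-level) value.

```ruby
# Added example: parse netfilter LOG lines carrying the "Dropped: " prefix and
# report DHCP broadcast noise separately from other drops. The sample lines are
# the ones quoted in the thread (DST masked there as xx.xx.xx.xx).

SAMPLE_LOG = <<~LOG
  [5642534.495979] Dropped: IN=eth0 OUT= MAC=bc:76:4e:04:a9:eb:70:ca:9b:8d:9a:ff:08:00 SRC=188.127.229.152 DST=xx.xx.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=7777 DPT=19704 WINDOW=0 RES=0x00 ACK RST URGP=0
  [5642544.662297] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:b8:6d:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=19881 PROTO=UDP SPT=68 DPT=67 LEN=308
  [5642548.080380] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:eb:2c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=4871 PROTO=UDP SPT=68 DPT=67 LEN=308
  [5642548.327266] Dropped: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:bc:76:4e:04:a2:70:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=13148 PROTO=UDP SPT=68 DPT=67 LEN=308
LOG

# Kernel timestamp in brackets, then the LOG prefix, then key=value fields and
# bare flag tokens (DF, ACK, RST, ...).
LINE_RE = /\A\[(?<ts>[\d.]+)\]\s+Dropped:\s+(?<rest>.*)\z/

# Parse one line into a hash of fields; bare tokens are collected under 'FLAGS'.
# Returns nil for lines that are not "Dropped:" records.
def parse_drop(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  fields = { 'TS' => m[:ts].to_f, 'FLAGS' => [] }
  m[:rest].split(/\s+/).each do |tok|
    if tok.include?('=')
      k, v = tok.split('=', 2)
      # LEN= appears twice on UDP lines (IP length, then UDP length); keep the first.
      fields[k] = v unless fields.key?(k)
    else
      fields['FLAGS'] << tok
    end
  end
  fields
end

# DHCP discover/request broadcast from an unconfigured client: UDP 68 -> 67,
# source 0.0.0.0, destination 255.255.255.255.
def dhcp_broadcast?(f)
  f['PROTO'] == 'UDP' && f['SRC'] == '0.0.0.0' && f['DST'] == '255.255.255.255' &&
    f['SPT'] == '68' && f['DPT'] == '67'
end

# Count DHCP broadcasts in one bucket and group everything else by
# source, protocol/destination port and TCP flags.
def summarize(log)
  summary = { dhcp_broadcast: 0, other: Hash.new(0), unparsed: 0 }
  log.each_line do |line|
    next if line.strip.empty?
    f = parse_drop(line)
    if f.nil?
      summary[:unparsed] += 1
      next
    end
    if dhcp_broadcast?(f)
      summary[:dhcp_broadcast] += 1
    else
      key = "#{f['SRC']} #{f['PROTO']}/#{f['DPT']} #{f['FLAGS'].join(',')}"
      summary[:other][key] += 1
    end
  end
  summary
end

if __FILE__ == $PROGRAM_NAME
  s = summarize(SAMPLE_LOG)
  puts "DHCP broadcast drops: #{s[:dhcp_broadcast]}"
  s[:other].each { |k, n| puts "other: #{k} x#{n}" }
end
```

Feed it `dmesg` or `/var/log/kern.log` output instead of `SAMPLE_LOG` to get the same split on a live host; the `other` bucket is the part left over once the broadcast chatter is removed.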

sethvargo commented 11 years ago

Hey @paigeadele! Thank you for supporting the Opscode Cookbooks! Our process has a couple prerequisites before we can merge your contribution. We need to ensure you've completed a Contributor License Agreement (CLA) and a ticket on our ticket tracker for the release workflow. Pull requests are optional, but should always include the ticket number that they're related to for cross-referencing. Please take a moment to review the below wiki page for the appropriate steps:

sethvargo commented 11 years ago

Ohai!

I'm going to close this due to inactivity, but please re-open if you have more time to work on this issue :smile:.