Merge pull request #274 from calcium-machine/develop-catapult

Develop catapult
devopsgroup-io · Sep 15, 2015 · 14f7938 · 14f7938
2 parents d7a2e50 + b2ceb75
commit 14f7938
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 44 deletions.
diff --git a/VERSION.yml b/VERSION.yml
@@ -1 +1 @@
-version: 1.7.0
+version: 1.7.1
diff --git a/provisioners/redhat/modules/iptables.sh b/provisioners/redhat/modules/iptables.sh
@@ -2,44 +2,29 @@ redhat_ip="$(echo "${configuration}" | shyaml get-value environments.${1}.server
 
 # remove all rules
 sudo iptables --flush
+# we're not a router
+sudo iptables --policy FORWARD DROP
+# allow all output, only filter input
+sudo iptables --policy OUTPUT ACCEPT
+
 # allow server/client ssh over 22
 sudo iptables\
     --append INPUT\
     --protocol tcp\
     --dport 22\
     --jump ACCEPT
-sudo iptables\
-    --append OUTPUT\
-    --protocol tcp\
-    --sport 22\
-    --jump ACCEPT
 # allow server to use 127.0.0.1 or localhost, lo = loopback interface
 sudo iptables\
     --append INPUT\
     --in-interface lo\
     --jump ACCEPT
-sudo iptables\
-    --append OUTPUT\
-    --out-interface lo\
-    --jump ACCEPT
 # allow server to access the web for packages, updates, etc
-sudo iptables\
-    --append OUTPUT\
-    --out-interface eth0\
-    --destination 0.0.0.0/0\
-    --jump ACCEPT
 sudo iptables\
     --append INPUT\
     --in-interface eth0\
     --match state\
     --state ESTABLISHED,RELATED\
     --jump ACCEPT
-# allow for outbound mail
-sudo iptables\
-    --append OUTPUT\
-    --protocol tcp\
-    --dport 25\
-    --jump ACCEPT
 # allow incoming web traffic from the world
 if [ "${4}" == "apache" ]; then
     sudo iptables\
@@ -51,12 +36,12 @@ if [ "${4}" == "apache" ]; then
         --state NEW,ESTABLISHED\
         --jump ACCEPT
     sudo iptables\
-        --append OUTPUT\
-        --out-interface eth0\
+        --append INPUT\
+        --in-interface eth0\
         --protocol tcp\
-        --sport 80\
+        --dport 443\
         --match state\
-        --state ESTABLISHED\
+        --state NEW,ESTABLISHED\
         --jump ACCEPT
 # allow incoming database traffic
 elif [ "${4}" == "mysql" ]; then
@@ -70,14 +55,6 @@ elif [ "${4}" == "mysql" ]; then
             --match state\
             --state NEW,ESTABLISHED\
             --jump ACCEPT
-        sudo iptables\
-            --append OUTPUT\
-            --out-interface eth0\
-            --protocol tcp\
-            --sport 3306\
-            --match state\
-            --state ESTABLISHED\
-            --jump ACCEPT
     else
         # from the redhat server
         sudo iptables\
@@ -89,21 +66,10 @@ elif [ "${4}" == "mysql" ]; then
             --match state\
             --state NEW,ESTABLISHED\
             --jump ACCEPT
-        sudo iptables\
-            --append OUTPUT\
-            --out-interface eth0\
-            --protocol tcp\
-            --destination ${redhat_ip}\
-            --sport 3306\
-            --match state\
-            --state ESTABLISHED\
-            --jump ACCEPT
     fi
 fi
 
 # now that everything is configured, we drop everything else (drop does not send any return packets, reject does)
-sudo iptables --policy FORWARD DROP
 sudo iptables --policy INPUT DROP
-sudo iptables --policy OUTPUT DROP
 # output the iptables
 sudo iptables --list