From f72ff64029268045dbe4530d8634dd1751cff89f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Sep 24 2024 17:55:20 +0000
Subject: bastion / iptables: Add internal RH mxes and drop global allow

We want to allow internal mx'es to send us email still. We want to drop the global allow for port 25 now that we hopefully have all the legit senders listed.

Signed-off-by: Kevin Fenzi
---
diff --git a/inventory/group_vars/bastion b/inventory/group_vars/bastion
index 7a7b67e..c9f08e2 100644
--- a/inventory/group_vars/bastion
+++ b/inventory/group_vars/bastion
@@ -67,5 +67,5 @@ primary_auth_source: ipa
 #
 # allow incoming openvpn and smtp
 #
-tcp_ports: [22, 25, 1194]
+tcp_ports: [22, 1194]
 udp_ports: [1194]
diff --git a/roles/base/templates/iptables/iptables.bastion b/roles/base/templates/iptables/iptables.bastion
index 6133eb1..05eb972 100644
--- a/roles/base/templates/iptables/iptables.bastion
+++ b/roles/base/templates/iptables/iptables.bastion
@@ -77,6 +77,9 @@
 -A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 192.168.0.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 -A INPUT -s 10.3.160.0/19 -m tcp -p tcp --dport 25 -j ACCEPT
+# redhat mxes
+-A INPUT -s 10.30.177.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
+-A INPUT -s 10.30.29.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
 # mimecast ips from
 # https://community.mimecast.com/s/article/email-security-cloud-gateway-data-centers-and-urls?r=297&ui-knowledge-components-aura-actions.KnowledgeArticleVersionCreateDraftFromOnlineAction.createDraftFromOnlineArticle=1
 -A INPUT -s 170.10.132.0/24 -m tcp -p tcp --dport 25 -j ACCEPT
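Review bot: The context comment `# allow incoming openvpn and smtp` above the changed `tcp_ports` line is now stale, since 25 is removed from the list and smtp is no longer globally allowed here. Update it to describe the new intent, e.g. `# allow incoming ssh and openvpn; smtp (25) is allowed only from the explicit sender ranges in the iptables.bastion template`, so the next reader does not add 25 back to restore "smtp". The rest of the group_vars file is outside the hunk, so I cannot tell whether any other variable still references port 25.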
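Review bot: The added `# redhat mxes` comment does not record where the two ranges 10.30.177.0/24 and 10.30.29.0/24 come from or whether whole /24s are needed rather than the individual MX hosts, unlike the neighbouring mimecast block that cites its source. With the global port-25 allow removed in the group_vars hunk, this template is now the complete list of who may reach port 25, so each entry should be auditable: I would expand the comment to `# redhat internal mxes (source: <TICKET-OR-DOC placeholder>); whole /24 allowed because the MX pool moves within it` or narrow to specific hosts if that is not the case. The hunk also does not show the final disposition for port 25 from unlisted sources; presumably the chain's default policy or a trailing REJECT handles it, but that is outside the hunk and worth confirming after deploy with a connection test from a non-listed address. The rule list continues outside the hunk.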