From e30b524896d7df9f7880dee8e9dd2a8e28bf0732 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Wed, 17 Feb 2021 12:38:15 -0800
Subject: [PATCH] iptables: Limit smokescreen port 4750, add camo port.

Limit incoming connections to port 4750 to only the smokescreen host, and also allow access to the Camo server on that host, on port 9292.
---
 puppet/zulip_ops/templates/iptables/rules.v4.erb | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/puppet/zulip_ops/templates/iptables/rules.v4.erb b/puppet/zulip_ops/templates/iptables/rules.v4.erb
index fc8b2bbf34..eb93cca3de 100644
--- a/puppet/zulip_ops/templates/iptables/rules.v4.erb
+++ b/puppet/zulip_ops/templates/iptables/rules.v4.erb
@@ -40,9 +40,14 @@
 -A INPUT -p tcp --dport https -j ACCEPT
 -A INPUT -p tcp --dport postgresql -j ACCEPT

+<% if @fqdn.include? "smokescreen" -%>
 # Smokescreen proxy
 -A INPUT -p tcp --dport 4750 -j ACCEPT

+# Camo proxy
+-A INPUT -p tcp --dport 9292 -j ACCEPT
+<% end -%>
+
 # statsd
 -A INPUT -p udp --dport 8125 -j ACCEPT
 <% end -%>
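Review bot: Both ACCEPT rules inside the new conditional (`--dport 4750` and `--dport 9292`) match any source address, so on the smokescreen host the outgoing proxy and Camo are reachable by anything that can route to it, unless a filter outside this template (a security group or upstream firewall, not visible here) narrows that. If the clients are a known set, a source match such as `-A INPUT -p tcp -s <APP_SERVER_CIDR> --dport 4750 -j ACCEPT` (placeholder CIDR) would keep the proxy from being usable as an open relay. The guard `@fqdn.include? "smokescreen"` is a substring test over the whole FQDN, so any host with that string anywhere in its name or domain opens both ports; an anchored match on the host part or an explicit role setting would be tighter. The outer conditional closed by the final `<% end -%>` begins outside the hunk, so whether these rules are further scoped cannot be told from here.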