From 94eb7e5d2b89da551017aacd5a33d2264796581b Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Tue, 11 Dec 2018 13:51:21 -0800
Subject: [PATCH] Set iptables forward drop by default

Docker wants to set FORWARD DROP but our existing rules set FORWARD ACCEPT. To avoid these two services fighting over each other and to simplify testing lets default to FORWARD DROP too. None of our servers should act as routers currently. If we resurrect infracloud or if we deploy k8s this may change but today this should be fine and be a safer ruleset.

Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
---
 playbooks/roles/iptables/templates/rules.v4.j2 | 2 +-
 playbooks/roles/iptables/templates/rules.v6.j2 | 2 +-
 testinfra/test_base.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/playbooks/roles/iptables/templates/rules.v4.j2 b/playbooks/roles/iptables/templates/rules.v4.j2
index ec2f8db503..ce845904ff 100644
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
diff --git a/playbooks/roles/iptables/templates/rules.v6.j2 b/playbooks/roles/iptables/templates/rules.v6.j2
index c7549bb4fc..da5d369402 100644
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
diff --git a/testinfra/test_base.py b/testinfra/test_base.py
index 08449e270d..05032aa427 100644
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@@ -64,7 +64,7 @@ def test_iptables(host):
 start = [
 '-P INPUT ACCEPT',
- '-P FORWARD ACCEPT',
+ '-P FORWARD DROP',
 '-P OUTPUT ACCEPT',
 '-N openstack-INPUT',
 '-A INPUT -j openstack-INPUT',
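Review bot: The new `:FORWARD DROP [0:0]` policy line carries no explanation in the template, so the next person who sees forwarded traffic time out on one of these hosts has nothing in the file telling them the drop is deliberate; the identical hunk in rules.v6.j2 has the same gap. A Jinja comment keeps the rendered ruleset byte-identical while recording the reasoning from the commit message: `{# FORWARD policy is DROP: these hosts are not routers (Change-Id I5f19233129cf54eb70beb335c7b6224f0836096c); any host that must forward traffic needs explicit -A FORWARD rules. #}`. Since the policy is DROP rather than REJECT, packets hitting it are discarded silently, so if the template later grows FORWARD rules it is worth ending that chain with a LOG rule so unexpected forwarding shows up in the logs rather than as timeouts. Whether the rest of this template already contains FORWARD rules cannot be seen from the hunk, which covers only the first six lines of the file.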