opendev/system-config
Code Issues Proposed changes
d9d9a53cb7
system-config/playbooks/roles/iptables/templates/rules.v6.j2
Monty Taylor d93a661ae4 Run iptables in service playbooks instead of base 
It's the only part of base that's important to run when we run a
service. Run it in the service playbooks and get rid of the
dependency on infra-prod-base.

Continue running it in base so that new nodes are brought up
with iptables in place.

Bump the timeout for the mirror job, because the iptables addition
seems to have just bumped it over the edge.

Change-Id: I4608216f7a59cfa96d3bdb191edd9bc7bb9cca39
2020-06-04 07:44:22 -05:00

38 lines
1.4 KiB
Django/Jinja
Raw Blame History

*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmpv6 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
{% for rule in iptables_rules_v6 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_aaaa -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %}-m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
{% for group in iptables_allowed_groups -%}
{% for addr in groups.get(group.group) | map('extract', hostvars, 'public_v6') -%}
{% if addr -%}
-A openstack-INPUT {% if group.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ group.protocol }} -p {{ group.protocol }} -s {{ addr }} --dport {{ group.port }} -j ACCEPT
{% endif -%}
{% endfor -%}
{% endfor -%}
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
View Git Blame Copy Permalink