94eb7e5d2b
Docker wants to set FORWARD DROP but our existing rules set FORWARD ACCEPT. To avoid these two services fighting each other and to simplify testing, let's default to FORWARD DROP too. None of our servers should act as routers currently. If we resurrect infracloud or if we deploy k8s this may change but today this should be fine and be a safer ruleset. Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
# IPv4 filter table in iptables-restore format, rendered from a Jinja template.
# Rules are evaluated top to bottom, so the order of the lines below is significant.
*filter
# Built-in INPUT policy stays ACCEPT; inbound filtering is done by the
# openstack-INPUT chain, whose final REJECT rule is what denies unmatched traffic.
# NOTE(review): if that REJECT or the jump into the chain is ever dropped, INPUT falls open.
:INPUT ACCEPT [0:0]
# FORWARD defaults to DROP and this file adds no FORWARD rules, so the host does not
# route packets between interfaces unless another service (e.g. Docker) adds its own rules.
:FORWARD DROP [0:0]
# OUTPUT is ACCEPT and this file defines no OUTPUT rules: locally generated traffic is not filtered here.
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
# Accepts every ICMP type from any source; this file applies no type filter or rate limit to ICMP.
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# Packets belonging to, or related to, an already-tracked connection are accepted
# here, before any of the per-port NEW rules below are consulted.
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
# No -s match: a new TCP connection to port 22 is accepted from any source address,
# i.e. this ruleset places no network-level restriction on who can reach SSH.
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Public TCP ports
{% for port in iptables_public_tcp_ports -%}
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Public UDP ports
{% for port in iptables_public_udp_ports -%}
-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
{% endfor -%}
# Per-host rules
# Each iptables_rules_v4 entry is appended verbatim after "-A openstack-INPUT", with no
# validation in this template: the entry must supply its own matches and -j target.
# NOTE(review): a broad entry here (e.g. an ACCEPT with no source or port match) takes
# effect before the chain's final REJECT, so review these variables like rule changes.
{% for rule in iptables_rules_v4 -%}
-A openstack-INPUT {{ rule }}
{% endfor -%}
# For every iptables_allowed_hosts entry, host.hostname goes through the dns_a filter and
# one ACCEPT rule is written per returned address, limited to host.protocol and host.port.
# NOTE(review): presumably dns_a resolves when the template is rendered, so the rules pin
# whatever the resolver answered then; confirm, and re-render when an allowed host's address changes.
{% for host in iptables_allowed_hosts -%}
{% for addr in host.hostname | dns_a -%}
-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
{% endfor -%}
{% endfor -%}
# Catch-all: anything not accepted above is rejected with an ICMP host-prohibited reply.
# Must remain the last rule of openstack-INPUT, because the INPUT policy itself is ACCEPT.
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT