
This allows us to specify rules with hostnames, but have Puppet resolve them to IP addresses before writing out the iptables config. This ensures that iptables will always be able to start, and keeps firewalls up to date as hosts change.

Change-Id: I7a0dfbab67bdba72c0a56acc611503795d2bc350
Depends-On: I29d36cc527351e3e6d2ee2dc1919988379b8db3a
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# SNMP
<% @snmp_v4hosts.each do |host| -%>
-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
<% end -%>
# Public TCP ports
<% @public_tcp_ports.each do |port| -%>
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>
# Public UDP ports
<% @public_udp_ports.each do |port| -%>
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>
# Per-host rules
<% @rules4.each do |rule| -%>
-A openstack-INPUT <%= rule %>
<% end -%>
<% @allowed_hosts.each do |host| -%>
<% scope.call_function('dns_a', [host['hostname']]).each do |addr| -%>
-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
<% end -%>
<% end -%>
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
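Review bot: In the `@allowed_hosts` loop, a hostname for which `scope.call_function('dns_a', ...)` returns no address is silently left out of the ruleset, so a DNS problem at catalog-compile time closes access to that host with nothing in the Puppet log to explain it; how `dns_a` behaves on an outright lookup error is not visible here, and if it raises the whole catalog fails instead. I would bind the result and warn before iterating: `<% addrs = scope.call_function('dns_a', [host['hostname']]) -%>`, `<% scope.call_function('warning', ["No A record for #{host['hostname']}, no rule emitted"]) if addrs.empty? -%>`, `<% addrs.each do |addr| -%>`. Separately, `host['protocol']` and `host['port']` are interpolated unvalidated into three places on the rule line, and any value other than tcp/udp yields a line that iptables-restore rejects, which defeats the "always able to start" goal of the change; constraining those values in the manifest's parameter types (or a guard at the top of this loop) is worth doing. A header comment such as `# Addresses below are resolved by Puppet at catalog compile time; they refresh on each agent run, not when DNS changes` would document the update semantics the description promises.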