diff --git a/debian/wit-network-config.postinst b/debian/wit-network-config.postinst index 1050944..56429e3 100755 --- a/debian/wit-network-config.postinst +++ b/debian/wit-network-config.postinst @@ -3,7 +3,7 @@ # # see: dh_installdeb(1) -set -xe +set -e # summary of how this script can be called: # * `configure' diff --git a/files/firewall b/files/firewall index 76d3ae5..4b32587 100755 --- a/files/firewall +++ b/files/firewall @@ -21,6 +21,8 @@ case $1 in iptables -A INPUT -p esp -j ACCEPT # ipsec iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec + iptables -A INPUT -p icmp -j ACCEPT # allow pings + iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT # ssh from bastion iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns replies from bastion iptables -A INPUT -s 10.1.19.1 -p tcp --dport 22 -j ACCEPT # ssh from bastion 
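Review bot: The moved `iptables -A INPUT -p icmp -j ACCEPT # allow pings` line admits every ICMP type (redirect, timestamp, router advertisement, …) with no rate limit, so the comment promises less than the rule grants; its new position does not change behaviour, since the second hunk removes the identical rule further down. Consider narrowing it to what is actually wanted, e.g. `iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT # allow pings` followed by `iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT # needed for path-MTU discovery` (and time-exceeded if traceroute replies matter). Separately, the context line `-s 170.199.217.0` treats a .0 address as a single bastion host, unlike the 10.1.19.1 and IPv6 ::1/::b entries; if a subnet was meant, a /24 is missing — worth confirming since it decides who may reach port 22 unencrypted. The enclosing `case $1 in` block starts before and ends after this hunk.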
@@ -28,24 +30,29 @@ case $1 in iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi iptables -A INPUT -s 170.199.216.13 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host - iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph traffic - iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph traffic - iptables -A INPUT -p icmp -j ACCEPT + + iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph osd traffic + iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph osd traffic ## traffic we want to see encrypted over the VPN + iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN + iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 8080 -j ACCEPT # ceph rgw traffic iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 8080 -j ACCEPT # ceph rgw traffic iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic - iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic - iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic + iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic + iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic + ## rules for edge nodes, these should be more 
specific but for now, it'll do iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp + ### mgmt iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT + ### DROP the rest iptables -P INPUT DROP 
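Review bot: The new `iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT` matches on source port only, so any authenticated IPsec peer can reach every UDP service on this host by sending from port 123; it repeats the pattern of the existing `--sport 53`, `--sport 8080` and `--sport 6789` rules, which appear to exist because the INPUT chain has no ESTABLISHED,RELATED rule outside `-i mgmt`. A single `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # replies to our own connections` early in the chain would admit the NTP reply as a tracked response and let the `--sport` holes be removed (`-m state` as used elsewhere in the file still works, but `-m conntrack` is the current module). If conntrack is deliberately avoided, at least pin the destination port as well, `... -p udp --sport 123 --dport 123 -j ACCEPT`, assuming the local NTP client binds 123 rather than an ephemeral port — not visible here. As a style point, `-m multiport` is unnecessary for a single range; `--sport 6800:7300` / `--dport 6800:7300` express the ceph OSD rules without the extra match. The enclosing `case` block starts before and ends after this hunk.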
@@ -81,30 +88,37 @@ case $1 in ip6tables -P INPUT ACCEPT ip6tables -F INPUT ## unencrypted traffic - ip6tables -A INPUT -p esp -j ACCEPT # ipsec - ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec - ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec - ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping - ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p tcp --dport 22 -j ACCEPT # ssh from bastion - ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion - ip6tables -A INPUT -s 2604:bbc0:0:113::b -p tcp --dport 22 -j ACCEPT # ssh from bastion2 - ip6tables -A INPUT -s 2604:bbc0:0:113::b -p udp --sport 53 -j ACCEPT # dns replies from bastion2 - ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp - ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp - ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) - ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) + ip6tables -A INPUT -p esp -j ACCEPT # ipsec + ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec + ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec + ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping + ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) + ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) + + ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p tcp --dport 22 -j ACCEPT # ssh from bastion + ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion + ip6tables -A INPUT -s 2604:bbc0:0:113::b -p tcp --dport 22 -j ACCEPT # ssh from bastion2 + ip6tables -A INPUT -s 2604:bbc0:0:113::b -p udp --sport 53 -j ACCEPT # dns replies from bastion2 + ip6tables -A INPUT -s 2001:67c:1560:8003::c7 
-p udp --sport 123 -j ACCEPT # ntp + ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp + ## traffic we want to see encrypted over the VPN - ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration - ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration + ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN + ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN + ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration + ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration + ## rules for edge nodes, these should be more specific but for now, it'll do - ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) - ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) - ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer - ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer + ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) + ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) + ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer + ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer + ### mgmt - ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf - ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt - 
ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt + ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf + ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt + ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt + ### DROP the rest ip6tables -P INPUT DROP
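Review bot: The rewritten DHCPv6 comment still carries two typos on the new side: `# allow dhcp replies, unclear why but needs the physical interface not vrf` is the intended text. The new `ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT` has the same source-port-only weakness as its IPv4 twin — an IPsec peer sending from UDP 123 reaches any local UDP port — because this chain too has no stateful rule before the `-i mgmt` one; an `ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` near the top would cover NTP, DNS and libvirt replies without per-source-port holes. The blanket `-p ipv6-icmp -j ACCEPT` should not be narrowed casually since neighbour discovery depends on it, but a `-m limit` on `--icmpv6-type echo-request` is safe if ping flooding is a concern. The enclosing `case` block starts before this hunk and likely continues after it.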