diff --git a/files/firewall b/files/firewall
index aa330b2..93d0e8d 100755
--- a/files/firewall
+++ b/files/firewall
@@ -18,39 +18,39 @@ case $1 in
 iptables -P INPUT ACCEPT
 iptables -F INPUT
 ## unencrypted traffic
- iptables -A INPUT -p esp -j ACCEPT # ipsec
- iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
- iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
- iptables -A INPUT -p icmp -j ACCEPT # allow pings
+ iptables -A INPUT -p esp -j ACCEPT -m comment --comment "ipsec"
+ iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT -m comment --comment "ipsec"
+ iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
+ iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings"
 ## local ceph osd services
- iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph osd traffic
- iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph osd traffic
+ iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
+ iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
 ## traffic we want to see encrypted over the VPN
- iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp replies for anything over the VPN
- iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
- iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
+ iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
+ iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT -m comment --comment "vxlan traffic"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp replies for anything over the VPN"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies from anything over the VPN"
+ iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
 ## external services we depend upon
- iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
- iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host
+ iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT -m comment --comment "etcd replies stackapi"
+ iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT -m comment --comment "allow email smart host"
- ## rules for edge nodes, these should be more specific but for now, it'll do
- iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
- iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # upstream to public bgp
- iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # upstream from public bgp
- iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
- iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
+ ## rules for edge nodes, shouldn't ever end up matching on "normal nodes"
+ iptables -A INPUT -i up+ -p gre -j ACCEPT -m comment --comment "gre tunnels from other sites"
+ iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "upstream to public bgp"
+ iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "upstream from public bgp"
+ iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customer"
+ iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customers"
 ### mgmt
- iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
- iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh on mgmt vrf"
+ iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "stateful mgmt vrf"
 ### DROP the rest
 iptables -P INPUT DROP
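Review bot: The edge-node section heading in this hunk and the one in the ip6tables INPUT hunk (`@@ -91,48 +92,48 @@`) appear to have been swapped: here `## rules for edge nodes, these should be more specific but for now, it'll do` is replaced by `## rules for edge nodes, shouldn't ever end up matching on "normal nodes"`, while the IPv6 hunk makes exactly the opposite replacement. That looks like a copy/paste mix-up rather than an intended re-wording, and the "should be more specific" caveat is worth keeping in both places, since the `up+`/`customer+` rules accept GRE and BGP on an interface-name pattern and a TTL check alone. Suggest using the same heading in both files sections, e.g. `## rules for edge nodes; should never match on "normal nodes", still should be more specific`. The enclosing `case $1 in` arm starts and ends outside the hunk.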
@@ -58,11 +58,12 @@ case $1 in
 ## some rules for bastion boxes to protect the mgmt networks
 iptables -F FORWARD
- iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -o mgmtgw1 -j DROP
- iptables -A FORWARD -o ipmigw1 -j DROP
- iptables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A FORWARD -i ipmigw1 -j DROP
+ iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
+ iptables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"
+ iptables -A FORWARD -o ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
+ iptables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "only for bastion hosts"
+ iptables -A FORWARD -i ipmigw1 -j DROP -m comment --comment "only for bastion hosts"
+ ## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
 #iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
@@ -75,15 +76,15 @@ case $1 in
 # this matters only on bastion boxes
- iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
- iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
- iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
- iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
+ iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
 # this matters on all boxes
- iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
- iptables -t raw -A OUTPUT -o mgmt -j ACCEPT
- iptables -t raw -A PREROUTING -j NOTRACK
- iptables -t raw -A OUTPUT -j NOTRACK
+ iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
+ iptables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
+ iptables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track the rest"
+ iptables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track the rest"
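Review bot: The new comment `"DO track mgmt vrf"` on the raw PREROUTING line labels a rule that matches `-i mgmt1`, while the OUTPUT rule next to it matches `-o mgmt`; elsewhere in this commit (the ip6tables dhcp rule) `mgmt1` is described as the physical interface and `mgmt` as the vrf, so the two raw rules presumably key on different interfaces on purpose and the shared label hides that. If that reading is right, `--comment "DO track mgmt physical if (inbound)"` on the PREROUTING line and `--comment "DO track mgmt vrf (outbound)"` on the OUTPUT line would document the asymmetry instead of papering over it; the same pair appears in the ip6tables raw hunk (`@@ -154,15 +155,15 @@`). The enclosing `case` arm starts and ends outside the hunk.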
@@ -91,48 +92,48 @@ case $1 in
 ip6tables -P INPUT ACCEPT
 ip6tables -F INPUT
 ## unencrypted traffic
- ip6tables -A INPUT -p esp -j ACCEPT # ipsec
- ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
- ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
- ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # icmp
- ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -p esp -j ACCEPT -m comment --comment "ipsec"
+ ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT -m comment --comment "ipsec"
+ ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
+ ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "icmp"
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
 ## external services we depend upon
- ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
+ ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT -m comment --comment "# mirrors.wit.com"
 ## ceph
- ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
- ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
- ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
- ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
- ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
- ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
+ ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
+ ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
+ ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
 ## traffic we want to see encrypted over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN
- ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 2379 -j ACCEPT # etcd replies from stackapi
- ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
- ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies from anything over the VPN"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp if coming over the VPN"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 2379 -j ACCEPT -m comment --comment "etcd replies from stackapi"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
- ## rules for edge nodes, shouldn't ever end up matching on "normal nodes"
- ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp to public peer
- ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp from public peer
- ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # downstream bgp for dedicated customer
- ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # downstream bgp for dedicated customers
+ ## rules for edge nodes, these should be more specific but for now, it'll do
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
+ ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
+ ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp to public peer"
+ ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp from public peer"
+ ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customer"
+ ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customers"
 ### mgmt
- ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf
- ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
- ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
+ ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT -m comment --comment "dhcp replys, unlcear why physical if not vrf"
+ ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh for mgmt vrf"
+ ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "stateful mgmt vrf"
 ### DROP the rest
 ip6tables -P INPUT DROP
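Review bot: The mirrors rule carries a stray hash inside its comment string, `--comment "# mirrors.wit.com"`; the `#` is now part of the rule text stored in the kernel and shown by `ip6tables -S`, and it is the only comment in the file with one, so it reads as a leftover from the shell comment that was converted. Change it to `--comment "mirrors.wit.com"`. While converting, the typos on the dhcp line also became rule text that operators will see in listings, so `--comment "dhcp replies, unclear why physical if not vrf"` would be better than `"dhcp replys, unlcear why physical if not vrf"`. The enclosing `case` arm starts and ends outside the hunk.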
@@ -140,11 +141,11 @@ case $1 in
 ## some rules for bastion boxes to protect the mgmt networks
 ip6tables -F FORWARD
- ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A FORWARD -o mgmtgw1 -j DROP
- ip6tables -A FORWARD -o ipmigw1 -j DROP
- ip6tables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A FORWARD -i ipmigw1 -j DROP
+ ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -A FORWARD -o mgmtgw1 -j DROP -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -A FORWARD -o ipmigw1 -j DROP -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -A FORWARD -i ipmigw1 -m state --state ESTABLISHED,RELATED -j ACCEPT -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -A FORWARD -i ipmigw1 -j DROP -j ACCEPT -m comment --comment "only for bastion hosts"
 #special tables
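Review bot: Every added ip6tables FORWARD line carries two jump targets (`-j DROP -j ACCEPT`, `-j ACCEPT -j ACCEPT`); ip6tables refuses a second `-j`, so none of these five rules will load, and because the chain is flushed two lines earlier the IPv6 FORWARD chain is left with no rules instead of the mgmtgw1/ipmigw1 protection the comments describe. It looks like a search-and-replace that appended `-j ACCEPT -m comment ...` rather than `-m comment ...`; the iptables counterpart in this same commit is correct. Drop the extra token on each line so they match the IPv4 form, e.g. `ip6tables -A FORWARD -o mgmtgw1 -j DROP -m comment --comment "only for bastion hosts"`. The enclosing `case` arm starts and ends outside the hunk, so whether the script aborts on a failed ip6tables call (set -e or similar) is not visible here.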
@@ -154,15 +155,15 @@ case $1 in
 # this matters only on bastion boxes
- ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
- ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
- ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
- ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
+ ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
+ ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT -m comment --comment "only for bastion hosts"
 # this matters on all boxes
- ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
- ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
- ip6tables -t raw -A PREROUTING -j NOTRACK
- ip6tables -t raw -A OUTPUT -j NOTRACK
+ ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
+ ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
+ ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
+ ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track mgmt vrf"
 #some boxes get special addon rules
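Review bot: The comment `"do NOT track mgmt vrf"` on the two NOTRACK lines states the opposite of what the rules do: they have no interface match, so they disable conntrack for everything that the `mgmt1`/`mgmt` ACCEPT rules immediately above did not already exempt, which is exactly why the iptables raw hunk in this commit labels the same pair `"do NOT track the rest"`. Anyone reading `ip6tables -t raw -S` later would conclude mgmt traffic is untracked, which would make the stateful `ESTABLISHED,RELATED` rules on `-i mgmt` look broken. Use the IPv4 wording on both lines: `ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track the rest"` and the same for OUTPUT. The enclosing `case` arm starts and ends outside the hunk.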