adding firewall restart to postinst script. firewall is now restarted on upgrade; this may break kickstart and needs testing

This commit is contained in:
toby 2018-11-28 18:14:08 +01:00
parent f022e1e2c0
commit 83e0ccc728
2 changed files with 20 additions and 11 deletions


@ -235,6 +235,7 @@ case "$1" in
auto ${ifname}
iface ${ifname} inet static
address ${ipv4/\\/}
iface ${ifname} inet6 static
address ${ipv6/\\/}
@ -389,6 +390,7 @@ case "$1" in
#systemctl disable strongswan # disable ipsec till we have the certs and all ansible will enable it after dropping certs
systemctl enable firewall
systemctl restart firewall
systemctl enable systemd-timesyncd
systemctl restart systemd-timesyncd
systemctl restart ssh
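Review bot: `systemctl restart firewall` on the new side runs unguarded, so if the firewall unit fails to come up the postinst itself fails and dpkg leaves the package unconfigured, which is a worse outcome than a host that keeps its previously loaded rules. Whether this script runs under `set -e`, and whether this arm is only reached for `configure`, cannot be told here because the enclosing `case "$1" in` starts outside the hunk; either way the intent should be explicit, e.g. `systemctl restart firewall || echo "warning: firewall restart failed, rules not reloaded" >&2`. Note also that the firewall script's `restart` target in this same commit calls `start` without `stop`, so every upgrade will re-append the rule set; that is raised on the firewall file.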


@ -23,6 +23,21 @@ case $1 in
iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
iptables -A INPUT -p icmp -j ACCEPT # allow pings
## local ceph osd services
iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph osd traffic
iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph osd traffic
## traffic we want to see encrypted over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp replies for anything over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
## external services we deplend upon
iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT # ssh from bastion
iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns replies from bastion
iptables -A INPUT -s 10.1.19.1 -p tcp --dport 22 -j ACCEPT # ssh from bastion
@ -31,17 +46,6 @@ case $1 in
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host
iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph osd traffic
iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph osd traffic
## traffic we want to see encrypted over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
## rules for edge nodes, these should be more specific but for now, it'll do
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
@ -170,13 +174,16 @@ case $1 in
echo " done"
;;
restart)
#$0 stop
$0 start
;;
*)
echo "use $0 [start|stop|restart]"
;;
esac
exit 0
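Review bot: The `restart)` arm on the new side calls `$0 start` with `$0 stop` commented out, so a restart only re-appends every rule in `start` onto the existing INPUT chain, and since the postinst in this commit now restarts the firewall on every upgrade the chain will gain a duplicate copy of each rule per upgrade, defeating the reordering the first hunk introduces. Whether the commented `stop` is new to this commit cannot be told from the rendered page. If `stop` was disabled because flushing under a drop policy opens a gap, the safer shape is to make `start` idempotent by flushing first, e.g. `iptables -F INPUT` as its first line, rather than leaving `restart` as a pure append. Separately, the `--sport 123` and `--sport 53` accept rules in the first hunk admit any packet with that source port to any local port; unless an `-m conntrack --ctstate ESTABLISHED,RELATED` rule exists earlier in the chain (outside the hunk), replies should be matched by connection state instead. The enclosing `case $1 in` starts outside the hunk.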