From 8bdbba301641ba2e6061ef148e557463a52c2c6b Mon Sep 17 00:00:00 2001
From: toby
Date: Thu, 13 Sep 2018 01:17:40 +0200
Subject: [PATCH] orginizing the firewall a little bit, no changes in theory
---
 files/firewall | 53 +++++++++++++++++++++++---------------------------
 1 file changed, 24 insertions(+), 29 deletions(-)
diff --git a/files/firewall b/files/firewall
index ed25f1a..3607108 100755
--- a/files/firewall
+++ b/files/firewall
@@ -18,20 +18,32 @@ case $1 in
 iptables -P INPUT ACCEPT
 iptables -F INPUT
 #unencrypted traffic
- iptables -A INPUT -p esp -j ACCEPT # ipsec
- iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
- iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
- iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns
- iptables -A INPUT -p icmp -j ACCEPT
+ iptables -A INPUT -p esp -j ACCEPT # ipsec
+ iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
+ iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
+ iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns
+ iptables -A INPUT -p icmp -j ACCEPT
 #traffic we want to see encrypted over the VPN
- iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -m policy --pol ipsec --dir in -j ACCEPT # vxlan traffic
- iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
- #iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
-
- ##### DROP the rest
+ iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -m policy --pol ipsec --dir in -j ACCEPT # vxlan traffic
+ iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
+ #iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
+ ### mgmt
+ iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
+ ### DROP the rest
 iptables -P INPUT DROP
+ #special tables
+ iptables -t mangle -F
+ iptables -t nat -F
+ iptables -t raw -F
+
+ iptables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK
+ iptables -t raw -A OUTPUT ! -o mgmt -j NOTRACK
+ + + #### IPv6
 ip6tables -P INPUT ACCEPT
 ip6tables -F INPUT
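Review bot: The new `iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT` under `### mgmt` drops the `-s 10.0.0.0/8` source restriction that the temporary block removed in the second hunk carried, so SSH on the mgmt interface is now accepted from any IPv4 source; if that was not intended, the rule should read `iptables -A INPUT -i mgmt -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT`, and either way the subject line's "no changes in theory" does not hold. The deleted `else` branch was also the only path that accepted ESTABLISHED,RELATED and SSH on hosts without a `mgmt` interface; after this change such a host ends with `-P INPUT DROP` and no matching accept rule, which looks like a remote lockout unless every host now has `mgmt`. A comment recording that assumption, e.g. `# assumes every host has a mgmt interface; no fallback for hosts without one`, would make the intent reviewable. The `case $1 in` branch this hunk edits continues beyond the hunk.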
@@ -43,36 +55,19 @@ case $1 in
 ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ### mgmt
 ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys
+ ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
+ ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
 ### DROP the rest
 ip6tables -P INPUT DROP
 #special tables
- iptables -t mangle -F
- iptables -t nat -F
- iptables -t raw -F
-
 ip6tables -t mangle -F
 ip6tables -t nat -F
 ip6tables -t raw -F
-
 ip6tables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK
 ip6tables -t raw -A OUTPUT ! -o mgmt -j NOTRACK
- ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
- ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
-
- ##### temp rules till we get VRF in place in the factory, just flip the 3 rules below
- if ip link show dev mgmt >/dev/null 2>&1; then
- iptables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK
- iptables -t raw -A OUTPUT ! -o mgmt -j NOTRACK
- iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -i mgmt -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
- else
- iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 22 -j ACCEPT
- fi
- ##### end temp rules
 ;;
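Review bot: The re-added `ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT` depends on connection tracking, yet the context line `ip6tables -t raw -A PREROUTING ! -i mgmt1 -j NOTRACK` in the same section bypasses tracking for everything not arriving on `mgmt1`; unless `mgmt` and `mgmt1` name the same interface, packets arriving on `mgmt` are never tracked and that state match cannot succeed for them. The first hunk introduces the same `mgmt`/`mgmt1` pairing on the IPv4 side, so whichever way it is resolved should be applied there too. If the two names are deliberately different, a comment such as `# mgmt1 vs mgmt: NOTRACK keys on mgmt1, state rules on mgmt — confirm these are the same link` would stop the next reader from "fixing" it; if not, one of the interface names needs correcting. The `;;` closes the case branch, whose start lies outside the hunk.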