jcarr
/
wit-network-config
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fixing live migration iptables rules

This commit is contained in:
toby 2018-11-17 02:06:37 +01:00
parent a0d2d87355
commit 9028be6de6
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
files/firewall
View File

@ -37,7 +37,6 @@ case $1 in
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
## rules for edge nodes, these should be more specific but for now, it'll do ## rules for edge nodes, these should be more specific but for now, it'll do
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
@ -90,6 +89,9 @@ case $1 in
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
## traffic we want to see encrypted over the VPN
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
## rules for edge nodes, these should be more specific but for now, it'll do ## rules for edge nodes, these should be more specific but for now, it'll do
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)