From a343ade9c44a1f58aad7bbdad03e0fda82ab89c4 Mon Sep 17 00:00:00 2001
From: toby
Date: Fri, 5 Oct 2018 22:27:10 +0000
Subject: [PATCH] adding new firewall rule for stackapi

---
 files/firewall | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/files/firewall b/files/firewall
index 61ece0f..405fe25 100755
--- a/files/firewall
+++ b/files/firewall
@@ -23,8 +23,11 @@ case $1 in
     iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
     iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT # ssh from bastion
     iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns replies from bastion
+    iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
     iptables -A INPUT -s 170.199.210.99 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
     iptables -A INPUT -p icmp -j ACCEPT
+    iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph traffic
+    iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph traffic
     #traffic we want to see encrypted over the VPN
     iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
     iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
@@ -32,8 +35,6 @@ case $1 in
     iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
     iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
     iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
-    iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph traffic
-    iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph traffic
     ### mgmt
     iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
     iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
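Review bot: The new etcd rule in the first hunk accepts any inbound TCP segment from 170.199.216.1 whose source port is 2379, with no connection-state check, so anything that can originate traffic from that address (or spoof it, since the rule is not restricted to the IPsec-policy section or an interface) can reach every local TCP port simply by binding source port 2379. Restrict it to replies belonging to connections this host opened, mirroring the stateful match the file already uses for mgmt: `iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -m state --state ESTABLISHED -j ACCEPT # etcd replies for stackapi`. Note the pre-existing dns and mirrors source-port rules have the same shape, so the weakness is inherited rather than introduced here, but the new line extends it to an etcd endpoint; if etcd is reached in the clear over this path rather than under the IPsec policy below, that is worth confirming too. The enclosing `case $1 in` arm starts before and ends after this hunk.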