starting to use ceph on ipv6 as well ....

This commit is contained in:
toby 2019-02-05 20:23:44 -08:00
parent c99727567d
commit b9d53909b8
1 changed files with 12 additions and 1 deletions


@ -66,7 +66,8 @@ case $1 in
iptables -A FORWARD -i ipmigw1 -j DROP
## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
#special tables
iptables -t mangle -F
@ -102,6 +103,16 @@ case $1 in
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter
## ceph
ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
## traffic we want to see encrypted over the VPN
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
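Review bot: The four `--sport`/`--sports` ACCEPT rules for ceph (the `-i lo` and `--pol ipsec` lines matching source port 6789 and 6800:7300) are stateless and accept inbound TCP to any local port as long as the sender picks a source port in those ranges, so a peer on the VPN or anything on lo can reach unrelated services simply by binding a source port in 6800-7300; only the `--dport`/`--dports` rules actually describe the ceph services on this host. The usual fix is to drop the source-port rules and accept return traffic statefully once, ahead of the per-service rules, e.g. `ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` (the existing IPv4 section, which is outside the hunk, may already carry such a rule; if it does, mirror it here). If loopback is already allowed wholesale elsewhere in the IPv6 block, the two `-i lo` ceph rules are redundant and can go as well. The enclosing `case $1 in` arm starts and ends outside the hunk.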