starting to use ceph on ipv6 as well ....
This commit is contained in:
parent
c99727567d
commit
b9d53909b8
|
@ -66,7 +66,8 @@ case $1 in
|
|||
iptables -A FORWARD -i ipmigw1 -j DROP
|
||||
|
||||
## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
|
||||
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
|
||||
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
|
||||
|
||||
|
||||
#special tables
|
||||
iptables -t mangle -F
|
||||
|
@ -102,6 +103,16 @@ case $1 in
|
|||
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
|
||||
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter
|
||||
|
||||
## ceph
|
||||
ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
|
||||
ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
|
||||
ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
|
||||
ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
|
||||
|
||||
## traffic we want to see encrypted over the VPN
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
|
||||
ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
|
||||
|
|
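Review bot: The return-path rules in this hunk that match only on source port (`--sport 6789` and `-m multiport --sports 6800:7300` with `-j ACCEPT`, both the `-i lo` and the `-m policy --pol ipsec` variants) accept any inbound TCP connection whose source port falls in the ceph range, so a peer on the IPsec tunnel could reach any locally listening port just by binding a source port in 6800:7300; a source port does not identify reply traffic. If the intent is to let replies to outbound ceph connections through, match connection state once ahead of the port-specific rules, e.g. `ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, and drop the `--sport`/`--sports` ACCEPTs; the `--dport`/`--dports` rules are fine as written. The same shape exists in the pre-existing `--sport 9091`/`9103`/`--sport 53` rules around this hunk, which the commit does not touch. The enclosing `case $1 in` arm starts before the hunk, so it is not visible here whether a conntrack rule is already present earlier in the INPUT chain; if it is, the source-port rules are redundant and can simply be removed.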