starting to use ceph on ipv6 as well ....

files/firewall

@@ -66,7 +66,8 @@ case $1 in
         iptables -A FORWARD -i ipmigw1 -j DROP
 
        ## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
-	#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
+        #iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
+
 
        #special tables
         iptables -t mangle -F
@@ -102,6 +103,16 @@ case $1 in
         ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2          -p tcp   --sport  9091                       -j ACCEPT   # prometheus pushgateway
         ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2          -p tcp   --sport  9103                       -j ACCEPT   # prometheus collectd-exporter
 
+       ## ceph
+        ip6tables -A INPUT -i lo                                             -p tcp   --dport   6789                      -j ACCEPT   # ceph mon traffic
+        ip6tables -A INPUT -i lo                                             -p tcp   --sport   6789                      -j ACCEPT   # ceph mon traffic
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport   6789                      -j ACCEPT   # ceph mon traffic
+        ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --sport   6789                      -j ACCEPT   # ceph mon traffic
+        ip6tables -A INPUT -i lo                           -m multiport      -p tcp   --dports  6800:7300                 -j ACCEPT   # ceph osd traffic
+        ip6tables -A INPUT -i lo                           -m multiport      -p tcp   --sports  6800:7300                 -j ACCEPT   # ceph osd traffic
+        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --dports  6800:7300                 -j ACCEPT   # ceph osd traffic
+        ip6tables -A INPUT -m policy --pol ipsec --dir in  -m multiport      -p tcp   --sports  6800:7300                 -j ACCEPT   # ceph osd traffic
+
        ## traffic we want to see encrypted over the VPN
         ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p tcp   --dport    22                       -j ACCEPT   # ssh if coming over the VPN
         ip6tables -A INPUT -m policy --pol ipsec --dir in                    -p udp   --sport    53                       -j ACCEPT   # dns replies from anything over the VPN