diff --git a/files/firewall b/files/firewall
index e3e5147..0fcb936 100755
--- a/files/firewall
+++ b/files/firewall
@@ -66,7 +66,8 @@ case $1 in
 iptables -A FORWARD -i ipmigw1 -j DROP
 ## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
- #iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
+ #iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
+ #special tables
 iptables -t mangle -F
@@ -102,6 +103,16 @@ case $1 in
 ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
 ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter
+ ## ceph
+ ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
+ ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
+ ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
+ ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
+ ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
+ ## traffic we want to see encrypted over the VPN
 ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
 ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
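Review bot: The two `--sport 6789` and `--sports 6800:7300` ACCEPT rules on the IPsec path admit any inbound TCP segment from a VPN peer whose source port happens to fall in those ranges, including new SYNs aimed at any local port, because nothing in the rule limits them to reply traffic; the hunk does not show whether an ESTABLISHED conntrack rule precedes them, and if one does these lines are redundant rather than harmful. Restricting them to non-SYN packets keeps the intent (return traffic for outbound ceph connections) without opening the whole port space: `ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 ! --syn -j ACCEPT # ceph mon replies` and `ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6800:7300 ! --syn -j ACCEPT # ceph osd replies`. On the same lines, `-m multiport` is unnecessary for a single contiguous range; `--dport 6800:7300` / `--sport 6800:7300` are accepted natively and match the style of the surrounding rules. If this cluster uses the msgr2 protocol, the monitors presumably also listen on 3300, which these rules do not cover — worth confirming against the ceph config. The enclosing `case` arm starts and ends outside the hunk.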