firewall: updating mirrors.wit.com to allow the new location in usw1 over ipv6

toby 2019-03-11 21:48:58 +00:00
parent eeb6cedbf6
commit c760ae7c2c
1 changed files with 2 additions and 2 deletions


@ -39,7 +39,6 @@ case $1 in
## external services we depend upon ## external services we depend upon
iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host
## rules for edge nodes, these should be more specific but for now, it'll do ## rules for edge nodes, these should be more specific but for now, it'll do
@ -102,6 +101,7 @@ case $1 in
## external services we depend upon ## external services we depend upon
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9091 -j ACCEPT # prometheus pushgateway
ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter ip6tables -A INPUT -s 2600:1f14:3f:1b01:e296:593a:484a:64d2 -p tcp --sport 9103 -j ACCEPT # prometheus collectd-exporter
ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
## ceph ## ceph
ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
@ -121,7 +121,7 @@ case $1 in
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
## rules for edge nodes, these should be more specific but for now, it'll do ## rules for edge nodes, shouldn't ever end up matching on "normal nodes"
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding) ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
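Review bot: The added mirrors.wit.com rule in the second hunk (`ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT`) matches only on source address and source port, so it accepts any TCP segment from that host to any local port as long as the sender uses source port 443, not just replies to connections this node opened. Tying it to connection state would limit it to return traffic: `ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT # mirrors.wit.com`. The neighbouring pushgateway and collectd-exporter rules follow the same stateless pattern, and the rest of the `case` branch is outside the hunks, so whether conntrack is available or deliberately avoided here cannot be seen from this page. The first hunk also drops the IPv4 rule for 170.199.216.13 on port 443, so nodes without working IPv6 to the mirror would presumably lose access; worth confirming that is intended.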