adding firewall rules for edge boxes

This commit is contained in:
toby 2018-10-20 18:55:45 +02:00
parent 0eceabfe1d
commit c7d116d1c1
1 changed files with 7 additions and 0 deletions


@ -35,6 +35,10 @@ case $1 in
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
#rules for edge nodes, these should be more specific but for now, it'll do
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
### mgmt
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
@ -66,6 +70,9 @@ case $1 in
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
#rules for edge nodes, these should be more specific but for now, it'll do
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
### mgmt
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
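Review bot: The new `-i up+` rules in both hunks accept traffic from any source: the GRE rule carries no `-s` restriction, and the `--sport 179` rules match only on the remote source port rather than on connection state, so they admit far more than BGP replies. Pin GRE to the known tunnel endpoints, e.g. `iptables -A INPUT -i up+ -s <PEER_ADDRESS> -p gre -j ACCEPT` per peer, and replace each `--sport 179` line with the state match the file already uses for mgmt, `iptables -A INPUT -i up+ -m state --state ESTABLISHED,RELATED -j ACCEPT` (same for the ip6tables hunk). The `--dport 179` rules would likewise be tighter with `-s` limited to the configured BGP peers, as the existing `fe80::/10` rules already do. The comment acknowledges these are provisional; a `# TODO: restrict up+ rules to peer addresses` marker would keep that visible to the next reader. The enclosing `case $1 in` block begins outside the hunk.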