From c7d116d1c1a27d14fe9f9fdcb0e6c6f088328f86 Mon Sep 17 00:00:00 2001
From: toby
Date: Sat, 20 Oct 2018 18:55:45 +0200
Subject: [PATCH] adding firewall rules for edge boxes

---
 files/firewall | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/files/firewall b/files/firewall
index 405fe25..6e13224 100755
--- a/files/firewall
+++ b/files/firewall
@@ -35,6 +35,10 @@ case $1 in
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
+ #rules for edge nodes, these should be more specific but for now, it'll do
+ iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
+ iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
+ iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
 ### mgmt
 iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
 iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
@@ -66,6 +70,9 @@ case $1 in
 ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
 ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
 ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ #rules for edge nodes, these should be more specific but for now, it'll do
+ ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
+ ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
 ### mgmt
 ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
 ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
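Review bot: The added `--sport 179` rule in the first hunk (and its ip6tables twin in the second) has no `--dport` and no `-s` match, so it accepts any TCP segment arriving on an `up+` interface with source port 179 whatever local port it is addressed to; the existing ip6tables BGP rules just above at least confine that to `fe80::/10`, and the new v4 rules have no source restriction at all. Since the file already uses conntrack on the mgmt interface, the return direction is better expressed as `iptables -A INPUT -i up+ -m state --state ESTABLISHED,RELATED -j ACCEPT` in place of the `--sport 179` line, with the same substitution for ip6tables. The `--dport 179` and `-p gre` accepts should then each carry a `-s <PEER_ADDRESS>` (placeholder for the known upstream/site peer) as the added comment itself concedes; note that `-i up+` is an interface-name prefix match, so it presumably covers every interface beginning with `up`, which is worth stating in that comment. The enclosing `case $1 in` branch begins and ends outside both hunks.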