adding firewall rules for edge boxes
This commit is contained in:
parent
0eceabfe1d
commit
c7d116d1c1
|
@ -35,6 +35,10 @@ case $1 in
|
|||
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
|
||||
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
|
||||
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
|
||||
#rules for edge nodes, these should be more specific but for now, it'll do
|
||||
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
|
||||
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
|
||||
iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
|
||||
### mgmt
|
||||
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
|
||||
iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
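Review bot: The three `-i up+` rules added after the edge-node comment accept GRE and TCP/179 from any source address, and the `--sport 179` rule lets any remote host that picks source port 179 reach every local TCP port, not only the BGP daemon; the comment admits the rules are loose, but the hunk still ships the wide-open form. Since the mgmt rule two lines below already uses `-m state --state ESTABLISHED,RELATED`, the return direction could be covered by `iptables -A INPUT -i up+ -m state --state ESTABLISHED,RELATED -j ACCEPT` instead of `--sport 179`, and the GRE and `--dport 179` rules could carry `-s <PEER_ADDRESS>` for each known upstream peer. The ip6tables hunk below adds the same `--sport 179` form and would take the same treatment. The enclosing `case $1 in` arm starts and ends outside this hunk.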
|
||||
|
@ -66,6 +70,9 @@ case $1 in
|
|||
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
|
||||
ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
||||
#rules for edge nodes, these should be more specific but for now, it'll do
|
||||
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
|
||||
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
|
||||
### mgmt
|
||||
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why this needs the physical interface instead of the vrf
|
||||
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
|
||||
|
|