From d67b2257928b376b89102f5a7c06f654c10a6800 Mon Sep 17 00:00:00 2001
From: toby
Date: Sun, 21 Oct 2018 23:08:58 +0200
Subject: [PATCH] cleanup firewall rules and making unnumbered bgp rules a tad more restrictive
---
 files/firewall | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/files/firewall b/files/firewall
index 6e13224..64be2f7 100755
--- a/files/firewall
+++ b/files/firewall
@@ -17,7 +17,7 @@ case $1 in
 ### IPv4
 iptables -P INPUT ACCEPT
 iptables -F INPUT
- #unencrypted traffic
+ ## unencrypted traffic
 iptables -A INPUT -p esp -j ACCEPT # ipsec
 iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
 iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
@@ -25,17 +25,17 @@ case $1 in
 iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns replies from bastion
 iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
 iptables -A INPUT -s 170.199.210.99 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
- iptables -A INPUT -p icmp -j ACCEPT
 iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph traffic
 iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph traffic
- #traffic we want to see encrypted over the VPN
+ iptables -A INPUT -p icmp -j ACCEPT
+ ## traffic we want to see encrypted over the VPN
 iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph traffic
 iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
- #rules for edge nodes, these should be more specific but for now, it'll do
+ ## rules for edge nodes, these should be more specific but for now, it'll do
 iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
 iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
 iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
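Review bot: The relocated `iptables -A INPUT -p icmp -j ACCEPT` still admits every ICMP type on every interface, which is broader than the other rules in this unencrypted section, each of which is pinned to a source address or an interface; if the intent is reachability diagnostics, restrict it per type, e.g. `iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT` with separate lines for `destination-unreachable` and `time-exceeded`, and say in the comment why each is needed. The move itself does not change which packets are admitted, since every rule visible in this hunk is an ACCEPT and order only matters between differing targets, but the line is now the only one in the section without a trailing comment; `# icmp, allowed unencrypted from any source` would make the intent explicit. The enclosing case branch starts before and ends after this hunk.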
@@ -59,7 +59,7 @@ case $1 in
 #### IPv6
 ip6tables -P INPUT ACCEPT
 ip6tables -F INPUT
- #unencrypted traffic
+ ## unencrypted traffic
 ip6tables -A INPUT -p esp -j ACCEPT # ipsec
 ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
 ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
@@ -68,9 +68,11 @@ case $1 in
 ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion
 ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
 ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
- ip6tables -A INPUT -s fe80::/10 -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
- ip6tables -A INPUT -s fe80::/10 -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
- #rules for edge nodes, these should be more specific but for now, it'll do
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ## rules for edge nodes, these should be more specific but for now, it'll do
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
+ ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
 ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
 ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
 ### mgmt
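Review bot: The two new `--sport 179` lines (`-i feth+` and `-i gre+`) admit any TCP packet from a link-local source on those interfaces whose source port happens to be 179, to any destination port, whether or not a BGP session exists, so the added interface match narrows where such packets may arrive but not what they may reach. If the script already carries a `-m conntrack --ctstate ESTABLISHED,RELATED` rule earlier in the chain (not visible in this hunk), the `--sport 179` lines are redundant and can be dropped; otherwise consider adding one ahead of this section and keeping only the `--dport 179` lines for session initiation, which is the same concern as the `-i up+ ... --sport 179` context line below. The four new lines also share the identical comment `# bgp (allow init as well as responding)`; naming the link class would help the next reader, e.g. `# unnumbered bgp over feth+ links` and `# unnumbered bgp over gre tunnels from other sites` (the latter wording is taken from the IPv4 section). The enclosing case branch starts before and ends after this hunk.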