#!/bin/bash
### BEGIN INIT INFO
# Provides: scriptname
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: iptables
# Description: Enable firewall rules
### END INIT INFO
exec 1> >(logger -s -t $(basename $0)) 2>&1
case $1 in
start)
echo -n "firewall start..."
### IPv4
iptables -P INPUT ACCEPT
iptables -F INPUT
## unencrypted traffic
iptables -A INPUT -p esp -j ACCEPT -m comment --comment "ipsec"
iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT -m comment --comment "ipsec"
iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
iptables -A INPUT -p icmp -j ACCEPT -m comment --comment "allow pings"
## local ceph osd services
iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "local ceph osd traffic"
## traffic we want to see encrypted over the VPN
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT -m comment --comment "vxlan traffic"
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp replies for bastion"
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies for bastion"
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
## external services we depend upon
iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT -m comment --comment "etcd replies stackapi"
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT -m comment --comment "allow email smart host"
## rules for edge nodes, shouldn't ever end up matching on "normal nodes"
iptables -A INPUT -i up+ -p gre -j ACCEPT -m comment --comment "gre tunnels from other sites"
iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "upstream to public bgp"
iptables -A INPUT -i up+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "upstream from public bgp"
iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customer"
iptables -A INPUT -i customer+ -m ttl --ttl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customers"
### mgmt
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh on mgmt vrf"
iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "stateful mgmt vrf"
### DROP the rest
iptables -P INPUT DROP
## this may only be needed on edge in some cases. needs to be tweaked once we have a network again spaning multiple regions
#iptables -t mangle -A FORWARD -p tcp -m tcp -o usw1 --tcp-flags SYN,RST SYN -m tcpmss --mss 1437:10000 -j TCPMSS --set-mss 1436
#special tables
iptables -F FORWARD
iptables -F OUTPUT
iptables -t mangle -F
iptables -t nat -F
iptables -t raw -F
# this matters on all boxes
iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
iptables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
iptables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track the rest"
iptables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track the rest"
#### IPv6
ip6tables -P INPUT ACCEPT
ip6tables -F INPUT
## unencrypted traffic
ip6tables -A INPUT -p esp -j ACCEPT -m comment --comment "ipsec"
ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT -m comment --comment "ipsec"
ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT -m comment --comment "ipsec"
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT -m comment --comment "icmp"
ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
ip6tables -A INPUT -s fe80::/10 -i feth+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
## external services we depend upon
ip6tables -A INPUT -s 2604:bbc0:1:20::a001 -p tcp --sport 443 -j ACCEPT -m comment --comment "# mirrors.wit.com"
## ceph
ip6tables -A INPUT -i lo -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
ip6tables -A INPUT -i lo -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT -m comment --comment "ceph mon traffic"
ip6tables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
ip6tables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT -m comment --comment "ceph osd traffic"
## traffic we want to see encrypted over the VPN
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh if coming over the VPN"
ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT -m comment --comment "dns replies from anything over the VPN"
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 80 -j ACCEPT -m comment --comment "http replies for bastion"
ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT -m comment --comment "ntp if coming over the VPN"
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT -m comment --comment "libvirt live migration"
## rules for edge nodes, these should be more specific but for now, it'll do
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
ip6tables -A INPUT -s fe80::/10 -i gre+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
ip6tables -A INPUT -s fe80::/10 -i ibgp+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp (allow init as well as responding)"
ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "bgp to public peer"
ip6tables -A INPUT -i up+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "bgp from public peer"
ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --dport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customer"
ip6tables -A INPUT -i customer+ -m hl --hl-eq 1 -p tcp --sport 179 -j ACCEPT -m comment --comment "downstream bgp for dedicated customers"
### mgmt
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT -m comment --comment "dhcp replys, unlcear why physical if not vrf"
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT -m comment --comment "ssh for mgmt vrf"
ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "stateful mgmt vrf"
### DROP the rest
ip6tables -P INPUT DROP
#special tables
ip6tables -F FORWARD
ip6tables -F OUTPUT
ip6tables -t mangle -F
ip6tables -t nat -F
ip6tables -t raw -F
# manage conntrack
ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT -m comment --comment "DO track mgmt vrf"
ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT -m comment --comment "DO track mgmt vrf"
ip6tables -t raw -A PREROUTING -j NOTRACK -m comment --comment "do NOT track default vrf"
ip6tables -t raw -A OUTPUT -j NOTRACK -m comment --comment "do NOT track default vrf"
#some boxes get special addon rules
[ -e /etc/init.d/firewall-addon ] && source /etc/init.d/firewall-addon
;;
stop)
echo -n "firewall stop..."
#### Firewall rules
iptables -P INPUT ACCEPT
iptables -F
iptables -t raw -F
iptables -t nat -F
iptables -t mangle -F
ip6tables -P INPUT ACCEPT
ip6tables -F
ip6tables -t raw -F
ip6tables -t nat -F
ip6tables -t mangle -F
echo " done"
;;
restart)
#$0 stop
$0 start
;;
*)
echo "use $0 [start|stop|restart]"
;;
esac
exit 0