190 lines
12 KiB
Bash
Executable File
190 lines
12 KiB
Bash
Executable File
#!/bin/bash
|
|
### BEGIN INIT INFO
|
|
# Provides: scriptname
|
|
# Required-Start: $network
|
|
# Required-Stop: $network
|
|
# Default-Start: 2 3 4 5
|
|
# Default-Stop: 0 1 6
|
|
# Short-Description: iptables
|
|
# Description: Enable firewall rules
|
|
### END INIT INFO
|
|
|
|
exec 1> >(logger -s -t $(basename $0)) 2>&1
|
|
|
|
case $1 in
|
|
start)
|
|
echo -n "firewall start..."
|
|
### IPv4
|
|
iptables -P INPUT ACCEPT
|
|
iptables -F INPUT
|
|
## unencrypted traffic
|
|
iptables -A INPUT -p esp -j ACCEPT # ipsec
|
|
iptables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
|
|
iptables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
|
|
iptables -A INPUT -p icmp -j ACCEPT # allow pings
|
|
|
|
## local ceph osd services
|
|
iptables -A INPUT -i lo -m multiport -p tcp --sports 6800:7300 -j ACCEPT # local ceph osd traffic
|
|
iptables -A INPUT -i lo -m multiport -p tcp --dports 6800:7300 -j ACCEPT # local ceph osd traffic
|
|
|
|
## traffic we want to see encrypted over the VPN
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 6800:7300 -j ACCEPT # ceph osd traffic
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 6800:7300 -j ACCEPT # ceph osd traffic
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 6789 -j ACCEPT # ceph mon traffic
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --sport 6789 -j ACCEPT # ceph mon traffic
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --dport 4789 -j ACCEPT # vxlan traffic
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp replies for anything over the VPN
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 53 -j ACCEPT # dns replies from anything over the VPN
|
|
iptables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
|
|
|
|
## external services we deplend upon
|
|
iptables -A INPUT -s 170.199.217.0 -p tcp --dport 22 -j ACCEPT # ssh from bastion
|
|
iptables -A INPUT -s 170.199.217.0 -p udp --sport 53 -j ACCEPT # dns replies from bastion
|
|
iptables -A INPUT -s 10.1.19.1 -p tcp --dport 22 -j ACCEPT # ssh from bastion
|
|
iptables -A INPUT -s 10.1.19.11 -p tcp --dport 22 -j ACCEPT # ssh from bastion2
|
|
iptables -A INPUT -s 170.199.216.1 -p tcp --sport 2379 -j ACCEPT # etcd replies stackapi
|
|
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 443 -j ACCEPT # mirrors.wit.com
|
|
iptables -A INPUT -s 170.199.216.13 -p tcp --sport 25 -j ACCEPT # allow email smart host
|
|
|
|
## rules for edge nodes, these should be more specific but for now, it'll do
|
|
iptables -A INPUT -i up+ -p gre -j ACCEPT # gre tunnels from other sites
|
|
iptables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # upstream to public bgp
|
|
iptables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # upstream from public bgp
|
|
|
|
### mgmt
|
|
iptables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT
|
|
iptables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
### DROP the rest
|
|
iptables -P INPUT DROP
|
|
|
|
|
|
## some rules for bastion boxes to protect the mgmt networks
|
|
iptables -F FORWARD
|
|
iptables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
iptables -A FORWARD -o mgmtgw1 -j DROP
|
|
iptables -A FORWARD -i ipmigw1 -j DROP
|
|
iptables -A FORWARD -o ipmigw1 -j DROP
|
|
|
|
|
|
#special tables
|
|
iptables -t mangle -F
|
|
iptables -t nat -F
|
|
iptables -t raw -F
|
|
|
|
|
|
# this matters only on bastion boxes
|
|
iptables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
|
|
iptables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
|
|
iptables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
|
|
iptables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
|
|
# this matters on all boxes
|
|
iptables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
|
|
iptables -t raw -A OUTPUT -o mgmt -j ACCEPT
|
|
iptables -t raw -A PREROUTING -j NOTRACK
|
|
iptables -t raw -A OUTPUT -j NOTRACK
|
|
|
|
|
|
|
|
#### IPv6
|
|
ip6tables -P INPUT ACCEPT
|
|
ip6tables -F INPUT
|
|
## unencrypted traffic
|
|
ip6tables -A INPUT -p esp -j ACCEPT # ipsec
|
|
ip6tables -A INPUT -p udp --dport 500 --sport 500 -j ACCEPT # ipsec
|
|
ip6tables -A INPUT -p udp --dport 4500 --sport 4500 -j ACCEPT # ipsec
|
|
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT # ping
|
|
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
|
ip6tables -A INPUT -s fe80::/10 -i feth+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
|
|
|
ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p tcp --dport 22 -j ACCEPT # ssh from bastion
|
|
ip6tables -A INPUT -s 2604:bbc0:0:113::1 -p udp --sport 53 -j ACCEPT # dns replies from bastion
|
|
ip6tables -A INPUT -s 2604:bbc0:0:113::b -p tcp --dport 22 -j ACCEPT # ssh from bastion2
|
|
ip6tables -A INPUT -s 2604:bbc0:0:113::b -p udp --sport 53 -j ACCEPT # dns replies from bastion2
|
|
ip6tables -A INPUT -s 2001:67c:1560:8003::c7 -p udp --sport 123 -j ACCEPT # ntp
|
|
ip6tables -A INPUT -s 2001:67c:1560:8003::c8 -p udp --sport 123 -j ACCEPT # ntp
|
|
|
|
## traffic we want to see encrypted over the VPN
|
|
ip6tables -A INPUT -m policy --pol ipsec --dir in -p tcp --dport 22 -j ACCEPT # ssh if coming over the VPN
|
|
ip6tables -A INPUT -m policy --pol ipsec --dir in -p udp --sport 123 -j ACCEPT # ntp if coming over the VPN
|
|
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --dports 49152:49215 -j ACCEPT # libvirt live migration
|
|
ip6tables -A INPUT -m policy --pol ipsec --dir in -m multiport -p tcp --sports 49152:49215 -j ACCEPT # libvirt live migration
|
|
|
|
## rules for edge nodes, these should be more specific but for now, it'll do
|
|
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --sport 179 -j ACCEPT # bgp (allow init as well as responding)
|
|
ip6tables -A INPUT -s fe80::/10 -i gre+ -p tcp --dport 179 -j ACCEPT # bgp (allow init as well as responding)
|
|
ip6tables -A INPUT -i up+ -p tcp --dport 179 -j ACCEPT # bgp to public peer
|
|
ip6tables -A INPUT -i up+ -p tcp --sport 179 -j ACCEPT # bgp from public peer
|
|
|
|
### mgmt
|
|
ip6tables -A INPUT -i mgmt1 -s fe80::/10 -p udp --dport 546 -j ACCEPT # allow dhcp replys, unlcear why but needs the physical interface not vrf
|
|
ip6tables -A INPUT -i mgmt -p tcp --dport 22 -j ACCEPT # allow ssh from mgmt
|
|
ip6tables -A INPUT -i mgmt -m state --state ESTABLISHED,RELATED -j ACCEPT # allow stateful connections over mgmt
|
|
|
|
### DROP the rest
|
|
ip6tables -P INPUT DROP
|
|
|
|
|
|
## some rules for bastion boxes to protect the mgmt networks
|
|
ip6tables -F FORWARD
|
|
ip6tables -A FORWARD -o mgmtgw1 -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
ip6tables -A FORWARD -o mgmtgw1 -j DROP
|
|
ip6tables -A FORWARD -i ipmigw1 -j DROP
|
|
ip6tables -A FORWARD -o ipmigw1 -j DROP
|
|
|
|
|
|
#special tables
|
|
ip6tables -t mangle -F
|
|
ip6tables -t nat -F
|
|
ip6tables -t raw -F
|
|
|
|
|
|
# this matters only on bastion boxes
|
|
ip6tables -t raw -A PREROUTING -i mgmtgw1 -j ACCEPT
|
|
ip6tables -t raw -A OUTPUT -o mgmtgw1 -j ACCEPT
|
|
ip6tables -t raw -A PREROUTING -i ipmigw1 -j ACCEPT
|
|
ip6tables -t raw -A OUTPUT -o ipmigw1 -j ACCEPT
|
|
# this matters on all boxes
|
|
ip6tables -t raw -A PREROUTING -i mgmt1 -j ACCEPT
|
|
ip6tables -t raw -A OUTPUT -o mgmt -j ACCEPT
|
|
ip6tables -t raw -A PREROUTING -j NOTRACK
|
|
ip6tables -t raw -A OUTPUT -j NOTRACK
|
|
|
|
|
|
#some boxes get special addon rules
|
|
[ -e /etc/init.d/firewall-addon ] && source /etc/init.d/firewall-addon
|
|
|
|
;;
|
|
|
|
stop)
|
|
echo -n "firewall stop..."
|
|
|
|
#### Firewall rules
|
|
iptables -P INPUT ACCEPT
|
|
iptables -F
|
|
iptables -t raw -F
|
|
iptables -t nat -F
|
|
iptables -t mangle -F
|
|
|
|
ip6tables -P INPUT ACCEPT
|
|
ip6tables -F
|
|
ip6tables -t raw -F
|
|
ip6tables -t nat -F
|
|
ip6tables -t mangle -F
|
|
|
|
echo " done"
|
|
;;
|
|
|
|
restart)
|
|
#$0 stop
|
|
$0 start
|
|
;;
|
|
|
|
*)
|
|
echo "use $0 [start|stop|restart]"
|
|
;;
|
|
|
|
esac
|
|
|
|
exit 0
|