2
# vim: tabstop=4 shiftwidth=4 softtabstop=4
4
# Copyright 2010 United States Government as represented by the
5
# Administrator of the National Aeronautics and Space Administration.
8
# Licensed under the Apache License, Version 2.0 (the "License"); you may
9
# not use this file except in compliance with the License. You may obtain
10
# a copy of the License at
12
# http://www.apache.org/licenses/LICENSE-2.0
14
# Unless required by applicable law or agreed to in writing, software
15
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
17
# License for the specific language governing permissions and limitations
20
# NOTE(vish): This script sets up some reasonable defaults for iptables and
21
# creates nova-specific chains. If you use this script you should
22
# run nova-network and nova-compute with --use_nova_chains=True
24
# NOTE(vish): If you run nova-api on a different port, make sure to change
26
# Port nova-api listens on; export API_PORT before running to override the default.
API_PORT="${API_PORT:-8773}"
36
# NOTE(vish): This will just get the first ip in the list, so if you
37
# have more than one network device set up, it may pick the wrong one, and
38
# you should explicitly pass in the ip of the instance
39
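# NOTE(review): this takes the first 'inet addr:' line ifconfig prints, so on a
# host with several interfaces it may pick the wrong address (and some newer
# ifconfig builds print "inet 10.0.0.1" instead, matching nothing). Pass IP in
# explicitly in either case.
IP=$(ifconfig | grep -m 1 'inet addr:' | cut -d: -f2 | awk '{print $1}')
# Every per-service rule in this script is scoped with "-d $IP"; with an empty
# IP those rules cannot be appended, leaving a default-deny firewall with no
# service rules. Warn loudly rather than fail silently (no exit: "clear" must
# still work on a host where this detection fails).
if [ -z "$IP" ]; then
    echo "warning: could not determine IP from ifconfig; set IP explicitly" >&2
fi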
45
# Address range the instances live in; the dnsmasq DNS rules below accept
# queries only from this range.
PRIVATE_RANGE=10.0.0.0/12
50
# NOTE(vish): Management IP is the ip over which to allow ssh traffic. It
51
# will also allow traffic to nova-api
56
# "clear": open the host back up. Policies return to ACCEPT and the nova
# chains are emptied (flushed, not deleted -- there is no -X here).
if [ "$CMD" == "clear" ]; then
57
iptables -P INPUT ACCEPT
58
iptables -P FORWARD ACCEPT
59
iptables -P OUTPUT ACCEPT
62
# NOTE(review): the filter-table nova_* chains are flushed, but the nat-table
# flushes below name nova_input/nova_forward, which nothing in the visible
# lines creates, while nova_prerouting/nova_postrouting (created by "base")
# are not flushed here. Stale NAT rules can therefore survive a "clear"
# unless the elided lines cover them -- confirm, and flush
# `-t nat nova_prerouting` / `-t nat nova_postrouting` if they do not.
iptables -F nova_input
63
iptables -F nova_output
64
iptables -F nova_forward
65
iptables -t nat -F nova_input
66
iptables -t nat -F nova_output
67
iptables -t nat -F nova_forward
72
# "base": the default-deny skeleton the other sections hang off. Creates the
# nova_* chains that nova-network/nova-compute populate (--use_nova_chains=True)
# and the catch-all rules around them.
if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then
73
# NOTE(review): the INPUT policy flips to DROP before a single ACCEPT rule
# exists. If a rule below fails to load -- an empty $MGMT_IP turns
# "-d $MGMT_IP --dport 22" into an iptables parse error -- the host is cut off
# from ssh with no way back in, and nothing visible enables `set -e`, so the
# failure is only iptables' stderr. Safer: append the rules first and make
# `iptables -P INPUT DROP` the last step of this section, after checking the
# ssh rule loaded.
iptables -P INPUT DROP
74
# Conntrack bookkeeping: malformed packets first, then anything belonging
# to a flow we already accepted.
iptables -A INPUT -m state --state INVALID -j DROP
75
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
76
# ssh is reachable only on the management address, from any source.
iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT
77
# NTP is accepted from anywhere, to every local address. Replies to this
# host's own NTP client should already match RELATED,ESTABLISHED above, so
# this rule matters only if the host serves time to others; otherwise drop
# it or scope it with -s/-d.
iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
78
# Per-service ACCEPT rules (the sections below, and nova's own) land in
# nova_input, which is consulted before the ICMP rule and the rejects.
# NOTE(review): `-N` errors if the chain already exists and nothing here
# flushes INPUT first, so re-running "base" without a full reset appends a
# second "-j nova_input" and duplicates of every rule (the visible "clear"
# flushes the nova chains but, as far as shown, neither deletes them nor
# flushes INPUT/FORWARD/OUTPUT).
iptables -N nova_input
79
iptables -A INPUT -j nova_input
80
# Every ICMP type, from anywhere. Tighten to the types actually needed if
# the host should not answer arbitrary ICMP.
iptables -A INPUT -p icmp -j ACCEPT
81
# Explicit rejects for everything else: TCP gets a RST, the rest an ICMP
# port-unreachable. The DROP policy above is only a fallback behind these.
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
82
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
84
# FORWARD: same default-deny shape for traffic routed through this host.
# There is no catch-all REJECT here, so anything nova_forward does not
# accept is silently dropped by the policy.
iptables -P FORWARD DROP
85
iptables -A FORWARD -m state --state INVALID -j DROP
86
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
87
# Clamp MSS on forwarded SYNs to the path MTU so connections through this
# host survive a smaller MTU somewhere on the path (presumably the instance
# bridge/tunnel side -- confirm).
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
88
iptables -N nova_forward
89
iptables -A FORWARD -j nova_forward
91
# NOTE(vish): DROP on output is too restrictive for now. We need to add
92
# in a bunch of more specific output rules to use it.
93
# iptables -P OUTPUT DROP
94
# With the OUTPUT policy not changed here, these rules only shed INVALID
# packets and give nova a nova_output hook; they do not restrict egress.
iptables -A OUTPUT -m state --state INVALID -j DROP
95
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
96
iptables -N nova_output
97
iptables -A OUTPUT -j nova_output
99
# nat-table hooks: this script only creates and wires the chains; nova
# fills them. Note that the visible "clear" section does not flush
# nova_prerouting/nova_postrouting.
iptables -t nat -N nova_prerouting
100
iptables -t nat -A PREROUTING -j nova_prerouting
102
iptables -t nat -N nova_postrouting
103
iptables -t nat -A POSTROUTING -j nova_postrouting
105
# Same name as the filter-table nova_output above, but a separate chain
# (different table).
iptables -t nat -N nova_output
106
iptables -t nat -A OUTPUT -j nova_output
109
# "ganglia": 8649 tcp+udp (presumably gmond) on $IP, from any source.
# Nothing limits who can query it; consider `-s <monitoring network>`.
if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then
110
iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
111
iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT
114
# "web": HTTP/HTTPS on $IP from any source (intentionally public, see note).
if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then
115
# NOTE(vish): This opens up ports for web access, allowing web-based
116
# dashboards to work.
117
iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
118
iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
121
# "objectstore": 3333 on $IP from any source; only the destination is
# scoped, so anyone who can reach $IP can reach the objectstore.
if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then
122
iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
125
# "api": nova-api on $API_PORT, on $IP and also on $MGMT_IP when the two
# differ (matches the management-IP note above). No source restriction on
# either address.
if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then
126
iptables -A nova_input -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT
127
# Avoid a duplicate rule when the management address is the primary one.
if [ "$IP" != "$MGMT_IP" ]; then
128
iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT
132
# "redis": 6379 on $IP from any source. NOTE(review): redis has no
# authentication unless requirepass is configured, and "-d $IP" limits only
# the destination -- if instances can route to $IP they can reach it. Scope
# with `-s <control-plane hosts>`, not $PRIVATE_RANGE.
if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then
133
iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
136
# "mysql": 3306 on $IP from any source. NOTE(review): only the destination
# is scoped; the nova database should be reachable from the control-plane
# hosts only, so add `-s <control-plane hosts>` here.
if [ "$CMD" == "mysql" ] || [ "$CMD" == "all" ]; then
137
iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
140
# "rabbitmq": 4369 (epmd), 5672 (AMQP) and 53284 (presumably the fixed
# Erlang distribution port configured for rabbit -- confirm) on $IP from
# any source. NOTE(review): epmd plus the distribution port let anyone
# holding the Erlang cookie attach to the node, and AMQP carries every nova
# RPC; scope all three with `-s <control-plane hosts>`.
if [ "$CMD" == "rabbitmq" ] || [ "$CMD" == "all" ]; then
141
iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
142
iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
143
iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
146
# "dnsmasq": DNS for the instances (source-limited to $PRIVATE_RANGE, on any
# local address) and DHCP.
if [ "$CMD" == "dnsmasq" ] || [ "$CMD" == "all" ]; then
147
# NOTE(vish): this could theoretically be setup per network
148
# for each host, but it seems like overkill
149
iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
150
iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
151
# NOTE(review): DHCP is accepted from anywhere on every interface. A -s
# filter cannot be used here (DHCP clients send from 0.0.0.0), so scope it
# by interface instead, e.g. `-i <instance bridge>`, so the host does not
# answer DHCP on its management network.
iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
154
if [ "$CMD" == "ldap" ] || [ "$CMD" == "all" ]; then
155
iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT