# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# NOTE(vish): This script sets up some reasonable defaults for iptables and
# creates nova-specific chains. If you use this script you should
# run nova-network and nova-compute with --use_nova_chains=True
# NOTE(vish): If you run public nova-api on a different port, make sure to
# change the port here
if [ -f /etc/default/nova-iptables ] ; then
. /etc/default/nova-iptables
# Port the public nova-api listens on. Honour a value already set (e.g. by
# /etc/default/nova-iptables above); otherwise fall back to 8773.
: "${API_PORT:=8773}"
if [ ! -n "$IP" ]; then
# NOTE(vish): IP address is the address that the services ALLOW on.
# This will just get the first ip in the list, so if you
# have more than one eth device set up, this will fail, and
# you should explicitly pass in the ip of the instance
IP=`ifconfig | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'`
if [ ! -n "$PRIVATE_RANGE" ]; then
# NOTE(vish): PRIVATE_RANGE is the range that is ALLOWED to access DHCP
PRIVATE_RANGE="192.168.0.0/12"
if [ ! -n "$MGMT_IP" ]; then
# NOTE(vish): Management IP is the ip over which to allow ssh traffic. It
# will also allow traffic to nova-api
if [ ! -n "$DMZ_IP" ]; then
# NOTE(vish): DMZ IP is the ip over which to allow api & objectstore access
clear_nova_iptables() {
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# HACK: re-adding fail2ban rules :(
iptables -N fail2ban-ssh
iptables -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
iptables -A fail2ban-ssh -j RETURN
load_nova_iptables() {
iptables -P INPUT DROP
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# NOTE(ja): allow localhost for everything
iptables -A INPUT -d 127.0.0.1/32 -j ACCEPT
# NOTE(ja): 22 only allowed MGMT_IP before, but we widened it to any
# address, since ssh should be listening only on internal.
# Before we re-add this rule we will need to add
# flexibility for RSYNC between omega/stingray
iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -j services
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# NOTE(vish): DROP on output is too restrictive for now. We need to add
# in a bunch of more specific output rules to use it.
# iptables -P OUTPUT DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
if [ -n "$GANGLIA" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
iptables -A services -m udp -p udp -d $IP --dport 8649 -j ACCEPT
# if [ -n "$WEB" ] || [ -n "$ALL" ]; then
# # NOTE(vish): This opens up ports for web access, allowing web-based
# # dashboards to work.
# iptables -A services -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
# iptables -A services -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
if [ -n "$OBJECTSTORE" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
iptables -A services -m tcp -p tcp -d $DMZ_IP --dport 3333 -j ACCEPT
if [ -n "$API" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT
if [ "$IP" != "$DMZ_IP" ]; then
iptables -A services -m tcp -p tcp -d $DMZ_IP --dport $API_PORT -j ACCEPT
if [ "$IP" != "$MGMT_IP" ] && [ "$DMZ_IP" != "$MGMT_IP" ]; then
iptables -A services -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT
if [ -n "$REDIS" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
if [ -n "$MYSQL" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
if [ -n "$RABBITMQ" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
iptables -A services -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
iptables -A services -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
if [ -n "$DNSMASQ" ] || [ -n "$ALL" ]; then
# NOTE(vish): this could theoretically be setup per network
# for each host, but it seems like overkill
iptables -A services -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
iptables -A services -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
iptables -A services -m udp -p udp --dport 67 -j ACCEPT
if [ -n "$LDAP" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 389 -j ACCEPT
if [ -n "$ISCSI" ] || [ -n "$ALL" ]; then
iptables -A services -m tcp -p tcp -d $IP --dport 3260 -j ACCEPT
iptables -A services -m tcp -p tcp -d 127.0.0.0/16 --dport 3260 -j ACCEPT
echo "Starting nova-iptables: "
echo "Clearing nova-iptables: "
echo "Restarting nova-iptables: "
echo "Usage: $NAME {start|stop|restart}" >&2