
#!/usr/bin/env bash
# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

# NOTE(vish): This script sets up some reasonable defaults for iptables and
#             creates nova-specific chains.  If you use this script you should
#             run nova-network and nova-compute with --use_nova_chains=True

# NOTE(vish): If you run nova-api on a different port, make sure to change
#             the port here
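API_PORT=${API_PORT:-"8773"}

# Positional arguments (all optional):
#   $1 - command: clear | base | ganglia | web | objectstore | api | redis |
#        mysql | rabbitmq | dnsmasq | ldap | all        (default: all)
#   $2 - IP address the nova services listen on      (default: first ifconfig ip)
#   $3 - private CIDR range allowed to reach dnsmasq  (default: 10.0.0.0/12)
#   $4 - management IP for ssh and nova-api traffic   (default: $2)
if [[ -n "$1" ]]; then
    CMD=$1
else
    CMD="all"
fi

if [[ -n "$2" ]]; then
    IP=$2
else
    # NOTE(vish): This will just get the first ip in the list, so if you
    #             have more than one eth device set up, this will fail, and
    #             you should explicitly pass in the ip of the instance
    # The 'inet addr:' pattern matches the classic net-tools output only;
    # builds that print 'inet <addr>' instead yield an empty IP here, so
    # pass the address as $2 on such hosts.
    IP=$(LC_ALL=C ifconfig | grep -m 1 'inet addr:' | cut -d: -f2 | awk '{print $1}')
    if [[ -z "$IP" ]]; then
        # An empty IP makes every '-d $IP' rule below fail to install, and
        # 'base' would then apply a DROP policy without an ssh ACCEPT rule.
        printf '%s\n' "warning: could not determine the local IP; pass it as argument 2" >&2
    fi
fi

if [[ -n "$3" ]]; then
    PRIVATE_RANGE=$3
else
    PRIVATE_RANGE="10.0.0.0/12"
fi


if [[ -n "$4" ]]; then
    # NOTE(vish): Management IP is the ip over which to allow ssh traffic.  It
    #             will also allow traffic to nova-api
    MGMT_IP=$4
else
    # Falls back to the service IP, so ssh and nova-api share the address
    # unless a separate management address is given.
    MGMT_IP="$IP"
fi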
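if [[ "$CMD" == "clear" ]]; then
    # Tear down everything this script installs.  Policies go back to
    # ACCEPT, both tables are flushed and the user-defined chains deleted,
    # so after 'clear' the host does no packet filtering at all until
    # 'base' (or 'all') is run again.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # A bare -F flushes every chain in the table, which also removes the
    # jumps from the built-in chains so that -X below can delete the
    # now-unreferenced nova_* chains.
    iptables -F
    iptables -t nat -F
    # Per-chain flushes are redundant after the table-wide -F above and are
    # kept for explicitness.  The nat chain names match what 'base' creates
    # (nova_prerouting, nova_postrouting, nova_output); the previous
    # nova_input/nova_forward names never existed in the nat table and only
    # produced "No chain" errors.
    iptables -F nova_input
    iptables -F nova_output
    iptables -F nova_forward
    iptables -t nat -F nova_prerouting
    iptables -t nat -F nova_postrouting
    iptables -t nat -F nova_output
    iptables -t nat -X
    iptables -X
fi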

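if [[ "$CMD" == "base" || "$CMD" == "all" ]]; then
    # Refuse to install a DROP policy without a management address: with an
    # empty MGMT_IP the ssh ACCEPT rule below has no address for -d and is
    # not installed, which locks the operator out of the host.
    if [[ -z "$MGMT_IP" ]]; then
        printf '%s\n' "error: management IP is empty; pass the host IP as argument 2 (or 4)" >&2
        exit 1
    fi

    # INPUT: default deny.  Only ssh to the management address, NTP, the
    # nova_input chain (filled by the service sections below) and ICMP are
    # accepted; everything else is actively rejected.  Note that the ssh,
    # NTP and ICMP rules restrict the destination only, not the source.
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m tcp -p tcp -d "$MGMT_IP" --dport 22 -j ACCEPT
    iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
    # -N fails if the chain already exists (e.g. a re-run without 'clear');
    # the script does not stop on errors, and the jump below still works.
    iptables -N nova_input
    iptables -A INPUT -j nova_input
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

    # FORWARD: default deny; MSS clamping for forwarded SYNs, then the
    # nova_forward chain that nova-network manages.
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -N nova_forward
    iptables -A FORWARD -j nova_forward

    # NOTE(vish): DROP on output is too restrictive for now.  We need to add
    #             in a bunch of more specific output rules to use it.
    # iptables -P OUTPUT DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -N nova_output
    iptables -A OUTPUT -j nova_output

    # nat table: empty nova chains hooked into each built-in chain so that
    # nova-network can add its rules without touching the built-ins.
    iptables -t nat -N nova_prerouting
    iptables -t nat -A PREROUTING -j nova_prerouting

    iptables -t nat -N nova_postrouting
    iptables -t nat -A POSTROUTING -j nova_postrouting

    iptables -t nat -N nova_output
    iptables -t nat -A OUTPUT -j nova_output
fi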

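# Service sections: each one appends ACCEPT rules to nova_input, so 'base'
# must have run first.  The rules match on destination address only; any
# source may reach the opened port.

if [[ "$CMD" == "ganglia" || "$CMD" == "all" ]]; then
    # ganglia gmond: tcp for metric polling, udp for metric announcements.
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 8649 -j ACCEPT
    iptables -A nova_input -m udp -p udp -d "$IP" --dport 8649 -j ACCEPT
fi

if [[ "$CMD" == "web" || "$CMD" == "all" ]]; then
    # NOTE(vish): This opens up ports for web access, allowing web-based
    #             dashboards to work.
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 80 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 443 -j ACCEPT
fi

if [[ "$CMD" == "objectstore" || "$CMD" == "all" ]]; then
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 3333 -j ACCEPT
fi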

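if [[ "$CMD" == "api" || "$CMD" == "all" ]]; then
    # nova-api on the service address, and additionally on the management
    # address when a separate one was given (see the $4 handling above).
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport "$API_PORT" -j ACCEPT
    if [[ "$IP" != "$MGMT_IP" ]]; then
        iptables -A nova_input -m tcp -p tcp -d "$MGMT_IP" --dport "$API_PORT" -j ACCEPT
    fi
fi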

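# Backend services.  These rules restrict the destination address only, so
# redis, mysql and rabbitmq are reachable from any source that can route to
# $IP; if they are only used by hosts in the private range, add
# '-s "$PRIVATE_RANGE"' to the rules (as the dnsmasq section does for DNS).

if [[ "$CMD" == "redis" || "$CMD" == "all" ]]; then
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 6379 -j ACCEPT
fi

if [[ "$CMD" == "mysql" || "$CMD" == "all" ]]; then
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 3306 -j ACCEPT
fi

if [[ "$CMD" == "rabbitmq" || "$CMD" == "all" ]]; then
    # 4369 is epmd, 5672 is AMQP; 53284 is kept as configured by the
    # original author.
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 4369 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 5672 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 53284 -j ACCEPT
fi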

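if [[ "$CMD" == "dnsmasq" || "$CMD" == "all" ]]; then
    # NOTE(vish): this could theoretically be setup per network
    #             for each host, but it seems like overkill
    # DNS is limited to sources in the private range.  DHCP (67/udp) is
    # left unrestricted because requests come from clients that do not yet
    # have an address in that range.
    iptables -A nova_input -m tcp -p tcp -s "$PRIVATE_RANGE" --dport 53 -j ACCEPT
    iptables -A nova_input -m udp -p udp -s "$PRIVATE_RANGE" --dport 53 -j ACCEPT
    iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
fi

if [[ "$CMD" == "ldap" || "$CMD" == "all" ]]; then
    # 389 is the non-TLS LDAP port; the rule restricts the destination only.
    iptables -A nova_input -m tcp -p tcp -d "$IP" --dport 389 -j ACCEPT
fi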