From 83f4e964855e700fa980b791e812a5a4c83922d7 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Tue, 8 Nov 2016 19:58:28 +0000
Subject: [PATCH] Update firewall rules for openshift. I am NOT an idiot
Signed-off-by: Patrick Uiterwijk
---
 .../files/fix-docker-iptables.staging | 68 +++++++++++--------
 1 file changed, 41 insertions(+), 27 deletions(-)
diff --git a/roles/osbs-master/files/fix-docker-iptables.staging b/roles/osbs-master/files/fix-docker-iptables.staging
index c204f7423e..865a87ec0a 100644
--- a/roles/osbs-master/files/fix-docker-iptables.staging
+++ b/roles/osbs-master/files/fix-docker-iptables.staging
@@ -3,52 +3,66 @@
 # every docker service restart.
 # And just doing an iptables-restore is going to mess up kubernetes'
 # NAT table.
+# And it gets even better with openshift! It thinks I'm stupid and need
+# to be corrected by automatically adding the "allow all" rules back at
+# the top as soon as I remove them.
+# To circumvent that, we're just adding a new chain for this, as it seems
+# that it doesn't do anything with the firewall if we keep its rules in
+# place. (it doesn't check the order of its rules, only that they exist)
+
+if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
+then
+ iptables -N FILTER_FORWARD
+fi
+if [ "`iptables -nL | grep 'FILTER_FORWARD all'`" == "" ];
+then
+ iptables -I FORWARD 1 -j FILTER_FORWARD
+fi
 # Delete all old rules
-iptables --flush FORWARD
+iptables --flush FILTER_FORWARD
 # Re-insert some basic rules
-iptables -A FORWARD -o docker0 -j DOCKER
-iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
+iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
 # Now insert access to allowed boxes
 # docker-registry
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
 #koji.fp.o
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
 # pkgs.stg
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
 # DNS
-iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 # mirrors.fp.o
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 # dl.phx2
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
-iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
 # Docker is CRAZY and forces Google DNS upon us.....
-iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
-iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+iptables -A FILTER_FORWARD -j REJECT --reject-with icmp-host-prohibited
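Review bot: The jump into FILTER_FORWARD is only installed when the `grep 'FILTER_FORWARD all'` check finds nothing, so `-I FORWARD 1` guarantees first position on the initial run only; anything that later inserts at the head of FORWARD (the header comment says this script runs after every docker service restart, which is presumably when such inserts happen) leaves the jump below those rules and the chain's trailing `-j REJECT` no longer governs that traffic, so the position should be re-asserted on every run rather than checked for mere existence. Both presence checks are also fragile — backticks, `==` inside `[`, and a match that depends on the `iptables -nL` column layout — and can be expressed directly as `iptables -nL FILTER_FORWARD >/dev/null 2>&1 || iptables -N FILTER_FORWARD` and `iptables -C FORWARD -j FILTER_FORWARD 2>/dev/null || iptables -I FORWARD 1 -j FILTER_FORWARD`. Dropping `-i docker0` from every rule widens the chain from docker0 traffic to all forwarded traffic on the host; if that is intended for openshift pod routing it deserves a comment such as `# FILTER_FORWARD is the policy for ALL forwarded traffic, not only docker0`. Finally, between `--flush FILTER_FORWARD` and the trailing REJECT the chain is empty and forwarded packets fall through to whatever follows in FORWARD, so an iptables failure mid-script leaves the host open rather than closed; the script (whose first two lines are outside the hunk) should at least abort loudly with `set -e`.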