From dd952da38b90d5d0f55d708f808c84b252b265cd Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 4 Jun 2020 10:36:08 -0700
Subject: [PATCH] base / iptables: drop old openstack template and update osusol with new batcave egress ip

Signed-off-by: Kevin Fenzi
---
 .../iptables/iptables.openstack-compute | 67 -------------------
 roles/base/templates/iptables/iptables.osuosl | 4 +-
 2 files changed, 2 insertions(+), 69 deletions(-)
 delete mode 100644 roles/base/templates/iptables/iptables.openstack-compute
diff --git a/roles/base/templates/iptables/iptables.openstack-compute b/roles/base/templates/iptables/iptables.openstack-compute
deleted file mode 100644
index 9280ed5f60..0000000000
--- a/roles/base/templates/iptables/iptables.openstack-compute
+++ /dev/null
@@ -1,67 +0,0 @@
-# {{ ansible_managed }}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-
-# allow ping and traceroute
--A INPUT -p icmp -j ACCEPT
-
-# localhost is fine
--A INPUT -i lo -j ACCEPT
-
-# Established connections allowed
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-
-# if the blocked_ips is defined - drop them
-{% if blocked_ips is defined %}
-{% for ip in blocked_ips %}
--A INPUT -s {{ ip }} -j DROP
-{% endfor %}
-{% endif %}
-
-# allow ssh - always
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-
-# allow incoming gre
-# openstack needs this to handle external ips right
--A INPUT -p gre -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT
-
-# compute nodes need to allow vnc ports from the controller
--A INPUT -s 172.24.0.9 -p tcp -m tcp --dport 5900:6900 -j ACCEPT
-
-# for nrpe - allow it from nocs
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
-# FIXME - this is the global nat-ip and we need the noc01-specific ip
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT
-
-# if the host/group defines incoming tcp_ports - allow them
-{% if tcp_ports is defined %}
-{% for port in tcp_ports %}
--A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if the host/group defines incoming udp_ports - allow them
-{% if udp_ports is defined %}
-{% for port in udp_ports %}
--A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
-{% endfor %}
-{% endif %}
-
-# if there are custom rules - put them in as-is
-{% if custom_rules is defined %}
-{% for rule in custom_rules %}
-{{ rule }}
-{% endfor %}
-{% endif %}
-
-# 
otherwise kick everything out
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
-COMMIT
diff --git a/roles/base/templates/iptables/iptables.osuosl b/roles/base/templates/iptables/iptables.osuosl
index d27dc9751e..b5e23fbcea 100644
--- a/roles/base/templates/iptables/iptables.osuosl
+++ b/roles/base/templates/iptables/iptables.osuosl
@@ -26,8 +26,8 @@
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 192.168.0.0/24 -i tun0 -j ACCEPT
 # external ip for phx2
 -A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 209.132.181.0/24 -j ACCEPT
-# external ip for scrye
--A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 75.148.32.185 -j ACCEPT
+# external ip for iad2/batcave01
+-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -s 38.145.60.16 -j ACCEPT
 # for nrpe - allow it from nocs
 -A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT