91 lines
4.3 KiB
Bash
91 lines
4.3 KiB
Bash
#!/bin/bash -xe
|
|
# Note: this is done as a script because it needs to be run after
|
|
# every docker service restart.
|
|
# And just doing an iptables-restore is going to mess up kubernetes'
|
|
# NAT table.
|
|
# And it gets even better with openshift! It thinks I'm stupid and need
|
|
# to be corrected by automatically adding the "allow all" rules back at
|
|
# the top as soon as I remove them.
|
|
# To circumvent that, we're just adding a new chain for this, as it seems
|
|
# that it doesn't do anything with the firewall if we keep its rules in
|
|
# place. (it doesn't check the order of its rules, only that they exist)
|
|
|
|
if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
|
|
then
|
|
iptables -N FILTER_FORWARD
|
|
fi
|
|
if [ "`iptables -nL | grep 'FILTER_FORWARD all'`" == "" ];
|
|
then
|
|
iptables -I FORWARD 1 -j FILTER_FORWARD
|
|
iptables -I FORWARD 2 -j REJECT
|
|
iptables -I DOCKER-ISOLATION 1 -j FILTER_FORWARD
|
|
fi
|
|
|
|
# Delete all old rules
|
|
iptables --flush FILTER_FORWARD
|
|
|
|
# Re-insert some basic rules
|
|
iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
|
|
|
|
# Now insert access to allowed boxes
|
|
# docker-registry aws cdn
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.34 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.23 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.73 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.88 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.34 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.23 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.73 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 54.230.74.88 --dport 443 -j ACCEPT
|
|
|
|
# Candidate registry
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.102 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.102 --dport 443 -j ACCEPT
|
|
|
|
#koji.fp.o
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.104 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.104 --dport 443 -j ACCEPT
|
|
|
|
# pkgs
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.169.116 --dport 9418 -j ACCEPT
|
|
|
|
# DNS
|
|
iptables -A FILTER_FORWARD -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p udp -m udp -d 10.3.163.33 --dport 53 -j ACCEPT
|
|
|
|
# mirrors.fp.o
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.76 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.77 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.75 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.74 --dport 443 -j ACCEPT
|
|
|
|
# infrastructure.fp.o (infra repos)
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.35 --dport 443 -j ACCEPT
|
|
|
|
# Kerberos
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.76 --dport 1088 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.77 --dport 1088 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.75 --dport 1088 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.74 --dport 1088 -j ACCEPT
|
|
|
|
# dl.phx2
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.49 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.49 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.50 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.50 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.51 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.51 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.85 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.85 --dport 443 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.84 --dport 80 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.3.163.84 --dport 443 -j ACCEPT
|
|
|
|
# Docker is CRAZY and forces Google DNS upon us.....
|
|
iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
|
|
iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
|
|
|
|
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
|
|
|