infrastructure/ansible
1
0
Fork 0
Code Pull requests 7 Activity Actions

openshift builds aren't in the cluster overlay network, fix iptables rules

Browse source 
Signed-off-by: Adam Miller <admiller@redhat.com>
This commit is contained in:
Adam Miller 2016-11-07 23:04:54 +00:00
parent 1686f64886
commit e916d0bb46
2 changed files with 50 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

50
files/osbs/fix-docker-iptables.production
View file

@ -8,47 +8,47 @@
iptables --flush FORWARD
# Re-insert some basic rules
iptables -A FORWARD -o br0 -j DOCKER
iptables -A FORWARD -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
# Now insert access to allowed boxes
# docker-registry
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
#koji.fp.o
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
# pkgs
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
# DNS
iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
# mirrors.fp.o
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
# dl.phx2
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
# Docker is CRAZY and forces Google DNS upon us.....
iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

50
files/osbs/fix-docker-iptables.staging
View file

@ -8,47 +8,47 @@
iptables --flush FORWARD
# Re-insert some basic rules
iptables -A FORWARD -o br0 -j DOCKER
iptables -A FORWARD -o br0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i br0 -o br0 -j ACCEPT
iptables -A FORWARD -o docker0 -j DOCKER
iptables -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
# Now insert access to allowed boxes
# docker-registry
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
#koji.fp.o
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
# pkgs.stg
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
# DNS
iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
iptables -A FORWARD -i br0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
# mirrors.fp.o
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
# dl.phx2
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
iptables -A FORWARD -i br0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
iptables -A FORWARD -i docker0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
# Docker is CRAZY and forces Google DNS upon us.....
iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A FORWARD -i br0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
iptables -A FORWARD -i docker0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited