apply Patricks magic osbs cluster iptables rules to new cluster

Signed-off-by: Adam Miller <admiller@redhat.com>

files/osbs/fix-docker-iptables.production

@@ -3,52 +3,66 @@
 # every docker service restart.
 # And just doing an iptables-restore is going to mess up kubernetes'
 # NAT table.
+# And it gets even better with openshift! It thinks I'm stupid and need
+# to be corrected by automatically adding the "allow all" rules back at
+# the top as soon as I remove them.
+# To circumvent that, we're just adding a new chain for this, as it seems
+# that it doesn't do anything with the firewall if we keep its rules in
+# place. (it doesn't check the order of its rules, only that they exist)
+
+if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
+then
+    iptables -N FILTER_FORWARD
+fi
+if [ "`iptables -nL | grep 'FILTER_FORWARD  all'`" == "" ];
+then
+    iptables -I FORWARD 1 -j FILTER_FORWARD
+fi
 
 # Delete all old rules
-iptables --flush FORWARD
+iptables --flush FILTER_FORWARD
 
 # Re-insert some basic rules
-iptables -A FORWARD -o lbr0 -j DOCKER
+iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
-iptables -A FORWARD -i lbr0 -o lbr0 -j ACCEPT
 
 # Now insert access to allowed boxes
 # docker-registry
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.56 --dport 443 -j ACCEPT
 
 #koji.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.61 --dport 443 -j ACCEPT
 
 # pkgs
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.125.44 --dport 9418 -j ACCEPT
 
 # DNS
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 
 # mirrors.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 
 # dl.phx2
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
 
 
 # Docker is CRAZY and forces Google DNS upon us.....
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
 
 iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 

files/osbs/fix-docker-iptables.staging

@@ -3,52 +3,66 @@
 # every docker service restart.
 # And just doing an iptables-restore is going to mess up kubernetes'
 # NAT table.
+# And it gets even better with openshift! It thinks I'm stupid and need
+# to be corrected by automatically adding the "allow all" rules back at
+# the top as soon as I remove them.
+# To circumvent that, we're just adding a new chain for this, as it seems
+# that it doesn't do anything with the firewall if we keep its rules in
+# place. (it doesn't check the order of its rules, only that they exist)
+
+if [ "`iptables -nL | grep FILTER_FORWARD`" == "" ];
+then
+    iptables -N FILTER_FORWARD
+fi
+if [ "`iptables -nL | grep 'FILTER_FORWARD  all'`" == "" ];
+then
+    iptables -I FORWARD 1 -j FILTER_FORWARD
+fi
 
 # Delete all old rules
-iptables --flush FORWARD
+iptables --flush FILTER_FORWARD
 
 # Re-insert some basic rules
-iptables -A FORWARD -o lbr0 -j DOCKER
+iptables -A FILTER_FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-iptables -A FORWARD -o lbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FILTER_FORWARD --src 10.1.0.0/16 --dst 10.1.0.0/16 -j ACCEPT
-iptables -A FORWARD -i lbr0 -o lbr0 -j ACCEPT
 
 # Now insert access to allowed boxes
 # docker-registry
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.217 --dport 443 -j ACCEPT
 
 #koji.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.87 --dport 443 -j ACCEPT
 
 # pkgs.stg
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.83 --dport 9418 -j ACCEPT
 
 # DNS
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.21 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 10.5.126.22 --dport 53 -j ACCEPT
 
 # mirrors.fp.o
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.51 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.52 --dport 443 -j ACCEPT
 
 # dl.phx2
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.93 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.94 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.95 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.96 --dport 443 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 80 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
+iptables -A FILTER_FORWARD -p tcp -m tcp -d 10.5.126.97 --dport 443 -j ACCEPT
 
 
 # Docker is CRAZY and forces Google DNS upon us.....
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.8.8 --dport 53 -j ACCEPT
-iptables -A FORWARD -i lbr0 -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
+iptables -A FILTER_FORWARD -p udp -m udp -d 8.8.4.4 --dport 53 -j ACCEPT
 
-iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
+iptables -A FILTER_FORWARD -j REJECT --reject-with icmp-host-prohibited