X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=roles%2Fin_host_traffic_filtering_controller%2Ftemplates%2Fiptables.j2;fp=roles%2Fin_host_traffic_filtering_controller%2Ftemplates%2Fiptables.j2;h=612a59d0460e14c5e94bea9cd698b1fed3f302f2;hb=74a49ba6ef2ea715fa492db0bcd85c30398688e8;hp=0000000000000000000000000000000000000000;hpb=a936af362724cca0c5dc2c424902d398f9833410;p=ta%2Finfra-ansible.git
diff --git a/roles/in_host_traffic_filtering_controller/templates/iptables.j2 b/roles/in_host_traffic_filtering_controller/templates/iptables.j2
new file mode 100644
index 0000000..612a59d
--- /dev/null
+++ b/roles/in_host_traffic_filtering_controller/templates/iptables.j2
@@ -0,0 +1,71 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+
+ ######INPUT Chain
+#### Platform traffic
+{% set infra_external = networking['infra_external']['interface'] %}
+-A INPUT ! -i {{ infra_external }} -m comment --comment "Allow Non-OAM IPv4 Traffic" -j ACCEPT
+{% if 'infra_access' in networking %}
+{% set infra_access = networking['infra_access']['interface'] %}
+-A INPUT ! -i {{ infra_access }} -m comment --comment "Allow Non-OAM IPv4 Traffic" -j ACCEPT
+{% endif %}
+-A INPUT -m comment --comment "Allow related IPv4 traffic" -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "Allow SSH IPv4 Connection" -j ACCEPT
+-A INPUT -p tcp -m multiport --sports 6514 -m comment --comment "Allow Incoming Remote Logging" -m state --state NEW,ESTABLISHED -j ACCEPT
+
+# Drop all packets from same source over the rate limit
+# To prevent Sockstress TCP DoS attack
+-A INPUT -p tcp -m state --state NEW -m recent --set
+-A INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
+
+# Drop all NULL packets.
+-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
+
+# ICMP - Allow required types
+-A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP Echo Requests" -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP Echo Replies" -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment "ICMP TTL Exceeded" -j ACCEPT
+-A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP Destination Unreachable" -j ACCEPT
+
+# NTP and DNS
+-A INPUT -p udp -m multiport --dports 123 -m comment --comment "Allow Incoming NTP" -j ACCEPT
+-A INPUT -p udp -m multiport --dports 53 -m comment --comment "Allow Incoming DNS" -m state --state ESTABLISHED -j ACCEPT
+
+# SNMP traps to be received from BMC's
+-A INPUT -p udp -m multiport --dports 162 -m comment --comment "Allow Incoming SNMP Traps" -j ACCEPT
+
+-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow Incoming Horizon Dashboard" -j ACCEPT
+{% if haproxy_ssl|default(False) %}
+-A INPUT -p tcp -m multiport --dports 443 -m comment --comment "Allow Incoming Horizon Dashboard" -j ACCEPT
+{% endif %}
+
+#### External HTTP interfaces
+{% if hosts[ansible_hostname]['installation_host']|default(False) %}
+-A INPUT -p tcp -m multiport --dports 8082 -m comment --comment "Allow Installer WebUI" -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+{% endif %}
+-A INPUT -p tcp -m multiport --dports 6385 -m comment --comment "Allow Incoming Ironic Api" -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 5000 -m comment --comment "Allow Incoming Keystone Api" -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 8888 -m comment --comment "Allow Netact Interface " -j ACCEPT
+-A INPUT -p tcp -m multiport --dports 61200 -m comment --comment "Allow Restful Service" -j ACCEPT
+-A INPUT -p tcp -m multiport --dports {{base_shell_inabox_port}}{% if number_of_nodes|int > 1%}:{{base_shell_inabox_port + number_of_nodes|int - 1}}{% endif %} -m comment --comment "Allow Shell in a box" -j ACCEPT
+
+-A INPUT -m comment --comment "Log Dropped IPv4 Traffic" -m limit --limit 2/min -j LOG --log-prefix "iptables-in-dropped: "
+-A INPUT -m comment --comment "Drop All Other Traffic" -j DROP
+
+######FORWARD Chain
+-A FORWARD ! -i {{ infra_external }} -m comment --comment "Allow Forward Non-OAM IPv4 Traffic" -j ACCEPT
+{% if networking['infra_access'] is defined and ansible_hostname in groups['compute']%}
+-A FORWARD -i {{ infra_access }} -m comment --comment "Allow Forward Non-OAM IPv4 Traffic" -j DROP
+{% endif %}
+-A FORWARD -m comment --comment "Allow Forward Related IPv4 Traffic" -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -m comment --comment "Log Dropped Forwarded IPv4 Traffic" -m limit --limit 2/min -j LOG --log-prefix "iptables-fwd-dropped: "
+
+######OUTPUT Chain
+-A OUTPUT -p tcp -m multiport --dports 6514 -m comment --comment "Allow Outgoing remote logging" -m state --state NEW,ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m multiport --dports 53 -m comment --comment "Allow Outgoing DNS" -m state --state NEW,ESTABLISHED -j ACCEPT
+
+COMMIT
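Review bot: The INPUT rule `-A INPUT -p tcp -m multiport --sports 6514 ... -m state --state NEW,ESTABLISHED -j ACCEPT` near the top of the chain matches on the remote *source* port, so any host on the OAM (`infra_external`) interface that binds local port 6514 can open a new TCP connection to every listener on this node, which defeats the default-DROP policy and the port allow-list that follows. Replies to this node's own outgoing TLS-syslog sessions are already admitted by the preceding RELATED,ESTABLISHED rule (and the OUTPUT chain has an ACCEPT policy anyway), so the rule should be deleted, or, if this node is genuinely meant to receive remote logs, changed to `-A INPUT -p tcp -m multiport --dports 6514 -m comment --comment "Allow Incoming Remote Logging" -j ACCEPT`. Separately, the compute-only FORWARD rule `-A FORWARD -i {{ infra_access }} ... -j DROP` carries the comment "Allow Forward Non-OAM IPv4 Traffic" although its target is DROP, which will mislead anyone auditing `iptables -L`; a comment such as `"Drop Forward from infra_access on compute"` reflects what it does. Note also that port 80 for Horizon stays open unconditionally even when `haproxy_ssl` adds 443, so plaintext dashboard access remains reachable unless that is intended.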