9 {% set infra_external = networking['infra_external']['interface'] %}
10 -A INPUT ! -i {{ infra_external }} -m comment --comment "Allow Non-OAM IPv4 Traffic" -j ACCEPT
11 {% if 'infra_access' in networking %}
12 {% set infra_access = networking['infra_access']['interface'] %}
13 -A INPUT ! -i {{ infra_access }} -m comment --comment "Allow Non-OAM IPv4 Traffic" -j ACCEPT
15 -A INPUT -m comment --comment "Allow related IPv4 traffic" -m state --state RELATED,ESTABLISHED -j ACCEPT
16 -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "Allow SSH IPv4 Connection" -j ACCEPT
17 -A INPUT -p tcp -m multiport --sports 6514 -m comment --comment "Allow Incoming Remote Logging" -m state --state NEW,ESTABLISHED -j ACCEPT
19 # Drop all packets from same source over the rate limit
20 # To prevent Sockstress TCP DoS attack
21 -A INPUT -p tcp -m state --state NEW -m recent --set
22 -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
24 # Drop all NULL packets.
25 -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
27 # ICMP - Allow required types
28 -A INPUT -p icmp -m icmp --icmp-type 8 -m comment --comment "ICMP Echo Requests" -j ACCEPT
29 -A INPUT -p icmp -m icmp --icmp-type 0 -m comment --comment "ICMP Echo Replies" -j ACCEPT
30 -A INPUT -p icmp -m icmp --icmp-type 11 -m comment --comment "ICMP TTL Exceeded" -j ACCEPT
31 -A INPUT -p icmp -m icmp --icmp-type 3 -m comment --comment "ICMP Destination Unreachable" -j ACCEPT
34 -A INPUT -p udp -m multiport --dports 123 -m comment --comment "Allow Incoming NTP" -j ACCEPT
35 -A INPUT -p udp -m multiport --dports 53 -m comment --comment "Allow Incoming DNS" -m state --state ESTABLISHED -j ACCEPT
37 # SNMP traps to be received from BMC's
38 -A INPUT -p udp -m multiport --dports 162 -m comment --comment "Allow Incoming SNMP Traps" -j ACCEPT
40 -A INPUT -p tcp -m multiport --dports 80 -m comment --comment "Allow Incoming Horizon Dashboard" -j ACCEPT
41 {% if haproxy_ssl|default(False) %}
42 -A INPUT -p tcp -m multiport --dports 443 -m comment --comment "Allow Incoming Horizon Dashboard" -j ACCEPT
45 #### External HTTP interfaces
46 {% if hosts[ansible_hostname]['installation_host']|default(False) %}
47 -A INPUT -p tcp -m multiport --dports 8082 -m comment --comment "Allow Installer WebUI" -j ACCEPT
48 -A INPUT -i lo -j ACCEPT
50 -A INPUT -p tcp -m multiport --dports 6385 -m comment --comment "Allow Incoming Ironic Api" -j ACCEPT
51 -A INPUT -p tcp -m multiport --dports 5000 -m comment --comment "Allow Incoming Keystone Api" -j ACCEPT
52 -A INPUT -p tcp -m multiport --dports 8888 -m comment --comment "Allow Netact Interface " -j ACCEPT
53 -A INPUT -p tcp -m multiport --dports 61200 -m comment --comment "Allow Restful Service" -j ACCEPT
54 -A INPUT -p tcp -m multiport --dports {{base_shell_inabox_port}}{% if number_of_nodes|int > 1%}:{{base_shell_inabox_port + number_of_nodes|int - 1}}{% endif %} -m comment --comment "Allow Shell in a box" -j ACCEPT
56 -A INPUT -m comment --comment "Log Dropped IPv4 Traffic" -m limit --limit 2/min -j LOG --log-prefix "iptables-in-dropped: "
57 -A INPUT -m comment --comment "Drop All Other Traffic" -j DROP
60 -A FORWARD ! -i {{ infra_external }} -m comment --comment "Allow Forward Non-OAM IPv4 Traffic" -j ACCEPT
61 {% if networking['infra_access'] is defined and ansible_hostname in groups['compute']%}
62 -A FORWARD -i {{ infra_access }} -m comment --comment "Allow Forward Non-OAM IPv4 Traffic" -j DROP
64 -A FORWARD -m comment --comment "Allow Forward Related IPv4 Traffic" -m state --state RELATED,ESTABLISHED -j ACCEPT
65 -A FORWARD -m comment --comment "Log Dropped Forwarded IPv4 Traffic" -m limit --limit 2/min -j LOG --log-prefix "iptables-fwd-dropped: "
68 -A OUTPUT -p tcp -m multiport --dports 6514 -m comment --comment "Allow Outgoing remote logging" -m state --state NEW,ESTABLISHED -j ACCEPT
69 -A OUTPUT -p udp -m multiport --dports 53 -m comment --comment "Allow Outgoing DNS" -m state --state NEW,ESTABLISHED -j ACCEPT
Code Review / ta / infra-ansible.git / blob