#! /bin/sh # vim: tabstop=4 shiftwidth=4 softtabstop=4 # Copyright 2010 United States Government as represented by the # Administrator of the National Aeronautics and Space Administration. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # NOTE(vish): This script sets up some reasonable defaults for iptables and # creates nova-specific chains. If you use this script you should # run nova-network and nova-compute with --use_nova_chains=True # NOTE(vish): If you run public nova-api on a different port, make sure to # change the port here if [ -f /etc/default/nova-iptables ] ; then . /etc/default/nova-iptables fi export LC_ALL=C API_PORT=${API_PORT:-"8773"} if [ ! -n "$IP" ]; then # NOTE(vish): IP address is what address the services ALLOW on. # This will just get the first ip in the list, so if you # have more than one eth device set up, this will fail, and # you should explicitly pass in the ip of the instance IP=`ifconfig | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'` fi if [ ! -n "$PRIVATE_RANGE" ]; then #NOTE(vish): PRIVATE_RANGE: range is ALLOW to access DHCP PRIVATE_RANGE="192.168.0.0/12" fi if [ ! -n "$MGMT_IP" ]; then # NOTE(vish): Management IP is the ip over which to allow ssh traffic. It # will also allow traffic to nova-api MGMT_IP="$IP" fi if [ ! -n "$DMZ_IP" ]; then # NOTE(vish): DMZ IP is the ip over which to allow api & objectstore access DMZ_IP="$IP" fi clear_nova_iptables() { iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F iptables -t nat -F iptables -F services iptables -X services # HACK: re-adding fail2ban rules :( iptables -N fail2ban-ssh iptables -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh iptables -A fail2ban-ssh -j RETURN } load_nova_iptables() { iptables -P INPUT DROP iptables -A INPUT -m state --state INVALID -j DROP iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # NOTE(ja): allow localhost for everything iptables -A INPUT -d 127.0.0.1/32 -j ACCEPT # NOTE(ja): 22 only allowed MGMT_IP before, but we widened it to any # address, since ssh should be listening only on internal # before we re-add this rule we will need to add # flexibility for RSYNC between omega/stingray iptables -A INPUT -m tcp -p tcp --dport 22 -j ACCEPT iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT iptables -A INPUT -p icmp -j ACCEPT iptables -N services iptables -A INPUT -j services iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable iptables -P FORWARD DROP iptables -A FORWARD -m state --state INVALID -j DROP iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu # NOTE(vish): DROP on output is too restrictive for now. We need to add # in a bunch of more specific output rules to use it. # iptables -P OUTPUT DROP iptables -A OUTPUT -m state --state INVALID -j DROP iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT if [ -n "$GANGLIA" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT iptables -A services -m udp -p udp -d $IP --dport 8649 -j ACCEPT fi # if [ -n "$WEB" ] || [ -n "$ALL" ]; then # # NOTE(vish): This opens up ports for web access, allowing web-based # # dashboards to work. # iptables -A services -m tcp -p tcp -d $IP --dport 80 -j ACCEPT # iptables -A services -m tcp -p tcp -d $IP --dport 443 -j ACCEPT # fi if [ -n "$OBJECTSTORE" ] || [ -n "$ALL" ]; then # infrastructure iptables -A services -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT # clients iptables -A services -m tcp -p tcp -d $DMZ_IP --dport 3333 -j ACCEPT fi if [ -n "$API" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT if [ "$IP" != "$DMZ_IP" ]; then iptables -A services -m tcp -p tcp -d $DMZ_IP --dport $API_PORT -j ACCEPT fi if [ "$IP" != "$MGMT_IP" ] && [ "$DMZ_IP" != "$MGMT_IP" ]; then iptables -A services -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT fi fi if [ -n "$REDIS" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT fi if [ -n "$MYSQL" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT fi if [ -n "$RABBITMQ" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT iptables -A services -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT iptables -A services -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT fi if [ -n "$DNSMASQ" ] || [ -n "$ALL" ]; then # NOTE(vish): this could theoretically be setup per network # for each host, but it seems like overkill iptables -A services -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT iptables -A services -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT iptables -A services -m udp -p udp --dport 67 -j ACCEPT fi if [ -n "$LDAP" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 389 -j ACCEPT fi if [ -n "$ISCSI" ] || [ -n "$ALL" ]; then iptables -A services -m tcp -p tcp -d $IP --dport 3260 -j ACCEPT iptables -A services -m tcp -p tcp -d 127.0.0.0/16 --dport 3260 -j ACCEPT fi } case "$1" in start) echo "Starting nova-iptables: " load_nova_iptables ;; stop) echo "Clearing nova-iptables: " clear_nova_iptables ;; restart) echo "Restarting nova-iptables: " clear_nova_iptables load_nova_iptables ;; *) echo "Usage: $NAME {start|stop|restart}" >&2 exit 1 ;; esac exit 0