airship/treasuremap
Code Issues Proposed changes
ebc1589537
treasuremap/manifests/function/workers-vm-infra/iptables-setup.yaml
Andrii Ostapenko 563e8ccb4d
Separate dhcp domains for worker nodes 
With this commit vm related dhcp traffic are contained within the same
host.

Signed-off-by: Andrii Ostapenko <andrii.ostapenko@att.com>
Change-Id: I916b1e07e9acd4c66942cb5cb434d0ab0d36adbb
2021-06-27 18:55:45 -06:00

44 lines
2.0 KiB
YAML
Raw Blame History

- op: add
path: "/spec/template/spec/preKubeadmCommands/-"
value:
systemctl enable --now iptables-setup.service
- op: add
path: "/spec/template/spec/files/-"
value:
path: /etc/systemd/system/iptables-setup.service
permissions: "0644"
owner: root:root
content: |
[Unit]
Description=Service to setup iptables
Wants=network-online.target
After=network.target network-online.target
[Service]
User=root
WorkingDirectory=/usr/bin
ExecStart=/usr/bin/iptables-setup.sh
[Install]
WantedBy=multi-user.target
- op: add
path: "/spec/template/spec/files/-"
value:
path: /usr/bin/iptables-setup.sh
permissions: "0744"
owner: root:root
content: |
#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
# activate ip_forwarding
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 --log-level info --log-ip --log-prefix EBFWbc -j DROP
ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 --log-level info --log-ip --log-prefix EBFWbc -j DROP
ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto tcp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWtcp -j DROP
ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto tcp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWtcp -j DROP
ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto udp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWudp -j DROP
ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto udp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWudp -j DROP
exit 0
View Git Blame Copy Permalink