38 lines
1.3 KiB
Plaintext
38 lines
1.3 KiB
Plaintext
*filter
|
|
:INPUT ACCEPT [0:0]
|
|
:FORWARD ACCEPT [0:0]
|
|
:OUTPUT ACCEPT [0:0]
|
|
:openstack-INPUT - [0:0]
|
|
-A INPUT -j openstack-INPUT
|
|
-A openstack-INPUT -i lo -j ACCEPT
|
|
-A openstack-INPUT -p icmpv6 -j ACCEPT
|
|
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
# SSH from anywhere
|
|
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
|
|
# SNMP
|
|
<% @snmp_v6hosts.each do |host| -%>
|
|
-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
|
|
<% end -%>
|
|
# Public TCP ports
|
|
<% @public_tcp_ports.each do |port| -%>
|
|
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
|
|
<% end -%>
|
|
# Public UDP ports
|
|
<% @public_udp_ports.each do |port| -%>
|
|
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
|
|
<% end -%>
|
|
# Per-host rules
|
|
<% @rules6.each do |rule| -%>
|
|
-A openstack-INPUT <%= rule %>
|
|
<% end -%>
|
|
<% begin -%>
|
|
<% @allowed_hosts.each do |host| -%>
|
|
<% scope.call_function('dns_aaaa', [host['hostname']]).each do |addr| -%>
|
|
-A openstack-INPUT <% if host['protocol'] == 'tcp' %>-m state --state NEW <% end -%>-m <%= host['protocol'] %> -p <%= host['protocol'] %> -s <%= addr %> --dport <%= host['port'] %> -j ACCEPT
|
|
<% end -%>
|
|
<% end -%>
|
|
<% rescue Resolv::ResolvError -%>
|
|
<% end -%>
|
|
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
|
|
COMMIT
|