Add iptables role

Co-Authored-By: James E. Blair <corvus@inaugust.com> Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c Depends-On: https://review.openstack.org/596503
2018-08-20 18:31:33 -05:00 · 2018-08-20 18:31:33 -05:00 · 15663daaf7
commit 15663daaf7
parent dde24421d0
54 changed files with 816 additions and 373 deletions
--- a/hiera/common.yaml
+++ b/hiera/common.yaml
@ -6,68 +6,6 @@ elasticsearch_nodes:
 - elasticsearch05.openstack.org
 - elasticsearch06.openstack.org
 - elasticsearch07.openstack.org
-elasticsearch_iptables_rule_data:
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
-logstash_iptables_rule_data:
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
- {protocol: 'tcp', port: '4730', hostname: 'ze11.openstack.org'}
 infra_apache_serveradmin: noc@openstack.org
 statusbot_channels:
 - airshipit
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@ -2,6 +2,7 @@ plugin: constructed
 groups:
  adns: inventory_hostname.startswith('adns')
  afs: inventory_hostname is match('afs\d+.*openstack.org')
+  afs-client: inventory_hostname is match('(review-dev\d*|mirror\d*\..*|files\d*|ze\d+|afsdb.*|afs.*\..*)\.openstack\.org')
  afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org')
  afsdb: inventory_hostname is match('afsdb.*openstack.org')
  ask: inventory_hostname.startswith('ask')
@ -11,21 +12,31 @@ groups:
  eavesdrop: inventory_hostname.startswith('eavesdrop')
  elasticsearch: inventory_hostname is match('elasticsearch0[1-7]\.openstack\.org')
  ethercalc: inventory_hostname.startswith('ethercalc')
+  etherpad: inventory_hostname.startswith('etherpad')
  files: inventory_hostname.startswith('files')
  firehose: inventory_hostname.startswith('firehose')
  futureparser: inventory_hostname is match('(review-dev\d*|groups\d*|groups-dev\d*|graphite\d*|etherpad-dev\d*|ask-staging\d*|codesearch\d*)\.openstack\.org')
+  gerrit: inventory_hostname is match('review.*\.openstack\.org')
  git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
  git-server: inventory_hostname is match('git\d+\.openstack\.org')
  grafana: inventory_hostname.startswith('grafana')
-  groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
+  graphite: inventory_hostname.startswith('graphite')
+  groups: inventory_hostname is match('groups(-dev)?\d*\.openstack\.org')
+  health: inventory_hostname.startswith('health')
+  kdc: inventory_hostname.startswith('kdc')
+  logstash: inventory_hostname is match('logstash\d*\.openstack\.org')
  logstash-worker: inventory_hostname.startswith('logstash-worker')
  mailman: inventory_hostname.startswith('lists')
-  nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
+  mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
+  nodepool: inventory_hostname is match('(nodepool|nb|nl)')
  ns: inventory_hostname.startswith('ns')
  paste: inventory_hostname.startswith('paste')
+  pbx: inventory_hostname.startswith('pbx')
  puppet: not inventory_hostname.startswith('bridge')
+  refstack: inventory_hostname.startswith('refstack')
  review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
  review: inventory_hostname is match('review\d+\.openstack\.org')
+  static: inventory_hostname.startswith('static')
  status: inventory_hostname.startswith('status')
  storyboard: inventory_hostname.startswith('storyboard')
  storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
@ -33,8 +44,10 @@ groups:
  survey: inventory_hostname.startswith('survey')
  translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')
  translate: inventory_hostname is match('translate\d+\.openstack\.org')
+  webservers: inventory_hostname is match('(grafana\d*|health\d*|graphite\d*|groups\d*|groups-dev\d*|eavesdrop\d*|paste\d*|ethercalc\d+|etherpad\d*|etherpad-dev\d*|files\d*|refstack\d*|static\d*|status\d*|survey\d+|nodepool|nl\d+|nb\d+|zm\d+|ask|ask-staging|translate.*|codesearch\d*|cacti\d+|wiki.*|storyboard.*|openstackid-dev|planet)\.openstack\.org|openstackid.org')
  wiki-dev: inventory_hostname is match('wiki-dev\d+\.openstack\.org')
  wiki: inventory_hostname is match('wiki\d+\.openstack\.org')
+  zookeeper: inventory_hostname.startswith('zk')
  zuul-executor: inventory_hostname.startswith('ze')
  zuul-merger: inventory_hostname is match('z[lm](static)?\d+\.openstack\.org')
  zuul-scheduler: inventory_hostname.startswith('zuul')
--- a/manifests/site.pp
+++ b/manifests/site.pp
@ -20,13 +20,7 @@ node default {
 #
 # Node-OS: xenial
 node 'review.openstack.org' {
-  $iptables_rules =
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::review':
    project_config_repo                 => 'https://git.openstack.org/openstack-infra/project-config',
@ -66,13 +60,7 @@ node 'review.openstack.org' {
 node 'review01.openstack.org' {
  $group = "review"

-  $iptables_rules =
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::review':
    project_config_repo                 => 'https://git.openstack.org/openstack-infra/project-config',
@ -112,12 +100,7 @@ node 'review01.openstack.org' {
 node /^review-dev\d*\.openstack\.org$/ {
  $group = "review-dev"

-  $iptables_rules =
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
    afs                       => true,
  }

@ -148,9 +131,7 @@ node /^review-dev\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^grafana\d*\.openstack\.org$/ {
  $group = "grafana"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::grafana':
    admin_password      => hiera('grafana_admin_password'),
    admin_user          => hiera('grafana_admin_user', 'username'),
@ -166,9 +147,7 @@ node /^grafana\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^health\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::openstack_health_api':
    subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
  }
@ -187,7 +166,6 @@ node /^cacti\d+\.openstack\.org$/ {
 # Node-OS: trusty
 node 'puppetmaster.openstack.org' {
  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [8140],
    pin_puppet                => '3.6.',
  }
  class { 'openstack_project::puppetmaster':
@ -206,40 +184,7 @@ node 'puppetmaster.openstack.org' {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^graphite\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-    iptables_allowed_hosts    => [
-      {protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'mirror-update01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
-    ],
-  }
+  class { 'openstack_project::server': }

  class { '::graphite':
    graphite_admin_user     => hiera('graphite_admin_user', 'username'),
@ -251,9 +196,7 @@ node /^graphite\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^groups\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::groups':
    site_admin_password          => hiera('groups_site_admin_password'),
    site_mysql_host              => hiera('groups_site_mysql_host', 'localhost'),
@ -268,9 +211,7 @@ node /^groups\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^groups-dev\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::groups_dev':
    site_admin_password          => hiera('groups_dev_site_admin_password'),
    site_mysql_host              => hiera('groups_dev_site_mysql_host', 'localhost'),
@ -286,9 +227,7 @@ node /^groups-dev\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^lists\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [25, 80, 465],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::lists':
    listpassword => hiera('listpassword'),
@ -297,9 +236,7 @@ node /^lists\d*\.openstack\.org$/ {

 # Node-OS: xenial
 node /^lists\d*\.katacontainers\.io$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [25, 80, 465],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::kata_lists':
    listpassword => hiera('listpassword'),
@ -310,9 +247,7 @@ node /^lists\d*\.katacontainers\.io$/ {
 node /^paste\d*\.openstack\.org$/ {
  $group = "paste"

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::paste':
    db_password         => hiera('paste_db_password'),
    db_host             => hiera('paste_db_host'),
@ -329,9 +264,7 @@ node /planet\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^eavesdrop\d*\.openstack\.org$/ {
  $group = "eavesdrop"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::eavesdrop':
    project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
@ -368,9 +301,7 @@ node /^eavesdrop\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^ethercalc\d+\.openstack\.org$/ {
  $group = "ethercalc"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::ethercalc':
    vhost_name              => 'ethercalc.openstack.org',
@ -383,9 +314,7 @@ node /^ethercalc\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^etherpad\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::etherpad':
    ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
@ -400,9 +329,7 @@ node /^etherpad\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^etherpad-dev\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::etherpad_dev':
    mysql_host          => hiera('etherpad-dev_db_host', 'localhost'),
@ -454,10 +381,7 @@ node /^wiki-dev\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^logstash\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 3306],
-    iptables_allowed_hosts    => hiera_array('logstash_iptables_rule_data'),
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::logstash':
    discover_nodes      => [
@ -477,9 +401,7 @@ node /^logstash\d*\.openstack\.org$/ {
 node /^logstash-worker\d+\.openstack\.org$/ {
  $group = 'logstash-worker'

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::logstash_worker':
    discover_node         => 'elasticsearch03.openstack.org',
@ -492,9 +414,7 @@ node /^logstash-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^subunit-worker\d+\.openstack\.org$/ {
  $group = "subunit-worker"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::subunit_worker':
    subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
    subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
@ -506,10 +426,7 @@ node /^subunit-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^elasticsearch0[1-7]\.openstack\.org$/ {
  $group = "elasticsearch"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22],
-    iptables_allowed_hosts    => hiera_array('elasticsearch_iptables_rule_data'),
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::elasticsearch_node':
    discover_nodes => $elasticsearch_nodes,
  }
@ -517,12 +434,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {

 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    # NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
-    # connections seem to crash mosquitto. Once this is fixed we should add
-    # them back
-    iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::firehose':
    gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
    gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
@ -572,9 +484,7 @@ node /^git(-fe\d+)?\.openstack\.org$/ {
 node /^git\d+\.openstack\.org$/ {
  $group = "git-server"
  include openstack_project
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [4443, 8080, 29418],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::git_backend':
    project_config_repo                     => 'https://git.openstack.org/openstack-infra/project-config',
@ -621,7 +531,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
  $group = "mirror"

  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
    afs                       => true,
    afs_cache_size            => 50000000,  # 50GB
  }
@ -637,7 +546,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
 node /^files\d*\.openstack\.org$/ {
  $group = "files"
  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
    afs                       => true,
    afs_cache_size            => 10000000,  # 10GB
  }
@ -666,9 +574,7 @@ node /^files\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^refstack\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'refstack':
    mysql_host          => hiera('refstack_mysql_host', 'localhost'),
    mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
@ -750,9 +656,7 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^static\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::static':
    project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
    swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
@ -769,27 +673,7 @@ node /^static\d*\.openstack\.org$/ {

 # Node-OS: xenial
 node /^zk\d+\.openstack\.org$/ {
-  class { 'openstack_project::server':
-    iptables_allowed_hosts    => [
-      # Zookeeper clients
-      {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
-      # Zookeeper election
-      {protocol => 'tcp', port => '2888', hostname => 'zk01.openstack.org'},
-      {protocol => 'tcp', port => '2888', hostname => 'zk02.openstack.org'},
-      {protocol => 'tcp', port => '2888', hostname => 'zk03.openstack.org'},
-      # Zookeeper leader
-      {protocol => 'tcp', port => '3888', hostname => 'zk01.openstack.org'},
-      {protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
-      {protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
-    ],
-  }
+  class { 'openstack_project::server': }

  class { '::zookeeper':
    # ID needs to be numeric, so we use regex to extra numbers from fqdn.
@ -810,9 +694,7 @@ node /^zk\d+\.openstack\.org$/ {
 node /^status\d*\.openstack\.org$/ {
  $group = 'status'

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::status':
    gerrit_host                   => 'review.openstack.org',
@ -829,9 +711,7 @@ node /^status\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^survey\d+\.openstack\.org$/ {
  $group = "survey"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::survey':
    vhost_name              => 'survey.openstack.org',
@ -853,12 +733,7 @@ node /^survey\d+\.openstack\.org$/ {
 node /^adns\d+\.openstack\.org$/ {
  $group = 'adns'

-  class { 'openstack_project::server':
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
-      {protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
-    ],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::master_nameserver':
    tsig_key => hiera('tsig_key', {}),
@ -872,10 +747,7 @@ node /^adns\d+\.openstack\.org$/ {
 node /^ns\d+\.openstack\.org$/ {
  $group = 'ns'

-  class { 'openstack_project::server':
-    iptables_public_udp_ports => [53],
-    iptables_public_tcp_ports => [53],
-  }
+  class { 'openstack_project::server': }

  $tsig_key = hiera('tsig_key', {})
  if $tsig_key != {} {
@ -905,19 +777,7 @@ node /^ns\d+\.openstack\.org$/ {
 node 'nodepool.openstack.org' {
  $group = 'nodepool'

-  class { 'openstack_project::server':
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
-    ],
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }

  class { '::zookeeper':
    # The frequency in hours to look for and purge old snapshots,
@ -968,9 +828,7 @@ node /^nl\d+\.openstack\.org$/ {
  $packethost_project             = hiera('nodepool_packethost_project', 'project')
  $clouds_yaml                    = template("openstack_project/nodepool/clouds.yaml.erb")

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }

  include openstack_project

@ -1030,9 +888,7 @@ node /^nb\d+\.openstack\.org$/ {
  $packethost_project             = hiera('nodepool_packethost_project', 'project')
  $clouds_yaml                   = template("openstack_project/nodepool/clouds.yaml.erb")

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  include openstack_project

@ -1085,7 +941,6 @@ node /^ze\d+\.openstack\.org$/ {
  $revision                = 'master'

  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [79, 7900],
    afs                       => true,
  }

@ -1177,30 +1032,7 @@ node /^zuul\d+\.openstack\.org$/ {
  $git_name             = 'OpenStack Zuul'
  $revision             = 'master'

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [79, 80, 443],
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze11.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
-    ],
-  }
+  class { 'openstack_project::server': }

  class { '::project_config':
    url => 'https://git.openstack.org/openstack-infra/project-config',
@ -1288,9 +1120,7 @@ node /^zm\d+.openstack\.org$/ {
  $git_name             = 'OpenStack Zuul'
  $revision             = 'master'

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }

  # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
  # settings.
@ -1323,12 +1153,7 @@ node /^zm\d+.openstack\.org$/ {

 # Node-OS: trusty
 node 'pbx.openstack.org' {
-  class { 'openstack_project::server':
-    # SIP signaling is either TCP or UDP port 5060.
-    # RTP media (audio/video) uses a range of UDP ports.
-    iptables_public_tcp_ports => [5060],
-    iptables_public_udp_ports => ['5060', '10000:20000'],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::pbx':
    sip_providers => [
      {
@ -1346,9 +1171,7 @@ node 'pbx.openstack.org' {
 # A backup machine.  Don't run cron or puppet agent on it.
 node /^backup\d+\..*\.ci\.openstack\.org$/ {
  $group = "ci-backup"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [],
-  }
+  class { 'openstack_project::server': }
  include openstack_project::backup_server
 }

@ -1417,20 +1240,14 @@ node 'single-node-ci.test.only' {

 # Node-OS: trusty
 node 'kdc01.openstack.org' {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [88, 464, 749, 754],
-    iptables_public_udp_ports => [88, 464, 749],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::kdc': }
 }

 # Node-OS: xenial
 node 'kdc04.openstack.org' {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [88, 464, 749, 754],
-    iptables_public_udp_ports => [88, 464, 749],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::kdc':
    slave => true,
@ -1442,7 +1259,6 @@ node 'afsdb01.openstack.org' {
  $group = "afsdb"

  class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
    afs                       => true,
  }

@ -1455,7 +1271,6 @@ node /^afsdb.*\.openstack\.org$/ {
  $group = "afsdb"

  class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
    afs                       => true,
  }

@ -1467,7 +1282,6 @@ node /^afs.*\..*\.openstack\.org$/ {
  $group = "afs"

  class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
    afs                       => true,
  }

@ -1477,9 +1291,7 @@ node /^afs.*\..*\.openstack\.org$/ {
 # Node-OS: trusty
 node 'ask.openstack.org' {

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::ask':
    db_user                      => hiera('ask_db_user', 'ask'),
@ -1493,9 +1305,7 @@ node 'ask.openstack.org' {

 # Node-OS: trusty
 node 'ask-staging.openstack.org' {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstack_project::ask_staging':
    db_password                  => hiera('ask_staging_db_password'),
@ -1507,9 +1317,7 @@ node 'ask-staging.openstack.org' {
 # Node-OS: xenial
 node /^translate\d+\.openstack\.org$/ {
  $group = "translate"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::translate':
    admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
    openid_url                 => 'https://openstackid.org',
@ -1555,9 +1363,7 @@ node /^translate-dev\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^codesearch\d*\.openstack\.org$/ {
  $group = "codesearch"
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }
  class { 'openstack_project::codesearch':
    project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
  }
--- a/modules/openstack_project/manifests/cacti.pp
+++ b/modules/openstack_project/manifests/cacti.pp
@ -8,9 +8,7 @@ class openstack_project::cacti (
    fail("${::osfamily} is not supported.")
  }

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  class { '::apache':
    default_vhost => false,
--- a/modules/openstack_project/manifests/git.pp
+++ b/modules/openstack_project/manifests/git.pp
@ -20,9 +20,7 @@ class openstack_project::git (
  $balancer_member_ips = [],
  $selinux_mode = 'enforcing'
 ) {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 9418],
-  }
+  class { 'openstack_project::server': }

  if ($::osfamily == 'RedHat') {
    class { 'selinux':
--- a/modules/openstack_project/manifests/openstackid_dev.pp
+++ b/modules/openstack_project/manifests/openstackid_dev.pp
@ -61,9 +61,7 @@ class openstack_project::openstackid_dev (
  $session_cookie_secure = false,
 ) {

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstackid':
    site_admin_password        => $site_admin_password,
--- a/modules/openstack_project/manifests/openstackid_prod.pp
+++ b/modules/openstack_project/manifests/openstackid_prod.pp
@ -62,9 +62,7 @@ class openstack_project::openstackid_prod (
  $session_cookie_secure = false,
 ) {

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'openstackid':
    site_admin_password        => $site_admin_password,
--- a/modules/openstack_project/manifests/planet.pp
+++ b/modules/openstack_project/manifests/planet.pp
@ -2,9 +2,7 @@
 #
 class openstack_project::planet (
 ) {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80],
-  }
+  class { 'openstack_project::server': }
  include ::planet

  planet::site { 'openstack':
--- a/modules/openstack_project/manifests/server.pp
+++ b/modules/openstack_project/manifests/server.pp
@ -2,11 +2,6 @@
 #
 # A server that we expect to run for some time
 class openstack_project::server (
-  $iptables_public_tcp_ports = [],
-  $iptables_public_udp_ports = [],
-  $iptables_rules4           = [],
-  $iptables_rules6           = [],
-  $iptables_allowed_hosts    = [],
  $pin_puppet                = '3.',
  $ca_server                 = undef,
  $enable_unbound            = true,
@ -49,10 +44,6 @@ class openstack_project::server (
        'kdc04.openstack.org',
      ],
    }
-    $all_udp = concat(
-      $iptables_public_udp_ports, [7001])
-  } else {
-    $all_udp = $iptables_public_udp_ports
  }

  class { 'openstack_project::automatic_upgrades':
@ -61,20 +52,4 @@ class openstack_project::server (

  include snmpd

-  $snmp_v4hosts = [
-    '172.99.116.215', # cacti02.openstack.org
-  ]
-  $snmp_v6hosts = [
-    '2001:4800:7821:105:be76:4eff:fe04:b9a5', # cacti02.opentsack.org
-  ]
-  class { 'iptables':
-    public_tcp_ports => $iptables_public_tcp_ports,
-    public_udp_ports => $all_udp,
-    rules4           => $iptables_rules4,
-    rules6           => $iptables_rules6,
-    snmp_v4hosts     => $snmp_v4hosts,
-    snmp_v6hosts     => $snmp_v6hosts,
-    allowed_hosts    => $iptables_allowed_hosts,
-  }
-
 }
--- a/modules/openstack_project/manifests/storyboard.pp
+++ b/modules/openstack_project/manifests/storyboard.pp
@ -26,9 +26,7 @@ class openstack_project::storyboard(
    url  => $project_config_repo,
  }

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }


  mysql_backup::backup_remote { 'storyboard':
--- a/modules/openstack_project/manifests/summit.pp
+++ b/modules/openstack_project/manifests/summit.pp
@ -1,8 +0,0 @@
-class openstack_project::summit (
-) {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80],
-  }
-}
-
-# vim:sw=2:ts=2:expandtab:textwidth=79
--- a/modules/openstack_project/manifests/translate_dev.pp
+++ b/modules/openstack_project/manifests/translate_dev.pp
@ -35,9 +35,7 @@ class openstack_project::translate_dev(
  $from_address,
  ) {

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'project_config':
    url  => $project_config_repo,
--- a/modules/openstack_project/manifests/wiki.pp
+++ b/modules/openstack_project/manifests/wiki.pp
@ -23,9 +23,7 @@ class openstack_project::wiki (
    ensure => present;
  }

-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
-  }
+  class { 'openstack_project::server': }

  class { 'mediawiki':
    role                       => 'all',
--- a/modules/openstack_project/spec/acceptance/basic_spec.rb
+++ b/modules/openstack_project/spec/acceptance/basic_spec.rb
@ -79,14 +79,4 @@ describe 'openstack_project::server' do
    end
  end

-  describe command('iptables -S') do
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
-    its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
-  end
-
 end
--- a/modules/openstack_project/spec/acceptance/fixtures/default.pp
+++ b/modules/openstack_project/spec/acceptance/fixtures/default.pp
@ -1,12 +1,8 @@
-$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
 $manage_afs = $::operatingsystem ? {
  'CentOS' => false,
  default  => true
 }

 class { 'openstack_project::server':
-  iptables_public_tcp_ports => [80, 443, 29418],
-  iptables_rules6           => $iptables_rules,
-  iptables_rules4           => $iptables_rules,
  afs                       => $manage_afs,
 }
--- a/playbooks/base.yaml
+++ b/playbooks/base.yaml
@ -16,3 +16,4 @@
 - hosts: "!ci-backup:!disabled"
  roles:
    - exim
+    - iptables
--- a/playbooks/filter_plugins/init.py
+++ b/playbooks/filter_plugins/init.py
--- a/playbooks/filter_plugins/getaddrinfo.py
+++ b/playbooks/filter_plugins/getaddrinfo.py
@ -0,0 +1,41 @@
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import socket
+
+
+class FilterModule(object):
+
+    def dns(self, value, family):
+        ret = set()
+        try:
+            addr_info = socket.getaddrinfo(value, None, family)
+        except socket.gaierror:
+            return ret
+        for addr in addr_info:
+            ret.add(addr[4][0])
+        return sorted(ret)
+
+    def dns_a(self, value):
+        return self.dns(value, socket.AF_INET)
+
+    def dns_aaaa(self, value):
+        return self.dns(value, socket.AF_INET6)
+
+    def filters(self):
+        return {
+            'dns_a': self.dns_a,
+            'dns_aaaa': self.dns_aaaa,
+        }
--- a/playbooks/group_vars/afs.yaml
+++ b/playbooks/group_vars/afs.yaml
@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
--- a/playbooks/group_vars/afsdb.yaml
+++ b/playbooks/group_vars/afsdb.yaml
@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]
--- a/playbooks/group_vars/all.yaml
+++ b/playbooks/group_vars/all.yaml
@ -12,6 +12,11 @@ exim_base_aliases:
  root: "{{ exim_sysadmins }}"
 exim_aliases: "{{ exim_base_aliases|combine(exim_extra_aliases) }}"

+iptables_base_allowed_hosts:
+  - {'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'}
+iptables_extra_allowed_hosts: []
+iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:
@ -161,3 +166,10 @@ disabled_users:
  - elizabeth
  - nibz
  - slukjanov
+
+iptables_snmp_v4_hosts:
+  # cacti02.openstack.org
+  - 172.99.116.215
+iptables_snmp_v6_hosts:
+  # cacti02.openstack.org
+  - 2001:4800:7821:105:be76:4eff:fe04:b9a5
--- a/playbooks/group_vars/eavesdrop.yaml
+++ b/playbooks/group_vars/eavesdrop.yaml
@ -0,0 +1,2 @@
+iptables_public_tcp_ports:
+  - 80
--- a/playbooks/group_vars/elasticsearch.yaml
+++ b/playbooks/group_vars/elasticsearch.yaml
@ -0,0 +1,82 @@
+iptables_rule_data:
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker20.openstack.org
--- a/playbooks/group_vars/firehose.yaml
+++ b/playbooks/group_vars/firehose.yaml
@ -17,3 +17,9 @@ exim_transports:
      socket = /var/run/cyrus/socket/lmtp
      user = cyrus
      batch_max = 35
+iptables_public_tcp_ports:
+  - 25
+  - 80
+  - 443
+  - 1883
+  - 8883
--- a/playbooks/group_vars/gerrit.yaml
+++ b/playbooks/group_vars/gerrit.yaml
@ -0,0 +1,8 @@
+exim_extra_aliases:
+  gerrit2: root
+iptables_rules:
+  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 29418
--- a/playbooks/group_vars/git-loadbalancer.yaml
+++ b/playbooks/group_vars/git-loadbalancer.yaml
@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 9418
--- a/playbooks/group_vars/git-server.yaml
+++ b/playbooks/group_vars/git-server.yaml
@ -1 +1,5 @@
 ansible_python_interpreter: python2
+iptables_public_tcp_ports:
+  - 4443
+  - 8080
+  - 29418
--- a/playbooks/group_vars/graphite.yaml
+++ b/playbooks/group_vars/graphite.yaml
@ -0,0 +1,88 @@
+iptables_extra_allowed_hosts:
+  - hostname: git.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: firehose01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: mirror-update01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: logstash.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nodepool.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zuul01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze09.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze10.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze11.openstack.org
+    port: 8125
+    protocol: udp
--- a/playbooks/group_vars/kdc.yaml
+++ b/playbooks/group_vars/kdc.yaml
@ -0,0 +1,9 @@
+iptables_public_tcp_ports:
+  - 88
+  - 464
+  - 749
+  - 754
+iptables_public_udp_ports:
+  - 88
+  - 464
+  - 749
--- a/playbooks/group_vars/logstash.yaml
+++ b/playbooks/group_vars/logstash.yaml
@ -0,0 +1,103 @@
+iptables_public_tcp_ports:
+  - 80
+  - 3306
+iptables_rule_data:
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker20.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze11.openstack.org
--- a/playbooks/group_vars/mailman.yaml
+++ b/playbooks/group_vars/mailman.yaml
@ -2,3 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
+iptables_public_tcp_ports:
+  - 25
+  - 80
+  - 465
--- a/playbooks/group_vars/mirror.yaml
+++ b/playbooks/group_vars/mirror.yaml
@ -0,0 +1,5 @@
+iptables_public_tcp_ports:
+  - 80
+  - 8080
+  - 8081
+  - 8082
--- a/playbooks/group_vars/nodepool.yaml
+++ b/playbooks/group_vars/nodepool.yaml
@ -0,0 +1,26 @@
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 2181
+    hostname: nb01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl04.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: zuul01.openstack.org
+
--- a/playbooks/group_vars/ns.yaml
+++ b/playbooks/group_vars/ns.yaml
@ -0,0 +1,2 @@
+iptables_public_ports:
+  - 53
--- a/playbooks/group_vars/pbx.yaml
+++ b/playbooks/group_vars/pbx.yaml
@ -0,0 +1,7 @@
+# SIP signaling is either TCP or UDP port 5060.
+# RTP media (audio/video) uses a range of UDP ports.
+iptables_public_tcp_ports:
+  - 5060
+iptables_public_udp_ports:
+  - 5060
+  - 10000:20000
--- a/playbooks/group_vars/review-dev.yaml
+++ b/playbooks/group_vars/review-dev.yaml
@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root
--- a/playbooks/group_vars/review.yaml
+++ b/playbooks/group_vars/review.yaml
@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root
--- a/playbooks/group_vars/webservers.yaml
+++ b/playbooks/group_vars/webservers.yaml
@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 22
+  - 80
+  - 443
--- a/playbooks/group_vars/zookeeper.yaml
+++ b/playbooks/group_vars/zookeeper.yaml
@ -0,0 +1,17 @@
+iptables_extra_allowed_hosts:
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl04.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'zuul01.openstack.org'}
+  # Zookeeper election
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk03.openstack.org'}
+  # Zookeeper leader
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk03.openstack.org'}
--- a/playbooks/group_vars/zuul-executor.yaml
+++ b/playbooks/group_vars/zuul-executor.yaml
@ -0,0 +1,3 @@
+iptables_public_tcp_ports:
+  - 79
+  - 7900
--- a/playbooks/group_vars/zuul-scheduler.yaml
+++ b/playbooks/group_vars/zuul-scheduler.yaml
@ -0,0 +1,63 @@
+iptables_public_tcp_ports:
+  - 79
+  - 80
+  - 443
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 4730
+    hostname: ze01.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze02.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze03.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze04.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze05.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze06.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze07.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze08.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze09.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze10.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze11.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm01.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm02.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm03.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm04.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm05.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm06.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm07.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm08.openstack.org
+
--- a/playbooks/roles/iptables/README.rst
+++ b/playbooks/roles/iptables/README.rst
@ -0,0 +1,44 @@
+Install and configure iptables
+
+**Role Variables**
+
+.. zuul:rolevar:: iptables_allowed_hosts
+   :default: []
+
+   A list of dictionaries, each item in the list is a rule to add for
+   a host/port combination.  The format of the dictionary is:
+
+   .. zuul:rolevar:: hostname
+
+      The hostname to allow.  It will automatically be resolved, and
+      all IP addresses will be added to the firewall.
+
+   .. zuul:rolevar:: protocol
+
+      One of "tcp" or "udp".
+
+   .. zuul:rolevar:: port
+
+      The port number.
+
+.. zuul:rolevar:: iptables_public_tcp_ports
+   :default: []
+
+   A list of public TCP ports to open.
+
+.. zuul:rolevar:: iptables_public_udp_ports
+   :default: []
+
+   A list of public UDP ports to open.
+
+.. zuul:rolevar:: iptables_rules_v4
+   :default: []
+
+   A list of iptables v4 rules.  Each item is a string containing the
+   iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_rules_v6
+   :default: []
+
+   A list of iptables v6 rules.  Each item is a string containing the
+   iptables command line options for the rule.
--- a/playbooks/roles/iptables/defaults/main.yaml
+++ b/playbooks/roles/iptables/defaults/main.yaml
@ -0,0 +1,7 @@
+iptables_allowed_hosts: []
+iptables_public_ports: []
+iptables_public_tcp_ports: '{{ iptables_public_ports }}'
+iptables_public_udp_ports: '{{ iptables_public_ports }}'
+iptables_rules: []
+iptables_rules_v4: '{{ iptables_rules }}'
+iptables_rules_v6: '{{ iptables_rules }}'
--- a/playbooks/roles/iptables/handlers/main.yaml
+++ b/playbooks/roles/iptables/handlers/main.yaml
@ -0,0 +1,11 @@
+- name: Reload iptables Debian
+  import_tasks: tasks/reload-debian.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'Debian'
+
+- name: Reload iptables RedHat
+  import_tasks: tasks/reload-redhat.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'RedHat'
--- a/playbooks/roles/iptables/tasks/RedHat.yaml
+++ b/playbooks/roles/iptables/tasks/RedHat.yaml
@ -0,0 +1,11 @@
+- name: Disable firewalld
+  service:
+    name: firewalld
+    enabled: no
+    state: stopped
+  failed_when: false
+
+- name: Ensure firewalld is removed
+  package:
+    name: firewalld
+    state: absent
--- a/playbooks/roles/iptables/tasks/main.yaml
+++ b/playbooks/roles/iptables/tasks/main.yaml
@ -0,0 +1,54 @@
+- name: Include OS-specific variables
+  include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      paths:
+        - 'vars'
+
+- name: Install iptables
+  package:
+    name: '{{ package_name }}'
+    state: present
+
+- name: Ensure iptables rules directory
+  file:
+    state: directory
+    path: '{{ rules_dir }}'
+
+- name: Install IPv4 rules files
+  template:
+    src: rules.v4.j2
+    dest: '{{ ipv4_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables Debian
+    - Reload iptables RedHat
+
+- name: Install IPv6 rules files
+  template:
+    src: rules.v6.j2
+    dest: '{{ ipv6_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables Debian
+    - Reload iptables RedHat
+
+- name: Include OS specific tasks
+  include_tasks: "{{ item }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      skip: true
+  loop: "{{ query('first_found', params) }}"
+
+- name: Enable iptables service
+  service:
+    name: '{{ service_name }}'
+    enabled: true
--- a/playbooks/roles/iptables/tasks/reload-debian.yaml
+++ b/playbooks/roles/iptables/tasks/reload-debian.yaml
@ -0,0 +1,2 @@
+- name: Reload iptables (Debian)
+  command: '{{ reload_command }}'
--- a/playbooks/roles/iptables/tasks/reload-redhat.yaml
+++ b/playbooks/roles/iptables/tasks/reload-redhat.yaml
@ -0,0 +1,5 @@
+- name: Reload iptables (Red Hat)
+  command: 'systemctl reload iptables'
+
+- name: Reload ip6tables (Red Hat)
+  command: 'systemctl reload ip6tables'
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v4 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_a -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@ -0,0 +1,30 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v6 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_aaaa -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
--- a/playbooks/roles/iptables/vars/Debian.yaml
+++ b/playbooks/roles/iptables/vars/Debian.yaml
@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: netfilter-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /usr/sbin/netfilter-persistent start
--- a/playbooks/roles/iptables/vars/RedHat.yaml
+++ b/playbooks/roles/iptables/vars/RedHat.yaml
@ -0,0 +1,6 @@
+package_name: iptables-services
+service_name: iptables
+rules_dir: /etc/sysconfig
+ipv4_rules: /etc/sysconfig/iptables
+ipv6_rules: /etc/sysconfig/ip6tables
+setype: 'etc_t'
--- a/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml
+++ b/playbooks/roles/iptables/vars/Ubuntu.trusty.yaml
@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: iptables-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /etc/init.d/iptables-persistent reload
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@ -12,6 +12,20 @@
 # License for the specific language governing permissions and limitations
 # under the License.

+import socket
+
+
+def get_ips(value, family=None):
+    ret = set()
+    try:
+        addr_info = socket.getaddrinfo(value, None, family)
+    except socket.gaierror:
+        return ret
+    for addr in addr_info:
+        ret.add(addr[4][0])
+    return ret
+
+
 def test_exim_is_installed(host):
    if host.system_info.distribution in ['ubuntu', 'debian']:
        exim = host.package("exim4-base")
@ -21,3 +35,36 @@ def test_exim_is_installed(host):

    cmd = host.run("exim -bt root")
    assert cmd.rc == 0
+
+
+def test_iptables(host):
+    rules = host.iptables.rules()
+    rules = [x.strip() for x in rules]
+
+    start = [
+        '-P INPUT ACCEPT',
+        '-P FORWARD ACCEPT',
+        '-P OUTPUT ACCEPT',
+        '-N openstack-INPUT',
+        '-A INPUT -j openstack-INPUT',
+        '-A openstack-INPUT -i lo -j ACCEPT',
+        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
+        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
+        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+    ]
+    assert rules[:len(start)] == start
+
+    reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
+    assert reject in rules
+
+    # Make sure that the zuul console stream rule has been removed
+    # from the test node
+    zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
+            ' -m tcp --dport 19885 -j ACCEPT')
+    assert zuul not in rules
+
+    # Ensure all IPv4 addresses for cacti are allowed
+    for ip in get_ips('cacti.openstack.org', socket.AF_INET):
+        snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
+                ' --dport 161 -j ACCEPT' % ip)
+        assert snmp in rules
				`@ -0,0 +1 @@`
				`iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]`