Add iptables role

Co-Authored-By: James E. Blair <corvus@inaugust.com>
Change-Id: Id8b347483affd710759f9b225bfadb3ce851333c
Depends-On: https://review.openstack.org/596503

hiera/common.yaml

@@ -6,68 +6,6 @@ elasticsearch_nodes:
 - elasticsearch05.openstack.org
 - elasticsearch06.openstack.org
 - elasticsearch07.openstack.org
-elasticsearch_iptables_rule_data:
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch02.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch03.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch04.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch05.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch06.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'elasticsearch07.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker01.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker02.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker03.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker04.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker05.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker06.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker07.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker08.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker09.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker10.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker11.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker12.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker13.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker14.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker15.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker16.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker17.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker18.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker19.openstack.org'}
-- {protocol: 'tcp', port: '9200:9400', hostname: 'logstash-worker20.openstack.org'}
-logstash_iptables_rule_data:
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker03.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker04.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker05.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker06.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker07.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker08.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker09.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker10.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker11.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker12.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker13.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker14.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker15.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker16.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker17.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker18.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker19.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'logstash-worker20.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'subunit-worker02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze01.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze02.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze03.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze04.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze05.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze06.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze07.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze08.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze09.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze10.openstack.org'}
-- {protocol: 'tcp', port: '4730', hostname: 'ze11.openstack.org'}
 infra_apache_serveradmin: noc@openstack.org
 statusbot_channels:
 - airshipit

inventory/groups.yaml

@@ -2,6 +2,7 @@ plugin: constructed
 groups:
   adns: inventory_hostname.startswith('adns')
   afs: inventory_hostname is match('afs\d+.*openstack.org')
+  afs-client: inventory_hostname is match('(review-dev\d*|mirror\d*\..*|files\d*|ze\d+|afsdb.*|afs.*\..*)\.openstack\.org')
   afsadmin: inventory_hostname is match('mirror-update\d+\.openstack\.org')
   afsdb: inventory_hostname is match('afsdb.*openstack.org')
   ask: inventory_hostname.startswith('ask')
@@ -11,21 +12,31 @@ groups:
   eavesdrop: inventory_hostname.startswith('eavesdrop')
   elasticsearch: inventory_hostname is match('elasticsearch0[1-7]\.openstack\.org')
   ethercalc: inventory_hostname.startswith('ethercalc')
+  etherpad: inventory_hostname.startswith('etherpad')
   files: inventory_hostname.startswith('files')
   firehose: inventory_hostname.startswith('firehose')
   futureparser: inventory_hostname is match('(review-dev\d*|groups\d*|groups-dev\d*|graphite\d*|etherpad-dev\d*|ask-staging\d*|codesearch\d*)\.openstack\.org')
+  gerrit: inventory_hostname is match('review.*\.openstack\.org')
   git-loadbalancer: inventory_hostname is match('git(-fe\d+)?\.openstack\.org')
   git-server: inventory_hostname is match('git\d+\.openstack\.org')
   grafana: inventory_hostname.startswith('grafana')
-  groups: inventory_hostname.regex_match('groups(-dev)?\d*\.openstack\.org')
+  graphite: inventory_hostname.startswith('graphite')
+  groups: inventory_hostname is match('groups(-dev)?\d*\.openstack\.org')
+  health: inventory_hostname.startswith('health')
+  kdc: inventory_hostname.startswith('kdc')
+  logstash: inventory_hostname is match('logstash\d*\.openstack\.org')
   logstash-worker: inventory_hostname.startswith('logstash-worker')
   mailman: inventory_hostname.startswith('lists')
-  nodepool: inventory_hostname is match('^(nodepool|nb|nl)')
+  mirror: inventory_hostname is match('mirror\d*\..*\.openstack\.org')
+  nodepool: inventory_hostname is match('(nodepool|nb|nl)')
   ns: inventory_hostname.startswith('ns')
   paste: inventory_hostname.startswith('paste')
+  pbx: inventory_hostname.startswith('pbx')
   puppet: not inventory_hostname.startswith('bridge')
+  refstack: inventory_hostname.startswith('refstack')
   review-dev: inventory_hostname is match('review-dev\d+\.openstack\.org')
   review: inventory_hostname is match('review\d+\.openstack\.org')
+  static: inventory_hostname.startswith('static')
   status: inventory_hostname.startswith('status')
   storyboard: inventory_hostname.startswith('storyboard')
   storyboard-dev: inventory_hostname is match('storyboard-dev\d*\.openstack\.org')
@@ -33,8 +44,10 @@ groups:
   survey: inventory_hostname.startswith('survey')
   translate-dev: inventory_hostname is match('translate-dev\d+\.openstack\.org')
   translate: inventory_hostname is match('translate\d+\.openstack\.org')
+  webservers: inventory_hostname is match('(grafana\d*|health\d*|graphite\d*|groups\d*|groups-dev\d*|eavesdrop\d*|paste\d*|ethercalc\d+|etherpad\d*|etherpad-dev\d*|files\d*|refstack\d*|static\d*|status\d*|survey\d+|nodepool|nl\d+|nb\d+|zm\d+|ask|ask-staging|translate.*|codesearch\d*|cacti\d+|wiki.*|storyboard.*|openstackid-dev|planet)\.openstack\.org|openstackid.org')
   wiki-dev: inventory_hostname is match('wiki-dev\d+\.openstack\.org')
   wiki: inventory_hostname is match('wiki\d+\.openstack\.org')
+  zookeeper: inventory_hostname.startswith('zk')
   zuul-executor: inventory_hostname.startswith('ze')
   zuul-merger: inventory_hostname is match('z[lm](static)?\d+\.openstack\.org')
   zuul-scheduler: inventory_hostname.startswith('zuul')

manifests/site.pp

@@ -20,13 +20,7 @@ node default {
 #
 # Node-OS: xenial
 node 'review.openstack.org' {
-  $iptables_rules =
+  class { 'openstack_project::server': }
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
-  }
 
   class { 'openstack_project::review':
     project_config_repo                 => 'https://git.openstack.org/openstack-infra/project-config',
@@ -66,13 +60,7 @@ node 'review.openstack.org' {
 node 'review01.openstack.org' {
   $group = "review"
 
-  $iptables_rules =
+  class { 'openstack_project::server': }
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
-  }
 
   class { 'openstack_project::review':
     project_config_repo                 => 'https://git.openstack.org/openstack-infra/project-config',
@@ -112,12 +100,7 @@ node 'review01.openstack.org' {
 node /^review-dev\d*\.openstack\.org$/ {
   $group = "review-dev"
 
-  $iptables_rules =
-    ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443, 29418],
-    iptables_rules6           => $iptables_rules,
-    iptables_rules4           => $iptables_rules,
     afs                       => true,
   }
 
@@ -148,9 +131,7 @@ node /^review-dev\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^grafana\d*\.openstack\.org$/ {
   $group = "grafana"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
   class { 'openstack_project::grafana':
     admin_password      => hiera('grafana_admin_password'),
     admin_user          => hiera('grafana_admin_user', 'username'),
@@ -166,9 +147,7 @@ node /^grafana\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^health\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
   class { 'openstack_project::openstack_health_api':
     subunit2sql_db_host => hiera('subunit2sql_db_host', 'localhost'),
   }
@@ -187,7 +166,6 @@ node /^cacti\d+\.openstack\.org$/ {
 # Node-OS: trusty
 node 'puppetmaster.openstack.org' {
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [8140],
     pin_puppet                => '3.6.',
   }
   class { 'openstack_project::puppetmaster':
@@ -206,40 +184,7 @@ node 'puppetmaster.openstack.org' {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^graphite\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-    iptables_allowed_hosts    => [
-      {protocol => 'udp', port => '8125', hostname => 'git.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'firehose01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'mirror-update01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'logstash.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nodepool.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'nl04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zuul01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm05.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm06.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm07.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'zm08.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze01.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze02.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze03.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze04.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze05.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze06.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze07.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze08.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze09.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze10.openstack.org'},
-      {protocol => 'udp', port => '8125', hostname => 'ze11.openstack.org'},
-    ],
-  }
 
   class { '::graphite':
     graphite_admin_user     => hiera('graphite_admin_user', 'username'),
@@ -251,9 +196,7 @@ node /^graphite\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^groups\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
   class { 'openstack_project::groups':
     site_admin_password          => hiera('groups_site_admin_password'),
     site_mysql_host              => hiera('groups_site_mysql_host', 'localhost'),
@@ -268,9 +211,7 @@ node /^groups\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^groups-dev\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
   class { 'openstack_project::groups_dev':
     site_admin_password          => hiera('groups_dev_site_admin_password'),
     site_mysql_host              => hiera('groups_dev_site_mysql_host', 'localhost'),
@@ -286,9 +227,7 @@ node /^groups-dev\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^lists\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [25, 80, 465],
-  }
 
   class { 'openstack_project::lists':
     listpassword => hiera('listpassword'),
@@ -297,9 +236,7 @@ node /^lists\d*\.openstack\.org$/ {
 
 # Node-OS: xenial
 node /^lists\d*\.katacontainers\.io$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [25, 80, 465],
-  }
 
   class { 'openstack_project::kata_lists':
     listpassword => hiera('listpassword'),
@@ -310,9 +247,7 @@ node /^lists\d*\.katacontainers\.io$/ {
 node /^paste\d*\.openstack\.org$/ {
   $group = "paste"
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
   class { 'openstack_project::paste':
     db_password         => hiera('paste_db_password'),
     db_host             => hiera('paste_db_host'),
@@ -329,9 +264,7 @@ node /planet\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^eavesdrop\d*\.openstack\.org$/ {
   $group = "eavesdrop"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
 
   class { 'openstack_project::eavesdrop':
     project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
@@ -368,9 +301,7 @@ node /^eavesdrop\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^ethercalc\d+\.openstack\.org$/ {
   $group = "ethercalc"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::ethercalc':
     vhost_name              => 'ethercalc.openstack.org',
@@ -383,9 +314,7 @@ node /^ethercalc\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^etherpad\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::etherpad':
     ssl_cert_file_contents  => hiera('etherpad_ssl_cert_file_contents'),
@@ -400,9 +329,7 @@ node /^etherpad\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^etherpad-dev\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::etherpad_dev':
     mysql_host          => hiera('etherpad-dev_db_host', 'localhost'),
@@ -454,10 +381,7 @@ node /^wiki-dev\d+\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^logstash\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 3306],
-    iptables_allowed_hosts    => hiera_array('logstash_iptables_rule_data'),
-  }
 
   class { 'openstack_project::logstash':
     discover_nodes      => [
@@ -477,9 +401,7 @@ node /^logstash\d*\.openstack\.org$/ {
 node /^logstash-worker\d+\.openstack\.org$/ {
   $group = 'logstash-worker'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22],
-  }
 
   class { 'openstack_project::logstash_worker':
     discover_node         => 'elasticsearch03.openstack.org',
@@ -492,9 +414,7 @@ node /^logstash-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^subunit-worker\d+\.openstack\.org$/ {
   $group = "subunit-worker"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22],
-  }
   class { 'openstack_project::subunit_worker':
     subunit2sql_db_host   => hiera('subunit2sql_db_host', ''),
     subunit2sql_db_pass   => hiera('subunit2sql_db_password', ''),
@@ -506,10 +426,7 @@ node /^subunit-worker\d+\.openstack\.org$/ {
 # Node-OS: xenial
 node /^elasticsearch0[1-7]\.openstack\.org$/ {
   $group = "elasticsearch"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22],
-    iptables_allowed_hosts    => hiera_array('elasticsearch_iptables_rule_data'),
-  }
   class { 'openstack_project::elasticsearch_node':
     discover_nodes => $elasticsearch_nodes,
   }
@@ -517,12 +434,7 @@ node /^elasticsearch0[1-7]\.openstack\.org$/ {
 
 # Node-OS: xenial
 node /^firehose\d+\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    # NOTE(mtreinish) Port 80 and 8080 are disabled because websocket
-    # connections seem to crash mosquitto. Once this is fixed we should add
-    # them back
-    iptables_public_tcp_ports => [22, 25, 80, 1883, 8883, 443],
-  }
   class { 'openstack_project::firehose':
     gerrit_ssh_host_key => hiera('gerrit_ssh_rsa_pubkey_contents'),
     gerrit_public_key   => hiera('germqtt_gerrit_ssh_public_key'),
@@ -572,9 +484,7 @@ node /^git(-fe\d+)?\.openstack\.org$/ {
 node /^git\d+\.openstack\.org$/ {
   $group = "git-server"
   include openstack_project
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [4443, 8080, 29418],
-  }
 
   class { 'openstack_project::git_backend':
     project_config_repo                     => 'https://git.openstack.org/openstack-infra/project-config',
@@ -621,7 +531,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
   $group = "mirror"
 
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80, 8080, 8081, 8082],
     afs                       => true,
     afs_cache_size            => 50000000,  # 50GB
   }
@@ -637,7 +546,6 @@ node /^mirror\d*\..*\.openstack\.org$/ {
 node /^files\d*\.openstack\.org$/ {
   $group = "files"
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [80, 443],
     afs                       => true,
     afs_cache_size            => 10000000,  # 10GB
   }
@@ -666,9 +574,7 @@ node /^files\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^refstack\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
   class { 'refstack':
     mysql_host          => hiera('refstack_mysql_host', 'localhost'),
     mysql_database      => hiera('refstack_mysql_db_name', 'refstack'),
@@ -750,9 +656,7 @@ node /^storyboard-dev\d*\.openstack\.org$/ {
 # Node-OS: trusty
 # Node-OS: xenial
 node /^static\d*\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
   class { 'openstack_project::static':
     project_config_repo     => 'https://git.openstack.org/openstack-infra/project-config',
     swift_authurl           => 'https://identity.api.rackspacecloud.com/v2.0/',
@@ -769,27 +673,7 @@ node /^static\d*\.openstack\.org$/ {
 
 # Node-OS: xenial
 node /^zk\d+\.openstack\.org$/ {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_allowed_hosts    => [
-      # Zookeeper clients
-      {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
-      # Zookeeper election
-      {protocol => 'tcp', port => '2888', hostname => 'zk01.openstack.org'},
-      {protocol => 'tcp', port => '2888', hostname => 'zk02.openstack.org'},
-      {protocol => 'tcp', port => '2888', hostname => 'zk03.openstack.org'},
-      # Zookeeper leader
-      {protocol => 'tcp', port => '3888', hostname => 'zk01.openstack.org'},
-      {protocol => 'tcp', port => '3888', hostname => 'zk02.openstack.org'},
-      {protocol => 'tcp', port => '3888', hostname => 'zk03.openstack.org'},
-    ],
-  }
 
   class { '::zookeeper':
     # ID needs to be numeric, so we use regex to extra numbers from fqdn.
@@ -810,9 +694,7 @@ node /^zk\d+\.openstack\.org$/ {
 node /^status\d*\.openstack\.org$/ {
   $group = 'status'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::status':
     gerrit_host                   => 'review.openstack.org',
@@ -829,9 +711,7 @@ node /^status\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^survey\d+\.openstack\.org$/ {
   $group = "survey"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::survey':
     vhost_name              => 'survey.openstack.org',
@@ -853,12 +733,7 @@ node /^survey\d+\.openstack\.org$/ {
 node /^adns\d+\.openstack\.org$/ {
   $group = 'adns'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '53', hostname => 'ns1.openstack.org'},
-      {protocol => 'tcp', port => '53', hostname => 'ns2.openstack.org'},
-    ],
-  }
 
   class { 'openstack_project::master_nameserver':
     tsig_key => hiera('tsig_key', {}),
@@ -872,10 +747,7 @@ node /^adns\d+\.openstack\.org$/ {
 node /^ns\d+\.openstack\.org$/ {
   $group = 'ns'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_udp_ports => [53],
-    iptables_public_tcp_ports => [53],
-  }
 
   $tsig_key = hiera('tsig_key', {})
   if $tsig_key != {} {
@@ -905,19 +777,7 @@ node /^ns\d+\.openstack\.org$/ {
 node 'nodepool.openstack.org' {
   $group = 'nodepool'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '2181', hostname => 'nb01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nb03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl01.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl02.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl03.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'nl04.openstack.org'},
-      {protocol => 'tcp', port => '2181', hostname => 'zuul01.openstack.org'},
-    ],
-    iptables_public_tcp_ports => [80],
-  }
 
   class { '::zookeeper':
     # The frequency in hours to look for and purge old snapshots,
@@ -968,9 +828,7 @@ node /^nl\d+\.openstack\.org$/ {
   $packethost_project             = hiera('nodepool_packethost_project', 'project')
   $clouds_yaml                    = template("openstack_project/nodepool/clouds.yaml.erb")
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
 
   include openstack_project
 
@@ -1030,9 +888,7 @@ node /^nb\d+\.openstack\.org$/ {
   $packethost_project             = hiera('nodepool_packethost_project', 'project')
   $clouds_yaml                   = template("openstack_project/nodepool/clouds.yaml.erb")
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   include openstack_project
 
@@ -1085,7 +941,6 @@ node /^ze\d+\.openstack\.org$/ {
   $revision                = 'master'
 
   class { 'openstack_project::server':
-    iptables_public_tcp_ports => [79, 7900],
     afs                       => true,
   }
 
@@ -1177,30 +1032,7 @@ node /^zuul\d+\.openstack\.org$/ {
   $git_name             = 'OpenStack Zuul'
   $revision             = 'master'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [79, 80, 443],
-    iptables_allowed_hosts    => [
-      {protocol => 'tcp', port => '4730', hostname => 'ze01.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze02.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze03.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze04.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze05.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze06.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze07.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze08.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze09.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze10.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'ze11.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm01.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm02.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm03.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm04.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm05.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm06.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm07.openstack.org'},
-      {protocol => 'tcp', port => '4730', hostname => 'zm08.openstack.org'},
-    ],
-  }
 
   class { '::project_config':
     url => 'https://git.openstack.org/openstack-infra/project-config',
@@ -1288,9 +1120,7 @@ node /^zm\d+.openstack\.org$/ {
   $git_name             = 'OpenStack Zuul'
   $revision             = 'master'
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
 
   # NOTE(pabelanger): We call ::zuul directly, so we can override all in one
   # settings.
@@ -1323,12 +1153,7 @@ node /^zm\d+.openstack\.org$/ {
 
 # Node-OS: trusty
 node 'pbx.openstack.org' {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    # SIP signaling is either TCP or UDP port 5060.
-    # RTP media (audio/video) uses a range of UDP ports.
-    iptables_public_tcp_ports => [5060],
-    iptables_public_udp_ports => ['5060', '10000:20000'],
-  }
   class { 'openstack_project::pbx':
     sip_providers => [
       {
@@ -1346,9 +1171,7 @@ node 'pbx.openstack.org' {
 # A backup machine.  Don't run cron or puppet agent on it.
 node /^backup\d+\..*\.ci\.openstack\.org$/ {
   $group = "ci-backup"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [],
-  }
   include openstack_project::backup_server
 }
 
@@ -1417,20 +1240,14 @@ node 'single-node-ci.test.only' {
 
 # Node-OS: trusty
 node 'kdc01.openstack.org' {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [88, 464, 749, 754],
-    iptables_public_udp_ports => [88, 464, 749],
-  }
 
   class { 'openstack_project::kdc': }
 }
 
 # Node-OS: xenial
 node 'kdc04.openstack.org' {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [88, 464, 749, 754],
-    iptables_public_udp_ports => [88, 464, 749],
-  }
 
   class { 'openstack_project::kdc':
     slave => true,
@@ -1442,7 +1259,6 @@ node 'afsdb01.openstack.org' {
   $group = "afsdb"
 
   class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
     afs                       => true,
   }
 
@@ -1455,7 +1271,6 @@ node /^afsdb.*\.openstack\.org$/ {
   $group = "afsdb"
 
   class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
     afs                       => true,
   }
 
@@ -1467,7 +1282,6 @@ node /^afs.*\..*\.openstack\.org$/ {
   $group = "afs"
 
   class { 'openstack_project::server':
-    iptables_public_udp_ports => [7000,7002,7003,7004,7005,7006,7007],
     afs                       => true,
   }
 
@@ -1477,9 +1291,7 @@ node /^afs.*\..*\.openstack\.org$/ {
 # Node-OS: trusty
 node 'ask.openstack.org' {
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::ask':
     db_user                      => hiera('ask_db_user', 'ask'),
@@ -1493,9 +1305,7 @@ node 'ask.openstack.org' {
 
 # Node-OS: trusty
 node 'ask-staging.openstack.org' {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [22, 80, 443],
-  }
 
   class { 'openstack_project::ask_staging':
     db_password                  => hiera('ask_staging_db_password'),
@@ -1507,9 +1317,7 @@ node 'ask-staging.openstack.org' {
 # Node-OS: xenial
 node /^translate\d+\.openstack\.org$/ {
   $group = "translate"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
   class { 'openstack_project::translate':
     admin_users                => 'aeng,cboylan,eumel8,ianw,ianychoi,infra,jaegerandi,mordred,stevenk',
     openid_url                 => 'https://openstackid.org',
@@ -1555,9 +1363,7 @@ node /^translate-dev\d*\.openstack\.org$/ {
 # Node-OS: xenial
 node /^codesearch\d*\.openstack\.org$/ {
   $group = "codesearch"
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
   class { 'openstack_project::codesearch':
     project_config_repo => 'https://git.openstack.org/openstack-infra/project-config',
   }

modules/openstack_project/manifests/cacti.pp

@@ -8,9 +8,7 @@ class openstack_project::cacti (
     fail("${::osfamily} is not supported.")
   }
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   class { '::apache':
     default_vhost => false,

modules/openstack_project/manifests/git.pp

@@ -20,9 +20,7 @@ class openstack_project::git (
   $balancer_member_ips = [],
   $selinux_mode = 'enforcing'
 ) {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443, 9418],
-  }
 
   if ($::osfamily == 'RedHat') {
     class { 'selinux':

modules/openstack_project/manifests/openstackid_dev.pp

@@ -61,9 +61,7 @@ class openstack_project::openstackid_dev (
   $session_cookie_secure = false,
 ) {
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   class { 'openstackid':
     site_admin_password        => $site_admin_password,

modules/openstack_project/manifests/openstackid_prod.pp

@@ -62,9 +62,7 @@ class openstack_project::openstackid_prod (
   $session_cookie_secure = false,
 ) {
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   class { 'openstackid':
     site_admin_password        => $site_admin_password,

modules/openstack_project/manifests/planet.pp

@@ -2,9 +2,7 @@
 #
 class openstack_project::planet (
 ) {
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80],
-  }
   include ::planet
 
   planet::site { 'openstack':

modules/openstack_project/manifests/server.pp

@@ -2,11 +2,6 @@
 #
 # A server that we expect to run for some time
 class openstack_project::server (
-  $iptables_public_tcp_ports = [],
-  $iptables_public_udp_ports = [],
-  $iptables_rules4           = [],
-  $iptables_rules6           = [],
-  $iptables_allowed_hosts    = [],
   $pin_puppet                = '3.',
   $ca_server                 = undef,
   $enable_unbound            = true,
@@ -49,10 +44,6 @@ class openstack_project::server (
         'kdc04.openstack.org',
       ],
     }
-    $all_udp = concat(
-      $iptables_public_udp_ports, [7001])
-  } else {
-    $all_udp = $iptables_public_udp_ports
   }
 
   class { 'openstack_project::automatic_upgrades':
@@ -61,20 +52,4 @@ class openstack_project::server (
 
   include snmpd
 
-  $snmp_v4hosts = [
-    '172.99.116.215', # cacti02.openstack.org
-  ]
-  $snmp_v6hosts = [
-    '2001:4800:7821:105:be76:4eff:fe04:b9a5', # cacti02.opentsack.org
-  ]
-  class { 'iptables':
-    public_tcp_ports => $iptables_public_tcp_ports,
-    public_udp_ports => $all_udp,
-    rules4           => $iptables_rules4,
-    rules6           => $iptables_rules6,
-    snmp_v4hosts     => $snmp_v4hosts,
-    snmp_v6hosts     => $snmp_v6hosts,
-    allowed_hosts    => $iptables_allowed_hosts,
-  }
-
 }

modules/openstack_project/manifests/storyboard.pp

@@ -26,9 +26,7 @@ class openstack_project::storyboard(
     url  => $project_config_repo,
   }
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
 
   mysql_backup::backup_remote { 'storyboard':

modules/openstack_project/manifests/summit.pp

@@ -1,8 +0,0 @@
-class openstack_project::summit (
-) {
-  class { 'openstack_project::server':
-    iptables_public_tcp_ports => [22, 80],
-  }
-}
-
-# vim:sw=2:ts=2:expandtab:textwidth=79

modules/openstack_project/manifests/translate_dev.pp

@@ -35,9 +35,7 @@ class openstack_project::translate_dev(
   $from_address,
   ) {
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   class { 'project_config':
     url  => $project_config_repo,

modules/openstack_project/manifests/wiki.pp

@@ -23,9 +23,7 @@ class openstack_project::wiki (
     ensure => present;
   }
 
-  class { 'openstack_project::server':
+  class { 'openstack_project::server': }
-    iptables_public_tcp_ports => [80, 443],
-  }
 
   class { 'mediawiki':
     role                       => 'all',

modules/openstack_project/spec/acceptance/basic_spec.rb

@@ -79,14 +79,4 @@ describe 'openstack_project::server' do
     end
   end
 
-  describe command('iptables -S') do
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -s 172.99.116.215/32 -p udp -m udp --dport 161 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 29418 -j ACCEPT') }
-    its(:stdout) { should contain('-A openstack-INPUT -p tcp -m tcp --dport 29418 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 100 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with icmp-port-unreachable') }
-    its(:stdout) { should contain('-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited') }
-  end
-
 end

modules/openstack_project/spec/acceptance/fixtures/default.pp

@@ -1,12 +1,8 @@
-$iptables_rules = ['-p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT']
 $manage_afs = $::operatingsystem ? {
   'CentOS' => false,
   default  => true
 }
 
 class { 'openstack_project::server':
-  iptables_public_tcp_ports => [80, 443, 29418],
-  iptables_rules6           => $iptables_rules,
-  iptables_rules4           => $iptables_rules,
   afs                       => $manage_afs,
 }

playbooks/base.yaml

@@ -16,3 +16,4 @@
 - hosts: "!ci-backup:!disabled"
   roles:
     - exim
+    - iptables

playbooks/filter_plugins/getaddrinfo.py

@@ -0,0 +1,41 @@
+# Copyright (c) 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import socket
+
+
+class FilterModule(object):
+
+    def dns(self, value, family):
+        ret = set()
+        try:
+            addr_info = socket.getaddrinfo(value, None, family)
+        except socket.gaierror:
+            return ret
+        for addr in addr_info:
+            ret.add(addr[4][0])
+        return sorted(ret)
+
+    def dns_a(self, value):
+        return self.dns(value, socket.AF_INET)
+
+    def dns_aaaa(self, value):
+        return self.dns(value, socket.AF_INET6)
+
+    def filters(self):
+        return {
+            'dns_a': self.dns_a,
+            'dns_aaaa': self.dns_aaaa,
+        }

playbooks/group_vars/afs.yaml

@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/afsdb.yaml

@@ -0,0 +1 @@
+iptables_public_udp_ports: [7000,7001,7002,7003,7004,7005,7006,7007]

playbooks/group_vars/all.yaml

@@ -12,6 +12,11 @@ exim_base_aliases:
   root: "{{ exim_sysadmins }}"
 exim_aliases: "{{ exim_base_aliases|combine(exim_extra_aliases) }}"
 
+iptables_base_allowed_hosts:
+  - {'protocol': 'udp', 'port': 161, 'hostname': 'cacti.openstack.org'}
+iptables_extra_allowed_hosts: []
+iptables_allowed_hosts: "{{ iptables_base_allowed_hosts + iptables_extra_allowed_hosts }}"
+
 # When adding new users, always pick a UID larger than the last UID, do not
 # fill in holes in the middle of the range.
 all_users:
@@ -161,3 +166,10 @@ disabled_users:
   - elizabeth
   - nibz
   - slukjanov
+
+iptables_snmp_v4_hosts:
+  # cacti02.openstack.org
+  - 172.99.116.215
+iptables_snmp_v6_hosts:
+  # cacti02.openstack.org
+  - 2001:4800:7821:105:be76:4eff:fe04:b9a5

playbooks/group_vars/eavesdrop.yaml

@@ -0,0 +1,2 @@
+iptables_public_tcp_ports:
+  - 80

playbooks/group_vars/elasticsearch.yaml

@@ -0,0 +1,82 @@
+iptables_rule_data:
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: elasticsearch07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: 9200:9400
+    hostname: logstash-worker20.openstack.org

playbooks/group_vars/firehose.yaml

@@ -17,3 +17,9 @@ exim_transports:
       socket = /var/run/cyrus/socket/lmtp
       user = cyrus
       batch_max = 35
+iptables_public_tcp_ports:
+  - 25
+  - 80
+  - 443
+  - 1883
+  - 8883

playbooks/group_vars/gerrit.yaml

@@ -0,0 +1,8 @@
+exim_extra_aliases:
+  gerrit2: root
+iptables_rules:
+  - -p tcp --syn --dport 29418 -m connlimit --connlimit-above 100 -j REJECT
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 29418

playbooks/group_vars/git-loadbalancer.yaml

@@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 80
+  - 443
+  - 9418

playbooks/group_vars/git-server.yaml

@@ -1 +1,5 @@
 ansible_python_interpreter: python2
+iptables_public_tcp_ports:
+  - 4443
+  - 8080
+  - 29418

playbooks/group_vars/graphite.yaml

@@ -0,0 +1,88 @@
+iptables_extra_allowed_hosts:
+  - hostname: git.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: firehose01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: mirror-update01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: logstash.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nodepool.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: nl04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zuul01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: zm08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze01.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze02.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze03.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze04.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze05.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze06.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze07.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze08.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze09.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze10.openstack.org
+    port: 8125
+    protocol: udp
+  - hostname: ze11.openstack.org
+    port: 8125
+    protocol: udp

playbooks/group_vars/kdc.yaml

@@ -0,0 +1,9 @@
+iptables_public_tcp_ports:
+  - 88
+  - 464
+  - 749
+  - 754
+iptables_public_udp_ports:
+  - 88
+  - 464
+  - 749

playbooks/group_vars/logstash.yaml

@@ -0,0 +1,103 @@
+iptables_public_tcp_ports:
+  - 80
+  - 3306
+iptables_rule_data:
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker11.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker12.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker13.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker14.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker15.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker16.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker17.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker18.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker19.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: logstash-worker20.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: subunit-worker02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze01.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze02.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze03.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze04.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze05.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze06.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze07.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze08.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze09.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze10.openstack.org
+  - protocol: tcp
+    port: '4730'
+    hostname: ze11.openstack.org

playbooks/group_vars/mailman.yaml

@@ -2,3 +2,7 @@ exim_queue_interval: '1m'
 exim_queue_run_max: '50'
 exim_smtp_accept_max: '100'
 exim_smtp_accept_max_per_host: '10'
+iptables_public_tcp_ports:
+  - 25
+  - 80
+  - 465

playbooks/group_vars/mirror.yaml

@@ -0,0 +1,5 @@
+iptables_public_tcp_ports:
+  - 80
+  - 8080
+  - 8081
+  - 8082

playbooks/group_vars/nodepool.yaml

@@ -0,0 +1,26 @@
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 2181
+    hostname: nb01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nb03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl01.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl02.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl03.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: nl04.openstack.org
+  - protocol: tcp
+    port: 2181
+    hostname: zuul01.openstack.org
+

playbooks/group_vars/ns.yaml

@@ -0,0 +1,2 @@
+iptables_public_ports:
+  - 53

playbooks/group_vars/pbx.yaml

@@ -0,0 +1,7 @@
+# SIP signaling is either TCP or UDP port 5060.
+# RTP media (audio/video) uses a range of UDP ports.
+iptables_public_tcp_ports:
+  - 5060
+iptables_public_udp_ports:
+  - 5060
+  - 10000:20000

playbooks/group_vars/review-dev.yaml

@@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root

playbooks/group_vars/review.yaml

@@ -1,2 +0,0 @@
-exim_extra_aliases:
-  gerrit2: root

playbooks/group_vars/webservers.yaml

@@ -0,0 +1,4 @@
+iptables_public_tcp_ports:
+  - 22
+  - 80
+  - 443

playbooks/group_vars/zookeeper.yaml

@@ -0,0 +1,17 @@
+iptables_extra_allowed_hosts:
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nb03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl03.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'nl04.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2181', 'hostname': 'zuul01.openstack.org'}
+  # Zookeeper election
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '2888', 'hostname': 'zk03.openstack.org'}
+  # Zookeeper leader
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk01.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk02.openstack.org'}
+  - {'protocol': 'tcp', 'port': '3888', 'hostname': 'zk03.openstack.org'}

playbooks/group_vars/zuul-executor.yaml

@@ -0,0 +1,3 @@
+iptables_public_tcp_ports:
+  - 79
+  - 7900

playbooks/group_vars/zuul-scheduler.yaml

@@ -0,0 +1,63 @@
+iptables_public_tcp_ports:
+  - 79
+  - 80
+  - 443
+iptables_extra_allowed_hosts:
+  - protocol: tcp
+    port: 4730
+    hostname: ze01.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze02.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze03.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze04.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze05.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze06.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze07.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze08.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze09.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze10.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: ze11.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm01.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm02.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm03.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm04.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm05.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm06.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm07.openstack.org
+  - protocol: tcp
+    port: 4730
+    hostname: zm08.openstack.org
+

playbooks/roles/iptables/README.rst

@@ -0,0 +1,44 @@
+Install and configure iptables
+
+**Role Variables**
+
+.. zuul:rolevar:: iptables_allowed_hosts
+   :default: []
+
+   A list of dictionaries, each item in the list is a rule to add for
+   a host/port combination.  The format of the dictionary is:
+
+   .. zuul:rolevar:: hostname
+
+      The hostname to allow.  It will automatically be resolved, and
+      all IP addresses will be added to the firewall.
+
+   .. zuul:rolevar:: protocol
+
+      One of "tcp" or "udp".
+
+   .. zuul:rolevar:: port
+
+      The port number.
+
+.. zuul:rolevar:: iptables_public_tcp_ports
+   :default: []
+
+   A list of public TCP ports to open.
+
+.. zuul:rolevar:: iptables_public_udp_ports
+   :default: []
+
+   A list of public UDP ports to open.
+
+.. zuul:rolevar:: iptables_rules_v4
+   :default: []
+
+   A list of iptables v4 rules.  Each item is a string containing the
+   iptables command line options for the rule.
+
+.. zuul:rolevar:: iptables_rules_v6
+   :default: []
+
+   A list of iptables v6 rules.  Each item is a string containing the
+   iptables command line options for the rule.

playbooks/roles/iptables/defaults/main.yaml

@@ -0,0 +1,7 @@
+iptables_allowed_hosts: []
+iptables_public_ports: []
+iptables_public_tcp_ports: '{{ iptables_public_ports }}'
+iptables_public_udp_ports: '{{ iptables_public_ports }}'
+iptables_rules: []
+iptables_rules_v4: '{{ iptables_rules }}'
+iptables_rules_v6: '{{ iptables_rules }}'

playbooks/roles/iptables/handlers/main.yaml

@@ -0,0 +1,11 @@
+- name: Reload iptables Debian
+  import_tasks: tasks/reload-debian.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'Debian'
+
+- name: Reload iptables RedHat
+  import_tasks: tasks/reload-redhat.yaml
+  when:
+    - not ansible_facts.is_chroot
+    - ansible_facts.os_family == 'RedHat'

playbooks/roles/iptables/tasks/RedHat.yaml

@@ -0,0 +1,11 @@
+- name: Disable firewalld
+  service:
+    name: firewalld
+    enabled: no
+    state: stopped
+  failed_when: false
+
+- name: Ensure firewalld is removed
+  package:
+    name: firewalld
+    state: absent

playbooks/roles/iptables/tasks/main.yaml

@@ -0,0 +1,54 @@
+- name: Include OS-specific variables
+  include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      paths:
+        - 'vars'
+
+- name: Install iptables
+  package:
+    name: '{{ package_name }}'
+    state: present
+
+- name: Ensure iptables rules directory
+  file:
+    state: directory
+    path: '{{ rules_dir }}'
+
+- name: Install IPv4 rules files
+  template:
+    src: rules.v4.j2
+    dest: '{{ ipv4_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables Debian
+    - Reload iptables RedHat
+
+- name: Install IPv6 rules files
+  template:
+    src: rules.v6.j2
+    dest: '{{ ipv6_rules }}'
+    owner: root
+    group: root
+    mode: 0640
+    setype: '{{ setype | default(omit) }}'
+  notify:
+    - Reload iptables Debian
+    - Reload iptables RedHat
+
+- name: Include OS specific tasks
+  include_tasks: "{{ item }}"
+  vars:
+    params:
+      files: "{{ distro_lookup_path }}"
+      skip: true
+  loop: "{{ query('first_found', params) }}"
+
+- name: Enable iptables service
+  service:
+    name: '{{ service_name }}'
+    enabled: true

playbooks/roles/iptables/tasks/reload-debian.yaml

@@ -0,0 +1,2 @@
+- name: Reload iptables (Debian)
+  command: '{{ reload_command }}'

playbooks/roles/iptables/tasks/reload-redhat.yaml

@@ -0,0 +1,5 @@
+- name: Reload iptables (Red Hat)
+  command: 'systemctl reload iptables'
+
+- name: Reload ip6tables (Red Hat)
+  command: 'systemctl reload ip6tables'

playbooks/roles/iptables/templates/rules.v4.j2

@@ -0,0 +1,31 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v4 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_a -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT

playbooks/roles/iptables/templates/rules.v6.j2

@@ -0,0 +1,30 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# Public TCP ports
+{% for port in iptables_public_tcp_ports -%}
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Public UDP ports
+{% for port in iptables_public_udp_ports -%}
+-A openstack-INPUT -m udp -p udp --dport {{ port }} -j ACCEPT
+{% endfor -%}
+# Per-host rules
+{% for rule in iptables_rules_v6 -%}
+-A openstack-INPUT {{ rule }}
+{% endfor -%}
+{% for host in iptables_allowed_hosts -%}
+{% for addr in host.hostname | dns_aaaa -%}
+-A openstack-INPUT {% if host.protocol == 'tcp' %}-m state --state NEW {% endif %} -m {{ host.protocol }} -p {{ host.protocol }} -s {{ addr }} --dport {{ host.port }} -j ACCEPT
+{% endfor -%}
+{% endfor -%}
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT

playbooks/roles/iptables/vars/Debian.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: netfilter-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /usr/sbin/netfilter-persistent start

playbooks/roles/iptables/vars/RedHat.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-services
+service_name: iptables
+rules_dir: /etc/sysconfig
+ipv4_rules: /etc/sysconfig/iptables
+ipv6_rules: /etc/sysconfig/ip6tables
+setype: 'etc_t'

playbooks/roles/iptables/vars/Ubuntu.trusty.yaml

@@ -0,0 +1,6 @@
+package_name: iptables-persistent
+service_name: iptables-persistent
+rules_dir: /etc/iptables
+ipv4_rules: /etc/iptables/rules.v4
+ipv6_rules: /etc/iptables/rules.v6
+reload_command: /etc/init.d/iptables-persistent reload

testinfra/test_base.py

@@ -12,6 +12,20 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import socket
+
+
+def get_ips(value, family=None):
+    ret = set()
+    try:
+        addr_info = socket.getaddrinfo(value, None, family)
+    except socket.gaierror:
+        return ret
+    for addr in addr_info:
+        ret.add(addr[4][0])
+    return ret
+
+
 def test_exim_is_installed(host):
     if host.system_info.distribution in ['ubuntu', 'debian']:
         exim = host.package("exim4-base")
@@ -21,3 +35,36 @@ def test_exim_is_installed(host):
 
     cmd = host.run("exim -bt root")
     assert cmd.rc == 0
+
+
+def test_iptables(host):
+    rules = host.iptables.rules()
+    rules = [x.strip() for x in rules]
+
+    start = [
+        '-P INPUT ACCEPT',
+        '-P FORWARD ACCEPT',
+        '-P OUTPUT ACCEPT',
+        '-N openstack-INPUT',
+        '-A INPUT -j openstack-INPUT',
+        '-A openstack-INPUT -i lo -j ACCEPT',
+        '-A openstack-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT',
+        '-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
+        '-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT',
+    ]
+    assert rules[:len(start)] == start
+
+    reject = '-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited'
+    assert reject in rules
+
+    # Make sure that the zuul console stream rule has been removed
+    # from the test node
+    zuul = ('-A openstack-INPUT -p tcp -m state --state NEW'
+            ' -m tcp --dport 19885 -j ACCEPT')
+    assert zuul not in rules
+
+    # Ensure all IPv4 addresses for cacti are allowed
+    for ip in get_ips('cacti.openstack.org', socket.AF_INET):
+        snmp = ('-A openstack-INPUT -s %s/32 -p udp -m udp'
+                ' --dport 161 -j ACCEPT' % ip)
+        assert snmp in rules