Set iptables forward drop by default

Docker wants to set FORWARD DROP but our existing rules set FORWARD
ACCEPT. To avoid these two services fighting over each other and to
simplify testing let's default to FORWARD DROP too.

None of our servers should act as routers currently. If we resurrect
infracloud or if we deploy k8s this may change but today this should be
fine and be a safer ruleset.

Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
Clark Boylan 2018-12-11 13:51:21 -08:00
parent a20990ace0
commit 94eb7e5d2b
3 changed files with 3 additions and 3 deletions

@ -1,6 +1,6 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
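
Review bot: the new `:FORWARD DROP [0:0]` policy line has no comment in the rules file explaining why forwarding is dropped, and the visible context contains no `-A FORWARD` rules, so after this change any forwarded packet depends entirely on rules another service (Docker, per the commit message) inserts at runtime. Suggest a `#` comment above the policy lines stating that these hosts are not routers and that anything needing forwarding must add explicit FORWARD rules. Before rollout, check the FORWARD chain packet counters on existing hosts to confirm that none of them is forwarding traffic today.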

@ -1,6 +1,6 @@
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
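
Review bot: the `:FORWARD` policy line in this second rules file is edited by hand to match the previous file, so the two rulesets can drift apart on a later change. If both files are rendered from templates, consider taking the INPUT, FORWARD and OUTPUT default policies from one shared variable so the two files cannot disagree.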

@ -64,7 +64,7 @@ def test_iptables(host):
start = [
'-P INPUT ACCEPT',
'-P FORWARD ACCEPT',
'-P FORWARD DROP',
'-P OUTPUT ACCEPT',
'-N openstack-INPUT',
'-A INPUT -j openstack-INPUT',
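
Review bot: the updated `'-P FORWARD DROP'` expectation in `start` covers a single rule listing, while this commit changes the policy in two rules files. If `test_iptables` only inspects one ruleset, add the same assertion for the other so a regression in either file fails the test. Note also that `start` pins `'-N openstack-INPUT'` directly after the three `-P` lines, so the test should run on a host where no other service has added chains, or the comparison should be limited to the policy lines.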