Set iptables forward drop by default

Docker wants to set FORWARD DROP but our existing rules set FORWARD ACCEPT. To avoid these two services fighting over each other and to simplify testing lets default to FORWARD DROP too. None of our servers should act as routers currently. If we resurrect infracloud or if we deploy k8s this may change but today this should be fine and be a safer ruleset. Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
2018-12-11 13:51:21 -08:00 · 2018-12-11 13:51:21 -08:00 · 94eb7e5d2b
commit 94eb7e5d2b
parent a20990ace0
3 changed files with 3 additions and 3 deletions
--- a/playbooks/roles/iptables/templates/rules.v4.j2
+++ b/playbooks/roles/iptables/templates/rules.v4.j2
@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
--- a/playbooks/roles/iptables/templates/rules.v6.j2
+++ b/playbooks/roles/iptables/templates/rules.v6.j2
@ -1,6 +1,6 @@
 *filter
 :INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
+:FORWARD DROP [0:0]
 :OUTPUT ACCEPT [0:0]
 :openstack-INPUT - [0:0]
 -A INPUT -j openstack-INPUT
--- a/testinfra/test_base.py
+++ b/testinfra/test_base.py
@ -64,7 +64,7 @@ def test_iptables(host):

    start = [
        '-P INPUT ACCEPT',
-        '-P FORWARD ACCEPT',
+        '-P FORWARD DROP',
        '-P OUTPUT ACCEPT',
        '-N openstack-INPUT',
        '-A INPUT -j openstack-INPUT',