Set iptables forward drop by default
Docker wants to set FORWARD DROP but our existing rules set FORWARD ACCEPT. To avoid these two services fighting over each other and to simplify testing, let's default to FORWARD DROP too. None of our servers should act as routers currently. If we resurrect infracloud or if we deploy k8s this may change, but today this should be fine and be a safer ruleset.

Change-Id: I5f19233129cf54eb70beb335c7b6224f0836096c
parent a20990ace0
commit 94eb7e5d2b
@ -1,6 +1,6 @@
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:openstack-INPUT - [0:0]
|
||||
-A INPUT -j openstack-INPUT
|
||||
|
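Review bot: at `:FORWARD DROP [0:0]` the default flips to DROP while the visible part of the ruleset only populates INPUT (`-A INPUT -j openstack-INPUT`), so a host that does forward traffic now depends entirely on FORWARD rules that another service inserts at runtime. Please add a `#` comment line above the policy stating that these hosts are not expected to route and that Docker manages its own FORWARD rules, so whoever resurrects infracloud or deploys k8s knows this is the line to revisit.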
@ -1,6 +1,6 @@
|
||||
*filter
|
||||
:INPUT ACCEPT [0:0]
|
||||
:FORWARD ACCEPT [0:0]
|
||||
:FORWARD DROP [0:0]
|
||||
:OUTPUT ACCEPT [0:0]
|
||||
:openstack-INPUT - [0:0]
|
||||
-A INPUT -j openstack-INPUT
|
||||
|
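Review bot: the `:FORWARD DROP [0:0]` edit here repeats the previous hunk line for line, so the default FORWARD policy is being maintained by hand in two rule files. If these files are templated, consider taking the policy from a single variable in both so the two cannot drift apart the next time the default changes.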
@ -64,7 +64,7 @@ def test_iptables(host):
|
||||
|
||||
start = [
|
||||
'-P INPUT ACCEPT',
|
||||
'-P FORWARD ACCEPT',
|
||||
'-P FORWARD DROP',
|
||||
'-P OUTPUT ACCEPT',
|
||||
'-N openstack-INPUT',
|
||||
'-A INPUT -j openstack-INPUT',
|
||||
|
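Review bot: the `start` list in test_iptables pins only the policy string `'-P FORWARD DROP'`; from the lines shown here, nothing asserts that the FORWARD chain is free of ACCEPT rules that would bypass the new default. If the rest of the test does not already cover it, add an assertion that no `-A FORWARD` rule ending in `-j ACCEPT` appears on hosts that do not run Docker, and check the same expectation for the second ruleset changed in this commit.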