3a418e3420
Replaces hard-coded functions that create iptables rules for Nailgun and Cobbler with rules managed by the firewall module. Restricts network access to the Fuel Master for all services (except Fuel Web/API) to the Admin Network, and restricts postgres to localhost access only. blueprint master-node-iptables-ruleset Change-Id: Ib5d0c554bf97957c45b206b8bf4f6e64c9be109f
# Copyright 2013 Mirantis, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

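# Manages the iptables accept rules Cobbler needs on the Fuel master node.
#
# DNS, DHCP, TFTP, the Squid proxy and the Cobbler web UI are opened with
# `firewall` resources (puppetlabs-firewall). On Debian/Ubuntu hosts the class
# additionally installs two ifupdown hook scripts that save the rule set when
# an interface goes down and reload it before an interface comes up.
#
# Parameters:
#   $chain - iptables chain the accept rules are added to. Defaults to 'INPUT'.
#
# NOTE(review): none of the rules below carry a `source` or `iniface`
# restriction, so they accept traffic from any address that reaches $chain.
# Limiting these services to the admin network is presumably done by the
# chain's default policy or by rules declared elsewhere - confirm before
# relying on it.
class cobbler::iptables (
  $chain = 'INPUT',
) {

  case $operatingsystem {
    /(?i)(debian|ubuntu)/: {
      # Modes are quoted: an unquoted 0755 is parsed as an integer by the
      # Puppet parser and is not guaranteed to reach the file resource as the
      # octal string the resource expects.
      file { '/etc/network/if-post-down.d/iptablessave':
        content => template('cobbler/ubuntu/iptablessave.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
      }
      file { '/etc/network/if-pre-up.d/iptablesload':
        content => template('cobbler/ubuntu/iptablesload.erb'),
        owner   => 'root',
        group   => 'root',
        mode    => '0755',
      }
    }
    # Other distributions get no persistence hooks from this class.
    default: {}
  }

  # Rule titles carry a numeric prefix so puppetlabs-firewall orders them
  # deterministically within the chain.
  firewall { '101 dns_tcp':
    chain  => $chain,
    port   => '53',
    proto  => 'tcp',
    action => 'accept',
  }
  firewall { '102 dns_udp':
    chain  => $chain,
    port   => '53',
    proto  => 'udp',
    action => 'accept',
  }
  # DHCP server (67) and client (68) ports, both needed for PXE provisioning.
  firewall { '103 dhcp':
    chain  => $chain,
    port   => ['67', '68'],
    proto  => 'udp',
    action => 'accept',
  }
  firewall { '104 tftp':
    chain  => $chain,
    port   => '69',
    proto  => 'udp',
    action => 'accept',
  }
  firewall { '110 squidproxy':
    chain  => $chain,
    port   => '3128',
    proto  => 'tcp',
    action => 'accept',
  }
  firewall { '111 cobbler_web':
    chain  => $chain,
    port   => ['80', '443'],
    proto  => 'tcp',
    action => 'accept',
  }
}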