nova/tools/setup_iptables.sh

#!/usr/bin/env bash
# vim: tabstop=4 shiftwidth=4 softtabstop=4

# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# All Rights Reserved.
#
#    Licensed under the Apache License, Version 2.0 (the "License"); you may
#    not use this file except in compliance with the License. You may obtain
#    a copy of the License at
#
#         http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
#    License for the specific language governing permissions and limitations
#    under the License.

# NOTE(vish): This script sets up some reasonable defaults for iptables and
#             creates nova-specific chains.  If you use this script you should
#             run nova-network and nova-compute with --use_nova_chains=True

# NOTE(vish): If you run nova-api on a different port, make sure to change
#             the port here
API_PORT=${API_PORT:-"8773"}
if [ -n "$1" ]; then
    CMD=$1
else
    CMD="all"
fi

if [ -n "$2" ]; then
    IP=$2
else
    # NOTE(vish): This will just get the first ip in the list, so if you
    #             have more than one eth device set up, this will fail, and
    #             you should explicitly pass in the ip of the instance
    IP=`ifconfig  | grep -m 1 'inet addr:'| cut -d: -f2 | awk '{print $1}'`
fi

if [ -n "$3" ]; then
    PRIVATE_RANGE=$3
else
    PRIVATE_RANGE="10.0.0.0/12"
fi


if [ -n "$4" ]; then
    # NOTE(vish): Management IP is the ip over which to allow ssh traffic.  It
    #             will also allow traffic to nova-api
    MGMT_IP=$4
else
    MGMT_IP="$IP"
fi
if [ "$CMD" == "clear" ]; then
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -t nat -F
    iptables -F nova_input
    iptables -F nova_output
    iptables -F nova_forward
    iptables -t nat -F nova_input
    iptables -t nat -F nova_output
    iptables -t nat -F nova_forward
    iptables -t nat -X
    iptables -X
fi

if [ "$CMD" == "base" ] || [ "$CMD" == "all" ]; then
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT
    iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
    iptables -N nova_input
    iptables -A INPUT -j nova_input
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state INVALID -j DROP
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -N nova_forward
    iptables -A FORWARD -j nova_forward

    # NOTE(vish): DROP on output is too restrictive for now.  We need to add
    #             in a bunch of more specific output rules to use it.
    # iptables -P OUTPUT DROP
    iptables -A OUTPUT -m state --state INVALID -j DROP
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -N nova_output
    iptables -A OUTPUT -j nova_output

    iptables -t nat -N nova_prerouting
    iptables -t nat -A PREROUTING -j nova_prerouting

    iptables -t nat -N nova_postrouting
    iptables -t nat -A POSTROUTING -j nova_postrouting

    iptables -t nat -N nova_output
    iptables -t nat -A OUTPUT -j nova_output
fi

if [ "$CMD" == "ganglia" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
    iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT
fi

if [ "$CMD" == "web" ] || [ "$CMD" == "all" ]; then
    # NOTE(vish): This opens up ports for web access, allowing web-based
    #             dashboards to work.
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
fi

if [ "$CMD" == "objectstore" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
fi

if [ "$CMD" == "api" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport $API_PORT -j ACCEPT
    if [ "$IP" != "$MGMT_IP" ]; then
        iptables -A nova_input -m tcp -p tcp -d $MGMT_IP --dport $API_PORT -j ACCEPT
    fi
fi

if [ "$CMD" == "redis" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
fi

if [ "$CMD" == "mysql" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
fi

if [ "$CMD" == "rabbitmq" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
fi

if [ "$CMD" == "dnsmasq" ] || [ "$CMD" == "all" ]; then
    # NOTE(vish): this could theoretically be setup per network
    #             for each host, but it seems like overkill
    iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
    iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
    iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
fi

if [ "$CMD" == "ldap" ] || [ "$CMD" == "all" ]; then
    iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT
fi