Set the list of iptables rules for better master node security.
Feature Lead: Matthew Mosesohn
Mandatory Design Reviewers: Andrey Danin, Dmitry Ilyin, Lukasz Oles
Developers: Matthew Mosesohn
QA: Tatyana Leontovich
Great respect to Steve Stonebraker, the author of the following:
I verified these rules work on Fuel 3.2.1. I was able to create an OpenStack environment and provision servers without any issues using the following iptables rules. This is a gift to you guys (if you want it).
# Generated by iptables-save v1.4.7 on Mon Dec 30 17:09:29 2013
*nat
:PREROUTING ACCEPT [63:5961]
:POSTROUTING ACCEPT [102:6120]
:OUTPUT ACCEPT [230:13678]
-A POSTROUTING -s 10.20.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Permit Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Established, Related
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept rules for eth0 (Admin PXE)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -m comment --comment "puppet server" -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --ports 514 -m comment --comment "rsyslog" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -m comment --comment "dnsmasq_tcp" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -m comment --comment "dnsmasq_udp" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8080 -m comment --comment "keystone" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25150 -m comment --comment "syslog" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 4011 -m comment --comment "pxe" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -m multiport --dports 25151,80,
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -m multiport --dports 41055,5672,55672 -m comment --comment "Mcollective, beam" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 61613 -m comment --comment "rabbitmq" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8000 -m comment --comment "fuel" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4369 -m comment --comment "erlang" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 873 -m comment --comment "xinetd" -j ACCEPT
# Accept rules for admin subnet
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8000 -m comment --comment "fuel" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 61613 -m comment --comment "rabbitmq" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8080 -m comment --comment "keystone" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 873 -m comment --comment "xinetd" -j ACCEPT
# Accept PXE boot traffic on any interface
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 67,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 68,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -m comment --comment "tftp_cobbler_udp" -j ACCEPT
# Accept snmptrap traffic on eth4.172 (PUBLIC/FLOATING TRAFFIC)
-A INPUT -i eth4.172 -p udp -m state --state NEW -m udp --dport 162 -m comment --comment "snmptrap" -j ACCEPT
# permit example external host 192.168.168.120 to ssh to the server
-A INPUT -s 192.168.168.120 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
# Drop everybody else (check /var/log/debug for drop info)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
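As an added audit example (not part of the blueprint and not Fuel's own code), the following Python parses an iptables-save dump and flags the points a reviewer would check in a ruleset like the one above: ACCEPT rules bound to neither an interface (-i) nor a source network (-s), a repeated port in a multiport list, and an INPUT chain that does not end with LOG followed by REJECT or DROP. The sample ruleset is constructed for the example and only mirrors the shape of the one above.

```python
import shlex

# Constructed sample in iptables-save syntax, shaped like the ruleset above
# (same chain layout and match modules) but not a verbatim copy of it.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -m comment --comment "puppet server" -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 67,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 68,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
COMMIT
"""


def parse_rule(line):
    """Map every flag of one '-A CHAIN ...' line to the list of its values (-m repeats)."""
    toks = shlex.split(line)  # keeps a quoted --comment as one token
    rule, i = {}, 0
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        rule.setdefault(toks[i], []).append(toks[i + 1] if has_value else True)
        i += 2 if has_value else 1
    return rule


def audit_input_chain(text):
    """Return findings for the INPUT chain of an iptables-save dump."""
    rules = [parse_rule(l) for l in text.splitlines() if l.startswith("-A INPUT ")]
    findings = []
    for n, r in enumerate(rules, 1):
        label = r.get("--comment", ["no comment"])[0]
        states = set(r.get("--state", [""])[0].split(","))
        # An ACCEPT bound to neither an interface nor a source network is open on
        # every interface; only loopback and the conntrack rule should be that wide.
        if r.get("-j") == ["ACCEPT"] and "-i" not in r and "-s" not in r \
                and not states <= {"RELATED", "ESTABLISHED"}:
            findings.append(f"rule {n} ({label}): ACCEPT not limited by -i or -s")
        # A repeated port inside --dports is almost always a copy error.
        for plist in r.get("--dports", []):
            if len(set(plist.split(","))) != len(plist.split(",")):
                findings.append(f"rule {n} ({label}): duplicate port in --dports {plist}")
    # The chain should end by logging and then refusing everything else.
    tail = [r.get("-j", [None])[0] for r in rules[-2:]]
    if tail not in (["LOG", "REJECT"], ["LOG", "DROP"]):
        findings.append("INPUT chain does not end with LOG then REJECT/DROP")
    return findings
```

Run `audit_input_chain(open("/etc/sysconfig/iptables").read())` against a saved ruleset to get the same findings for a real master node.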
Blueprint information
- Status: Complete
- Approver: Mike Scherbakov
- Priority: Essential
- Drafter: Miroslav Anashkin
- Direction: Approved
- Assignee: Matthew Mosesohn
- Definition: Approved
- Series goal: Accepted for 5.1.x
- Implementation: Implemented
- Milestone target: 5.1
- Started by: Vladimir Kuklin
- Completed by: Vladimir Kuklin
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Improve firewall rules for Fuel Master