Set the list of iptables rules for better master node security.

Registered by Miroslav Anashkin on 2014-01-30

Feature Lead: Matthew Mosesohn
Mandatory Design Reviewers: Andrey Danin, Dmitry Ilyin, Lukasz Oles
Developers: Matthew Mosesohn
QA: Tatyana Leontovich

Great respect to Steve Stonebraker, the author of the following:

I verified these rules work on Fuel 3.2.1. I was able to create an OpenStack environment and provision servers without any issues using the following iptables rules. This is a gift to you guys (if you want it).

# Generated by iptables-save v1.4.7 on Mon Dec 30 17:09:29 2013
*nat
:PREROUTING ACCEPT [63:5961]
:POSTROUTING ACCEPT [102:6120]
:OUTPUT ACCEPT [230:13678]
-A POSTROUTING -s 10.20.0.0/24 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Permit Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Established, Related
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept rules for eth0 (Admin PXE)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -m comment --comment "puppet server" -j ACCEPT
-A INPUT -i eth0 -p udp -m multiport --ports 514 -m comment --comment "rsyslog" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 53 -m comment --comment "dnsmasq_tcp" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 53 -m comment --comment "dnsmasq_udp" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8080 -m comment --comment "keystone" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 25150 -m comment --comment "syslog" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 123 -m comment --comment "ntp" -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 4011 -m comment --comment "pxe" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -m multiport --dports 25151,80,443,69,3128 -m comment --comment "cobbler-xmlrpc_api-httpd-tftp-squid" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -m multiport --dports 41055,5672,55672 -m comment --comment "Mcollective, beam" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 61613 -m comment --comment "rabbitmq" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8000 -m comment --comment "fuel" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 4369 -m comment --comment "erlang" -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 873 -m comment --comment "xinetd" -j ACCEPT

# Accept rules for admin subnet
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8000 -m comment --comment "fuel" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 61613 -m comment --comment "rabbitmq" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8080 -m comment --comment "keystone" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 873 -m comment --comment "xinetd" -j ACCEPT

# Accept PXE boot traffic on any interface
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 67,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 67,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -m comment --comment "tftp_cobbler_udp" -j ACCEPT

# Accept snmptrap traffic on eth4.172 (PUBLIC/FLOATING TRAFFIC)
-A INPUT -i eth4.172 -p udp -m state --state NEW -m udp --dport 162 -m comment --comment "snmptrap" -j ACCEPT

# permit example external host 192.168.168.120 to ssh to the server
-A INPUT -s 192.168.168.120 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT

# Drop everybody else (check /var/log/debug for drop info)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT

COMMIT
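Before loading a ruleset like this, it is worth checking what it actually exposes per interface and source. The helper below is an added example, not part of the blueprint or of Fuel: it evaluates a packet against the INPUT chain with first-match semantics, using a constructed excerpt of the rules above, and it only models the interface, source, protocol, state and destination-port matches used there.

```python
"""Added audit helper (not part of the blueprint or Fuel): first-match evaluation of an INPUT chain."""
import ipaddress, shlex

# Constructed excerpt of the ruleset above. Only -i, -s, -p, --state and the
# destination-port matches are evaluated; multiport --ports is read as dports.
RULESET = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 8140 -m comment --comment "puppet server" -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m state --state NEW -m tcp --dport 8000 -m comment --comment "fuel" -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 67,68 -m comment --comment "cobbler-bootp" -j ACCEPT
-A INPUT -s 192.168.168.120 -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
"""

def _ports(a): return {int(p) for p in a.split(",")}
SETTERS = {  # option -> (rule key, converter for the option's single argument)
    "-i": ("iface", str), "-p": ("proto", str), "-j": ("target", str),
    "-s": ("src", lambda a: ipaddress.ip_network(a, strict=False)),
    "--dport": ("dports", _ports), "--dports": ("dports", _ports), "--ports": ("dports", _ports),
    "--state": ("states", lambda a: set(a.split(","))),
}

def parse_rule(line):
    """Reduce one '-A INPUT ...' line to the matches this helper evaluates."""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in SETTERS:  # modelled options consume exactly one argument
            key, conv = SETTERS[toks[i]]
            rule[key] = conv(toks[i + 1])
            i += 1
        i += 1  # everything else (-m, --comment text, --limit ...) is skipped
    return rule

def matches(rule, pkt):
    """True when every match present in the rule is satisfied by the packet."""
    return (rule.get("iface") in (None, pkt["iface"])
            and rule.get("proto") in (None, pkt["proto"])
            and ("src" not in rule or ipaddress.ip_address(pkt["src"]) in rule["src"])
            and ("dports" not in rule or pkt.get("dport") in rule["dports"])
            and ("states" not in rule or pkt["state"] in rule["states"]))

def verdict(pkt, ruleset=RULESET):
    """Target of the first matching terminating rule; LOG does not terminate,
    and the chain policy (':INPUT ACCEPT' in the ruleset above) applies otherwise."""
    for line in ruleset.splitlines():
        if line.startswith("-A INPUT "):
            rule = parse_rule(line)
            if matches(rule, pkt) and rule.get("target") != "LOG":
                return rule["target"]
    return "ACCEPT"
```

Feeding the full ruleset into `verdict` via the `ruleset` argument shows, for example, that SSH reaches the master only from 192.168.168.120 while port 8000 is reachable from any interface as long as the source is in 10.20.0.0/24.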

Blueprint information

Status: Complete
Approver: Mike Scherbakov
Priority: Essential
Drafter: Miroslav Anashkin
Direction: Approved
Assignee: Matthew Mosesohn
Definition: Approved
Series goal: Accepted for 5.1.x
Implementation: Implemented
Milestone target: 5.1
Started by: Vladimir Kuklin on 2014-07-02
Completed by: Vladimir Kuklin on 2014-07-10

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/master-node-iptables-ruleset,n,z

Addressed by: https://review.openstack.org/101964
    Improve firewall rules for Fuel Master

