Horizon iptables rules
Releated-Prod: PROD-23525
Change-Id: Ib562b1d4cfa7d8df87b06b60d8d7ccf5ff4db4c3
diff --git a/horizon/server/cluster.yml b/horizon/server/cluster.yml
index 0cd20d7..db0c7e5 100644
--- a/horizon/server/cluster.yml
+++ b/horizon/server/cluster.yml
@@ -1,6 +1,7 @@
classes:
- service.keepalived.cluster.single
- service.horizon.server.cluster
+- system.horizon.server.iptables
- service.haproxy.proxy.single
- system.apache.server.single
- system.haproxy.proxy.listen.openstack.horizon
diff --git a/horizon/server/iptables.yml b/horizon/server/iptables.yml
new file mode 100644
index 0000000..d28bce7
--- /dev/null
+++ b/horizon/server/iptables.yml
@@ -0,0 +1,71 @@
+parameters:
+ iptables:
+ tables:
+ v4:
+ filter:
+ chains:
+ OUTPUT:
+ ruleset:
+ 10:
+ rule: -m owner --uid-owner horizon
+ action: HORIZON_ACCESS_RULES
+ HORIZON_ACCESS_RULES:
+ ruleset:
+ 10:
+ rule: -o lo
+ action: ACCEPT
+# Slots 11-99 are reserved for the traffic that can be accepted based on its
+# destination, e.g targeted to / via public interface "outside"
+#
+# Slots 100-999 are reserved for the traffic that should be filtered
+# depending on its target port - this is all traffic that goes through internal
+# interfaces. At least you should override 'rule' for slot 100 to specify
+# internal interface on which the traffic should be filtered.
+#
+# These rules should be added / altered somewhere else where it is known what
+# interfaces are public / private.
+ 100:
+ # Allow publicURL endpoint(s)
+ rule: -p tcp --dst ${_param:cluster_public_host}
+ action: HORIZON_OPENSTACK_ENDPOINTS
+ 101:
+ # Allow internalURL endpoint(s)
+ rule: -p tcp --dst ${_param:openstack_control_address}
+ action: HORIZON_OPENSTACK_ENDPOINTS
+ 120:
+ action: HORIZON_MEMCACHED_ENDPOINTS
+ 1000:
+ action: REJECT
+ HORIZON_OPENSTACK_ENDPOINTS:
+ ruleset:
+ 10:
+ # Identity service (keystone) public endpoint
+ rule: -p tcp --dport 5000
+ action: ACCEPT
+ 20:
+ # Orchestration (heat) endpoint
+ rule: -p tcp --dport 8004
+ action: ACCEPT
+ 30:
+ # Compute (nova) endpoint
+ rule: -p tcp --dport 8774
+ action: ACCEPT
+ 40:
+ # Block Storage (cinder) endpoint
+ rule: -p tcp --dport 8776
+ action: ACCEPT
+ 50:
+ # Image service (glance) endpoint
+ rule: -p tcp --dport 9292
+ action: ACCEPT
+ 60:
+ # Networking (neutron) endpoint
+ rule: -p tcp --dport 9696
+ action: ACCEPT
+ HORIZON_MEMCACHED_ENDPOINTS:
+ ruleset:
+ 10:
+ rule: -p tcp --dport 11211
+ action: ACCEPT
+ 1000:
+ action: RETURN
diff --git a/horizon/server/single.yml b/horizon/server/single.yml
index bd2ea7b..0ed0674 100644
--- a/horizon/server/single.yml
+++ b/horizon/server/single.yml
@@ -1,5 +1,6 @@
classes:
- service.horizon.server.single
+- system.horizon.server.iptables
- system.apache.server.single
- system.memcached.server.single
parameters: