Horizon iptables rules

Releated-Prod: PROD-23525

Change-Id: Ib562b1d4cfa7d8df87b06b60d8d7ccf5ff4db4c3
diff --git a/horizon/server/iptables.yml b/horizon/server/iptables.yml
new file mode 100644
index 0000000..d28bce7
--- /dev/null
+++ b/horizon/server/iptables.yml
@@ -0,0 +1,71 @@
+parameters:
+  iptables:
+    tables:
+      v4:
+        filter:
+          chains:
+            OUTPUT:
+              ruleset:
+                10:
+                  rule: -m owner --uid-owner horizon
+                  action: HORIZON_ACCESS_RULES
+            HORIZON_ACCESS_RULES:
+              ruleset:
+                10:
+                  rule: -o lo
+                  action: ACCEPT
+# Slots 11-99 are reserved for the traffic that can be accepted based on its
+# destination, e.g targeted to / via public interface "outside"
+#
+# Slots 100-999 are reserved for the traffic that should be filtered
+# depending on its target port - this is all traffic that goes through internal
+# interfaces. At least you should override 'rule' for slot 100 to specify
+# internal interface on which the traffic should be filtered.
+#
+# These rules should be added / altered somewhere else where it is known what
+# interfaces are public / private.
+                100:
+                  # Allow publicURL endpoint(s)
+                  rule: -p tcp --dst ${_param:cluster_public_host}
+                  action: HORIZON_OPENSTACK_ENDPOINTS
+                101:
+                  # Allow internalURL endpoint(s)
+                  rule: -p tcp --dst ${_param:openstack_control_address}
+                  action: HORIZON_OPENSTACK_ENDPOINTS
+                120:
+                  action: HORIZON_MEMCACHED_ENDPOINTS
+                1000:
+                  action: REJECT
+            HORIZON_OPENSTACK_ENDPOINTS:
+              ruleset:
+                10:
+                  # Identity service (keystone) public endpoint
+                  rule: -p tcp --dport 5000
+                  action: ACCEPT
+                20:
+                  # Orchestration (heat) endpoint
+                  rule: -p tcp --dport 8004
+                  action: ACCEPT
+                30:
+                  # Compute (nova) endpoint
+                  rule: -p tcp --dport 8774
+                  action: ACCEPT
+                40:
+                  # Block Storage (cinder) endpoint
+                  rule: -p tcp --dport 8776
+                  action: ACCEPT
+                50:
+                  # Image service (glance) endpoint
+                  rule: -p tcp --dport 9292
+                  action: ACCEPT
+                60:
+                  # Networking (neutron) endpoint
+                  rule: -p tcp --dport 9696
+                  action: ACCEPT
+            HORIZON_MEMCACHED_ENDPOINTS:
+              ruleset:
+                10:
+                  rule: -p tcp --dport 11211
+                  action: ACCEPT
+                1000:
+                  action: RETURN
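Review bot: Slot 120 jumps to HORIZON_MEMCACHED_ENDPOINTS with no `rule:`, so unlike slots 100 and 101 the jump matches every packet that reaches it and that chain then accepts tcp/11211 to any destination, which contradicts the header comment that slots 100-999 are filtered per port on internal interfaces only; give it a match as the neighbouring slots have, e.g. `rule: -p tcp --dst ${_param:<memcached_address_param>}` (placeholder — use whatever parameter the formula already exposes for the memcached host) or at least an `-o <internal-interface>` override as the comment prescribes for slot 100. Nothing ahead of the slot-1000 REJECT accepts ESTABLISHED,RELATED traffic or DNS, so if the dashboard's web server workers run as uid horizon their replies to clients and any resolution of `${_param:cluster_public_host}` would also be rejected — worth confirming against the service's runtime user, and if it applies an early slot `rule: -m conntrack --ctstate ESTABLISHED,RELATED` / `action: ACCEPT` covers the first case. HORIZON_OPENSTACK_ENDPOINTS falls off the end of the chain while HORIZON_MEMCACHED_ENDPOINTS closes with an explicit `1000: action: RETURN`; both behave the same, so pick one form for consistency.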