Merge "Horizon iptables rules"
diff --git a/horizon/server/cluster.yml b/horizon/server/cluster.yml
index 0cd20d7..db0c7e5 100644
--- a/horizon/server/cluster.yml
+++ b/horizon/server/cluster.yml
@@ -1,6 +1,7 @@
 classes:
 - service.keepalived.cluster.single
 - service.horizon.server.cluster
+- system.horizon.server.iptables
 - service.haproxy.proxy.single
 - system.apache.server.single
 - system.haproxy.proxy.listen.openstack.horizon
diff --git a/horizon/server/iptables.yml b/horizon/server/iptables.yml
new file mode 100644
index 0000000..d28bce7
--- /dev/null
+++ b/horizon/server/iptables.yml
@@ -0,0 +1,71 @@
+parameters:
+  iptables:
+    tables:
+      v4:
+        filter:
+          chains:
+            OUTPUT:
+              ruleset:
+                10:
+                  rule: -m owner --uid-owner horizon
+                  action: HORIZON_ACCESS_RULES
+            HORIZON_ACCESS_RULES:
+              ruleset:
+                10:
+                  rule: -o lo
+                  action: ACCEPT
+# Slots 11-99 are reserved for the traffic that can be accepted based on its
+# destination, e.g targeted to / via public interface "outside"
+#
+# Slots 100-999 are reserved for the traffic that should be filtered
+# depending on its target port - this is all traffic that goes through internal
+# interfaces. At least you should override 'rule' for slot 100 to specify
+# internal interface on which the traffic should be filtered.
+#
+# These rules should be added / altered somewhere else where it is known what
+# interfaces are public / private.
+                100:
+                  # Allow publicURL endpoint(s)
+                  rule: -p tcp --dst ${_param:cluster_public_host}
+                  action: HORIZON_OPENSTACK_ENDPOINTS
+                101:
+                  # Allow internalURL endpoint(s)
+                  rule: -p tcp --dst ${_param:openstack_control_address}
+                  action: HORIZON_OPENSTACK_ENDPOINTS
+                120:
+                  action: HORIZON_MEMCACHED_ENDPOINTS
+                1000:
+                  action: REJECT
+            HORIZON_OPENSTACK_ENDPOINTS:
+              ruleset:
+                10:
+                  # Identity service (keystone) public endpoint
+                  rule: -p tcp --dport 5000
+                  action: ACCEPT
+                20:
+                  # Orchestration (heat) endpoint
+                  rule: -p tcp --dport 8004
+                  action: ACCEPT
+                30:
+                  # Compute (nova) endpoint
+                  rule: -p tcp --dport 8774
+                  action: ACCEPT
+                40:
+                  # Block Storage (cinder) endpoint
+                  rule: -p tcp --dport 8776
+                  action: ACCEPT
+                50:
+                  # Image service (glance) endpoint
+                  rule: -p tcp --dport 9292
+                  action: ACCEPT
+                60:
+                  # Networking (neutron) endpoint
+                  rule: -p tcp --dport 9696
+                  action: ACCEPT
+            HORIZON_MEMCACHED_ENDPOINTS:
+              ruleset:
+                10:
+                  rule: -p tcp --dport 11211
+                  action: ACCEPT
+                1000:
+                  action: RETURN
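Review bot: Nothing in HORIZON_ACCESS_RULES permits name resolution for the horizon uid, so if `${_param:cluster_public_host}`, `${_param:openstack_control_address}` or the memcached host is configured as a hostname rather than an IP, the process's DNS queries fall through to slot 1000 and are rejected; either add a slot before 1000 such as `110:` with `rule: -p udp --dport 53` and `action: ACCEPT` (and the tcp counterpart), or document that these parameters must be IP addresses. Note also that `--dst` with a hostname is resolved by iptables when the rule is loaded, so a later address change is not picked up until the rules are reapplied. Slot 120 jumps to HORIZON_MEMCACHED_ENDPOINTS without a `rule:`, so tcp/11211 is accepted to any destination; adding a `--dst` for the memcached host(s) would match the intent stated in the slot 100-999 comment. The comment block at column 0 inside the ruleset is valid YAML but its instruction to override `rule` for slot 100 conflicts with slot 100 already carrying the public-host rule, and indenting it to the `100:` key would make clear which slots it describes.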
diff --git a/horizon/server/single.yml b/horizon/server/single.yml
index bd2ea7b..0ed0674 100644
--- a/horizon/server/single.yml
+++ b/horizon/server/single.yml
@@ -1,5 +1,6 @@
 classes:
 - service.horizon.server.single
+- system.horizon.server.iptables
 - system.apache.server.single
 - system.memcached.server.single
 parameters: