Alter horizon iptables rules

This commit fixes the following:
* allow external URLs
* disable any local traffic except memcached
* allow DNS name resolution

Related-Prod: PROD-23525

Change-Id: Ib4498d5be3293f9aa747e328533e5cdde9e59980
diff --git a/horizon/server/iptables.yml b/horizon/server/iptables.yml
index d28bce7..4836feb 100644
--- a/horizon/server/iptables.yml
+++ b/horizon/server/iptables.yml
@@ -6,24 +6,13 @@
           chains:
             OUTPUT:
               ruleset:
-                10:
+                100:
+                  action: NAME_RESOLUTION
+                1000:
                   rule: -m owner --uid-owner horizon
                   action: HORIZON_ACCESS_RULES
             HORIZON_ACCESS_RULES:
               ruleset:
-                10:
-                  rule: -o lo
-                  action: ACCEPT
-# Slots 11-99 are reserved for the traffic that can be accepted based on its
-# destination, e.g targeted to / via public interface "outside"
-#
-# Slots 100-999 are reserved for the traffic that should be filtered
-# depending on its target port - this is all traffic that goes through internal
-# interfaces. At least you should override 'rule' for slot 100 to specify
-# internal interface on which the traffic should be filtered.
-#
-# These rules should be added / altered somewhere else where it is known what
-# interfaces are public / private.
                 100:
                   # Allow publicURL endpoint(s)
                   rule: -p tcp --dst ${_param:cluster_public_host}
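Review bot: The new slot 100 jump to NAME_RESOLUTION sits in OUTPUT ahead of the `-m owner --uid-owner horizon` match at slot 1000, so the DNS allow applies to every local process rather than only to the horizon user the rest of this ruleset is scoped to. Whether that actually widens anything depends on OUTPUT's policy and on rules outside this hunk, but if the intent is to let horizon resolve names, either add `rule: -m owner --uid-owner horizon` to slot 100 or place the jump inside HORIZON_ACCESS_RULES before the REJECT slots. The removed comment block that documented the 11-99 / 100-999 slot scheme is not replaced, while the new rules still rely on slot ordering for correctness; a short note above slot 100 such as `# 100-499 allow by destination, 500-999 reject, 1000 accepts the remainder` would keep that visible to whoever overrides a slot.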
@@ -32,10 +21,37 @@
                   # Allow internalURL endpoint(s)
                   rule: -p tcp --dst ${_param:openstack_control_address}
                   action: HORIZON_OPENSTACK_ENDPOINTS
-                120:
+                200:
+                  # Allow memcached on localhost
+                  rule: -o lo
                   action: HORIZON_MEMCACHED_ENDPOINTS
-                1000:
+                201:
+                  # Allow memchached on other hosts
+                  # This rule should be altered (not here) if required to allow
+                  # only specific hosts.
+                  action: HORIZON_MEMCACHED_ENDPOINTS
+                500:
+                  # Disable any other local traffic
+                  rule: -o lo
                   action: REJECT
+                501:
+                  # 501-503 disable private networks
+                  rule: --dst 10.0.0.0/16
+                  action: REJECT
+                502:
+                  rule: --dst 172.16.0.0/12
+                  action: REJECT
+                503:
+                  rule: --dst 192.168.0.0/16
+                  action: REJECT
+                504:
+                  # Disable APIPA
+                  rule: --dst 169.254.0.0/16
+                  action: REJECT
+                1000:
+                  # Accept any other traffic
+                  # It should be external traffic only
+                  action: ACCEPT
             HORIZON_OPENSTACK_ENDPOINTS:
               ruleset:
                 10:
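Review bot: The `--dst 10.0.0.0/16` reject at slot 501 covers only 10.0.0.0–10.0.255.255, not the RFC 1918 10.0.0.0/8 block the "501-503 disable private networks" comment describes, so horizon traffic to 10.1.0.0 and above falls through to the slot 1000 ACCEPT; the line should read `rule: --dst 10.0.0.0/8`. Slot 201 also jumps to HORIZON_MEMCACHED_ENDPOINTS with no destination match before any of the 501-504 rejects, so memcached-port traffic to every private and link-local address is accepted regardless of those rules; the comment acknowledges the rule is meant to be narrowed elsewhere, but it should say explicitly that it bypasses the rejects below it. Whether 100.64.0.0/10 (shared address space, used for internal services in some deployments) needs the same treatment depends on the host's addressing, which this file does not show.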
@@ -69,3 +85,10 @@
                   action: ACCEPT
                 1000:
                   action: RETURN
+            NAME_RESOLUTION:
+              ruleset:
+                10:
+                  rule: -p udp --dport 53
+                  action: ACCEPT
+                1000:
+                  action: RETURN
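Review bot: NAME_RESOLUTION accepts only `-p udp --dport 53`; when a UDP answer comes back truncated (large responses, DNSSEC) the resolver retries over TCP, and that retry is not matched here, so its fate depends on whatever follows the jump in OUTPUT. Adding a slot `11:` with `rule: -p tcp --dport 53` and `action: ACCEPT` keeps resolution working in that case. The chain also accepts port 53 to any destination; if the resolvers are known at this level, a `--dst` match on them would narrow it, otherwise a comment noting that the restriction is expected to be applied where the resolver addresses are known would help. The `1000: RETURN` means unmatched traffic is decided by rules outside this hunk.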