| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 1 | parameters: |
| 2 | iptables: |
| 3 | tables: |
| 4 | v4: |
| 5 | filter: |
| 6 | chains: |
| 7 | OUTPUT: |
| 8 | ruleset: |
| Dmitry Teselkin | d0e0d00 | 2018-11-21 17:28:33 +0300 | [diff] [blame] | 9 | 100: |
| 10 | action: NAME_RESOLUTION |
| 11 | 1000: |
| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 12 | rule: -m owner --uid-owner horizon |
| 13 | action: HORIZON_ACCESS_RULES |
| 14 | HORIZON_ACCESS_RULES: |
| 15 | ruleset: |
| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 16 | 100: |
| 17 | # Allow publicURL endpoint(s) |
| 18 | rule: -p tcp --dst ${_param:cluster_public_host} |
| 19 | action: HORIZON_OPENSTACK_ENDPOINTS |
| 20 | 101: |
| 21 | # Allow internalURL endpoint(s) |
| 22 | rule: -p tcp --dst ${_param:openstack_control_address} |
| 23 | action: HORIZON_OPENSTACK_ENDPOINTS |
| Dmitry Teselkin | d0e0d00 | 2018-11-21 17:28:33 +0300 | [diff] [blame] | 24 | 200: |
| 25 | # Allow memcached on localhost |
| 26 | rule: -o lo |
| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 27 | action: HORIZON_MEMCACHED_ENDPOINTS |
| Dmitry Teselkin | d0e0d00 | 2018-11-21 17:28:33 +0300 | [diff] [blame] | 28 | 201: |
| 29 | # Allow memchached on other hosts |
| 30 | # This rule should be altered (not here) if required to allow |
| 31 | # only specific hosts. |
| 32 | action: HORIZON_MEMCACHED_ENDPOINTS |
| 33 | 500: |
| 34 | # Disable any other local traffic |
| 35 | rule: -o lo |
| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 36 | action: REJECT |
| Dmitry Teselkin | d0e0d00 | 2018-11-21 17:28:33 +0300 | [diff] [blame] | 37 | 501: |
| 38 | # 501-503 disable private networks |
| 39 | rule: --dst 10.0.0.0/16 |
| 40 | action: REJECT |
| 41 | 502: |
| 42 | rule: --dst 172.16.0.0/12 |
| 43 | action: REJECT |
| 44 | 503: |
| 45 | rule: --dst 192.168.0.0/16 |
| 46 | action: REJECT |
| 47 | 504: |
| 48 | # Disable APIPA |
| 49 | rule: --dst 169.254.0.0/16 |
| 50 | action: REJECT |
| 51 | 1000: |
| 52 | # Accept any other traffic |
| 53 | # It should be external traffic only |
| 54 | action: ACCEPT |
| Dmitry Teselkin | 253fa80 | 2018-11-19 19:45:52 +0300 | [diff] [blame] | 55 | HORIZON_OPENSTACK_ENDPOINTS: |
| 56 | ruleset: |
| 57 | 10: |
| 58 | # Identity service (keystone) public endpoint |
| 59 | rule: -p tcp --dport 5000 |
| 60 | action: ACCEPT |
| 61 | 20: |
| 62 | # Orchestration (heat) endpoint |
| 63 | rule: -p tcp --dport 8004 |
| 64 | action: ACCEPT |
| 65 | 30: |
| 66 | # Compute (nova) endpoint |
| 67 | rule: -p tcp --dport 8774 |
| 68 | action: ACCEPT |
| 69 | 40: |
| 70 | # Block Storage (cinder) endpoint |
| 71 | rule: -p tcp --dport 8776 |
| 72 | action: ACCEPT |
| 73 | 50: |
| 74 | # Image service (glance) endpoint |
| 75 | rule: -p tcp --dport 9292 |
| 76 | action: ACCEPT |
| 77 | 60: |
| 78 | # Networking (neutron) endpoint |
| 79 | rule: -p tcp --dport 9696 |
| 80 | action: ACCEPT |
| 81 | HORIZON_MEMCACHED_ENDPOINTS: |
| 82 | ruleset: |
| 83 | 10: |
| 84 | rule: -p tcp --dport 11211 |
| 85 | action: ACCEPT |
| 86 | 1000: |
| 87 | action: RETURN |
| Dmitry Teselkin | d0e0d00 | 2018-11-21 17:28:33 +0300 | [diff] [blame] | 88 | NAME_RESOLUTION: |
| 89 | ruleset: |
| 90 | 10: |
| 91 | rule: -p udp --dport 53 |
| 92 | action: ACCEPT |
| 93 | 1000: |
| 94 | action: RETURN |