Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-models / reclass-system / 574469aee38c88e071099c95710d47c1fe4e482d / . / horizon / server / iptables.yml
blob: e25fad837bb769f651c6d54f4c1eb834c08d5c48 [file] [log] [blame]
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]1parameters:
2 iptables:
3 tables:
4 v4:
5 filter:
6 chains:
7 OUTPUT:
8 ruleset:
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]9 100:
10 action: NAME_RESOLUTION
11 1000:
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]12 rule: -m owner --uid-owner horizon
13 action: HORIZON_ACCESS_RULES
14 HORIZON_ACCESS_RULES:
15 ruleset:
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]16 100:
17 # Allow publicURL endpoint(s)
18 rule: -p tcp --dst ${_param:cluster_public_host}
19 action: HORIZON_OPENSTACK_ENDPOINTS
20 101:
21 # Allow internalURL endpoint(s)
22 rule: -p tcp --dst ${_param:openstack_control_address}
23 action: HORIZON_OPENSTACK_ENDPOINTS
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]24 200:
25 # Allow memcached on localhost
26 rule: -o lo
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]27 action: HORIZON_MEMCACHED_ENDPOINTS
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]28 201:
29 # Allow memchached on other hosts
30 # This rule should be altered (not here) if required to allow
31 # only specific hosts.
32 action: HORIZON_MEMCACHED_ENDPOINTS
33 500:
34 # Disable any other local traffic
35 rule: -o lo
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]36 action: REJECT
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]37 501:
38 # 501-503 disable private networks
Oleksii Molchanovd68289f2020-11-18 16:48:44 +0200[diff] [blame]39 rule: --dst 10.0.0.0/8
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]40 action: REJECT
41 502:
42 rule: --dst 172.16.0.0/12
43 action: REJECT
44 503:
45 rule: --dst 192.168.0.0/16
46 action: REJECT
47 504:
48 # Disable APIPA
49 rule: --dst 169.254.0.0/16
50 action: REJECT
51 1000:
52 # Accept any other traffic
53 # It should be external traffic only
54 action: ACCEPT
Dmitry Teselkin253fa802018-11-19 19:45:52 +0300[diff] [blame]55 HORIZON_OPENSTACK_ENDPOINTS:
56 ruleset:
57 10:
58 # Identity service (keystone) public endpoint
59 rule: -p tcp --dport 5000
60 action: ACCEPT
61 20:
62 # Orchestration (heat) endpoint
63 rule: -p tcp --dport 8004
64 action: ACCEPT
65 30:
66 # Compute (nova) endpoint
67 rule: -p tcp --dport 8774
68 action: ACCEPT
69 40:
70 # Block Storage (cinder) endpoint
71 rule: -p tcp --dport 8776
72 action: ACCEPT
73 50:
74 # Image service (glance) endpoint
75 rule: -p tcp --dport 9292
76 action: ACCEPT
77 60:
78 # Networking (neutron) endpoint
79 rule: -p tcp --dport 9696
80 action: ACCEPT
81 HORIZON_MEMCACHED_ENDPOINTS:
82 ruleset:
83 10:
84 rule: -p tcp --dport 11211
85 action: ACCEPT
86 1000:
87 action: RETURN
Dmitry Teselkind0e0d002018-11-21 17:28:33 +0300[diff] [blame]88 NAME_RESOLUTION:
89 ruleset:
90 10:
91 rule: -p udp --dport 53
92 action: ACCEPT
93 1000:
94 action: RETURN