# Egress policy for the Horizon dashboard process.
#
# Every packet leaving this host that is owned by the "horizon" user is
# diverted from the OUTPUT chain into HORIZON_ACCESS_RULES, which only lets
# through loopback traffic, TCP to the OpenStack API endpoints on the two
# configured addresses, and TCP to memcached; everything else is rejected
# (slot 1000). The numeric keys under "ruleset" are slots; lower slots appear
# to be evaluated first (the reserved-range comments below rely on that) --
# confirm against the iptables formula that renders this data.
parameters:
  iptables:
    tables:
      v4:
        filter:
          chains:
            OUTPUT:
              ruleset:
                10:
                  # Only locally generated packets owned by uid "horizon" are
                  # subject to this policy; other users are not affected.
                  rule: -m owner --uid-owner horizon
                  action: HORIZON_ACCESS_RULES
            HORIZON_ACCESS_RULES:
              ruleset:
                10:
                  # Loopback is always allowed (local services, local resolver).
                  rule: -o lo
                  action: ACCEPT
                # Slots 11-99 are reserved for the traffic that can be accepted based on its
                # destination, e.g. targeted to / via public interface "outside"
                #
                # Slots 100-999 are reserved for the traffic that should be filtered
                # depending on its target port - this is all traffic that goes through internal
                # interfaces. At least you should override 'rule' for slot 100 to specify
                # internal interface on which the traffic should be filtered.
                #
                # These rules should be added / altered somewhere else where it is known what
                # interfaces are public / private.
                100:
                  # Allow publicURL endpoint(s)
                  # NOTE(review): if this parameter is a DNS name rather than an
                  # address, iptables resolves it once when the rule is loaded --
                  # confirm it is an IP in the deployments that use this class.
                  rule: -p tcp --dst ${_param:cluster_public_host}
                  action: HORIZON_OPENSTACK_ENDPOINTS
                101:
                  # Allow internalURL endpoint(s)
                  rule: -p tcp --dst ${_param:openstack_control_address}
                  action: HORIZON_OPENSTACK_ENDPOINTS
                120:
                  # No 'rule' key here, so every packet that reached this slot
                  # is handed to the memcached chain, which accepts TCP/11211
                  # regardless of destination. Override 'rule' with a --dst (or
                  # -o) restriction where the memcached address is known.
                  action: HORIZON_MEMCACHED_ENDPOINTS
                1000:
                  # Catch-all: anything not accepted above is rejected, which
                  # also covers non-TCP traffic (e.g. UDP name resolution to a
                  # non-loopback resolver) -- nothing in this file allows it, so
                  # such traffic must be permitted in an overriding class if needed.
                  action: REJECT
            HORIZON_OPENSTACK_ENDPOINTS:
              # Port allow-list for the OpenStack APIs; the chain has no explicit
              # RETURN, so a packet matching none of these ports falls back to
              # the calling chain and continues with the next slot there.
              ruleset:
                10:
                  # Identity service (keystone) public endpoint
                  rule: -p tcp --dport 5000
                  action: ACCEPT
                20:
                  # Orchestration (heat) endpoint
                  rule: -p tcp --dport 8004
                  action: ACCEPT
                30:
                  # Compute (nova) endpoint
                  rule: -p tcp --dport 8774
                  action: ACCEPT
                40:
                  # Block Storage (cinder) endpoint
                  rule: -p tcp --dport 8776
                  action: ACCEPT
                50:
                  # Image service (glance) endpoint
                  rule: -p tcp --dport 9292
                  action: ACCEPT
                60:
                  # Networking (neutron) endpoint
                  rule: -p tcp --dport 9696
                  action: ACCEPT
            HORIZON_MEMCACHED_ENDPOINTS:
              ruleset:
                10:
                  # memcached (session/cache backend); destination is not
                  # restricted here, see slot 120 of HORIZON_ACCESS_RULES.
                  rule: -p tcp --dport 11211
                  action: ACCEPT
                1000:
                  # Explicit return so non-memcached traffic continues in the caller.
                  action: RETURN