openstack/project-config
Code Issues Proposed changes
Files
de75db6d95361f955ea14647cd3399e4c50f6caa
project-config/nodepool/elements/nodepool-base/install.d/20-iptables
Colleen Murphy 587b85ba36 Use iptables for openSUSE 
In openSUSE Tumbleweed, the SuSEfirewall2 package was removed in favor
of firewalld[1]. This commit updates the openSUSE nodeset to use plain
iptables rather than injecting iptables rules into the SuSEfirewall2
service. This will work on both Tumbleweed and Leap nodesets.

openSUSE provides no iptables-service package the way the RHEL family
does, so we can't fall back to that. Rather than try to convert iptables
rules to firewalld syntax, this change leverages init.d to ensure
iptables rules are loaded at boot. The 89-unbound script has been
coopted for this purpose since it already creates
/etc/init.d/boot.local. Switched from `dd` to `cat` which makes
conditionally composing the file more natural.

[1] https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html

Change-Id: Ia2b72e25078efa68019f1bf7c7a0b77e6ff702fd
2019-09-20 12:05:09 -07:00

93 lines
3.4 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
# implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
# dib-lint: disable=setu setpipefail
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -e
if [[ "$DISTRO_NAME" =~ (debian|ubuntu) ]] ; then
rules_dir=/etc/iptables
ipv4_rules=${rules_dir}/rules.v4
ipv6_rules=${rules_dir}/rules.v6
elif [[ "$DISTRO_NAME" =~ (centos|rhel7|fedora) ]] ; then
rules_dir=/etc/sysconfig
ipv4_rules=${rules_dir}/iptables
ipv6_rules=${rules_dir}/ip6tables
elif [[ "$DISTRO_NAME" =~ 'opensuse' ]] ; then
rules_dir=/etc/sysconfig
ipv4_rules=${rules_dir}/iptables
ipv6_rules=${rules_dir}/ip6tables
elif [[ "$DISTRO_NAME" =~ 'gentoo' ]] ; then
rules_dir=/var/lib/iptables # not needed, part of the package install
ipv4_rules=/var/lib/iptables/rules-save
ipv6_rules=/var/lib/ip6tables/rules-save
else
echo "Unsupported operating system $DISTRO_NAME"
exit 1
fi
mkdir -p $rules_dir
cat > $ipv4_rules << EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
# SSH from anywhere without -m state to avoid hanging connections on iptables-restore
-A openstack-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Public TCP ports
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
# Ports 69 and 6385 allow to allow ironic VM nodes to reach tftp and
# the ironic API from the neutron public net
-A openstack-INPUT -s 172.24.4.0/23 -p udp -m udp --dport 69 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 6385 -j ACCEPT
# Ports 80, 8000, 8003, 8004 from the devstack neutron public net to allow
# nova servers to reach heat-api-cfn, heat-api-cloudwatch, heat-api
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 80 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8000 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8003 -j ACCEPT
-A openstack-INPUT -s 172.24.4.0/23 -p tcp -m tcp --dport 8004 -j ACCEPT
-A openstack-INPUT -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: "
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > $ipv6_rules << EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p ipv6-icmp -j ACCEPT
# SSH from anywhere without -m state to avoid hanging connections on iptables-restore
-A openstack-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A openstack-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Public TCP ports
-A openstack-INPUT -p tcp -m state --state NEW -m tcp --dport 19885 -j ACCEPT
-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
EOF
View Git Blame Copy Permalink