opendev/puppet-iptables
Code Issues Proposed changes
puppet-iptables/templates/rules.erb
K Jonathan Harker d921031e8a Parameterize SNMP source hosts 
Downstream consumers of this module likely don't need or want to open
snmp access from cacti.openstack.org. Parameterize the hosts to allow
snmp from so that downstreams don't have to fork the module in order to
remove the access.

Change-Id: I9394982811f8dcf0d63eccb782de04bf4a047ec7
2016-08-29 16:28:54 -07:00

31 lines
1009 B
Plaintext
Raw Blame History

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:openstack-INPUT - [0:0]
-A INPUT -j openstack-INPUT
-A openstack-INPUT -i lo -j ACCEPT
-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from anywhere
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# SNMP
<% @snmp_v4hosts.each do |host| -%>
-A openstack-INPUT -m udp -p udp --dport 161 -s <%= host %> -j ACCEPT
<% end -%>
# Public TCP ports
<% @public_tcp_ports.each do |port| -%>
-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
<% end -%>
# Public UDP ports
<% @public_udp_ports.each do |port| -%>
-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
<% end -%>
# Per-host rules
<% @rules4.each do |rule| -%>
-A openstack-INPUT <%= rule %>
<% end -%>
-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
View Git Blame Copy Permalink