255 lines
6.1 KiB
Puppet
255 lines
6.1 KiB
Puppet
|
|
class openstack::firewall (
|
|
$ssh_port = 22,
|
|
$http_port = 80,
|
|
$https_port = 443,
|
|
$mysql_port = 3306,
|
|
$mysql_backend_port = 3307,
|
|
$mysql_gcomm_port = 4567,
|
|
$galera_ist_port = 4568,
|
|
$galera_clustercheck_port = 49000,
|
|
$swift_proxy_check_port = 49001,
|
|
$keystone_public_port = 5000,
|
|
$swift_proxy_port = 8080,
|
|
$swift_object_port = 6000,
|
|
$swift_container_port = 6001,
|
|
$swift_account_port = 6002,
|
|
$keystone_admin_port = 35357,
|
|
$glance_api_port = 9292,
|
|
$glance_reg_port = 9191,
|
|
$glance_nova_api_ec2_port = 8773,
|
|
$nova_api_compute_port = 8774,
|
|
$nova_api_metadata_port = 8775,
|
|
$nova_api_volume_port = 8776,
|
|
$nova_vncproxy_port = 6080,
|
|
$nova_vnc_ip_range = '0.0.0.0/0',
|
|
$erlang_epmd_port = 4369,
|
|
$erlang_rabbitmq_port = 5672,
|
|
$erlang_rabbitmq_backend_port = 5673,
|
|
$erlang_inet_dist_port = 41055,
|
|
$memcached_port = 11211,
|
|
$rsync_port = 873,
|
|
$iscsi_port = 3260,
|
|
$neutron_api_port = 9696,
|
|
$dns_server_port = 53,
|
|
$dhcp_server_port = 67,
|
|
$ntp_server_port = 123,
|
|
$corosync_input_port = 5404,
|
|
$corosync_output_port = 5405,
|
|
$pcsd_port = 2224,
|
|
$openvswitch_db_port = 58882,
|
|
$libvirt_port = 16509,
|
|
$nrpe_server_port = 5666,
|
|
$ceilometer_port = 8777,
|
|
$mongodb_port = 27017,
|
|
) {
|
|
|
|
# file {"iptables":
|
|
# path => $operatingsystem ? {
|
|
# /(Debian|Ubuntu)/ => '/etc/network/rules.v4',
|
|
# /(RedHat|CentOS)/ => '/etc/sysconfig/iptables',
|
|
# },
|
|
# source => "puppet:///modules/openstack/iptables"
|
|
# }->
|
|
#
|
|
# exec { 'startup-firewall':
|
|
# command => $operatingsystem ? {
|
|
# /(Debian|Ubuntu)/ => '/sbin/iptables-restore /etc/network/rules.v4',
|
|
# /(RedHat|CentOS)/ => '/sbin/iptables-restore /etc/sysconfig/iptables',
|
|
# }
|
|
# }
|
|
# }
|
|
|
|
class {'::firewall':}
|
|
|
|
firewall { "000 accept all icmp requests":
|
|
proto => 'icmp',
|
|
action => 'accept',
|
|
}->
|
|
|
|
firewall { '001 accept all to lo interface':
|
|
proto => 'all',
|
|
iniface => 'lo',
|
|
action => 'accept',
|
|
}->
|
|
|
|
firewall { '002 accept related established rules':
|
|
proto => 'all',
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'020 ssh':
|
|
port => $ssh_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
|
|
firewall { '100 http':
|
|
port => [$http_port, $https_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'101 mysql':
|
|
port => [$mysql_port, $mysql_backend_port, $mysql_gcomm_port, $galera_ist_port, $galera_clustercheck_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'102 keystone':
|
|
port => [$keystone_public_port,$keystone_admin_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'103 swift':
|
|
port => [$swift_proxy_port, $swift_object_port, $swift_container_port,
|
|
$swift_account_port, $swift_proxy_check_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'104 glance':
|
|
port => [$glance_api_port, $glance_reg_port, $glance_nova_api_ec2_port,],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'105 nova ':
|
|
port => [$nova_api_compute_port,$nova_api_metadata_port,$nova_api_volume_port, $nova_vncproxy_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'106 rabbitmq ':
|
|
port => [$erlang_epmd_port, $erlang_rabbitmq_port, $erlang_rabbitmq_backend_port, $erlang_inet_dist_port],
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'107 memcached tcp':
|
|
port => $memcached_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'107 memcached udp':
|
|
port => $memcached_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'108 rsync':
|
|
port => $rsync_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'109 iscsi ':
|
|
port => $iscsi_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'110 neutron ':
|
|
port => $neutron_api_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'111 dns-server':
|
|
port => $dns_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'111 dhcp-server':
|
|
port => $dhcp_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'112 ntp-server':
|
|
port => $ntp_server_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'113 corosync-input':
|
|
port => $corosync_input_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'114 corosync-output':
|
|
port => $corosync_output_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'115 pcsd-server':
|
|
port => $pcsd_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'116 openvswitch db':
|
|
port => $openvswitch_db_port,
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'117 nrpe-server':
|
|
port => $nrpe_server_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'118 libvirt':
|
|
port => $libvirt_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'119 libvirt migration':
|
|
port => '49152-49215',
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'120 vnc ports':
|
|
port => '5900-6100',
|
|
proto => 'tcp',
|
|
source => $nova_vnc_ip_range,
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall {'121 ceilometer':
|
|
port => $ceilometer_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '333 notrack gre':
|
|
chain => 'PREROUTING',
|
|
table => 'raw',
|
|
proto => 'gre',
|
|
jump => 'NOTRACK',
|
|
}
|
|
|
|
firewall { '334 accept gre':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'gre',
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '999 drop all other requests':
|
|
proto => 'all',
|
|
chain => 'INPUT',
|
|
action => 'drop',
|
|
}
|
|
}
|