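# {{ ansible_managed }}
#
# iptables-restore ruleset (filter table) rendered by Ansible.
# Tunables (all optional, from host/group vars):
#   blocked_ips  - list of source addresses/networks to DROP unconditionally
#   tcp_ports    - list of TCP ports to open to ALL sources
#   udp_ports    - list of UDP ports to open to ALL sources
#   custom_rules - raw iptables rule lines inserted verbatim
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# allow ping and traceroute
-A INPUT -p icmp -j ACCEPT

# localhost is fine
-A INPUT -i lo -j ACCEPT

# if blocked_ips is defined - drop them.
# These DROPs must sit BEFORE the RELATED,ESTABLISHED accept below: iptables
# is first-match, so a DROP placed after that rule never sees packets of a
# connection the blocked host already has open, and the block would only take
# effect once that connection ended.
{% if blocked_ips is defined %}
{% for ip in blocked_ips %}
-A INPUT -s {{ ip }} -j DROP
{% endfor %}
{% endif %}

# Established connections allowed
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# OUTPUT policy is ACCEPT above, so this rule is effectively a no-op; kept
# so the ruleset stays correct if that policy is ever tightened.
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# allow ssh - always (no source restriction)
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT

# allow incoming gre
# openstack needs this to handle external ips right
-A INPUT -p gre -m comment --comment "001 neutron tunnel port incoming neutron_tunnel" -j ACCEPT

# compute nodes need to allow vnc ports from the controller
# NOTE(review): controller address is hard-coded here; consider sourcing it
# from inventory so a controller move does not require editing this template.
-A INPUT -s 172.24.0.9 -p tcp -m tcp --dport 5900:6900 -j ACCEPT

# for nrpe - allow it from nocs
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 192.168.1.166 -j ACCEPT
# FIXME - this is the global nat-ip and we need the noc01-specific ip
# (until fixed, every host behind that NAT can reach nrpe, not just noc01)
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.102 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 209.132.181.35 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.41 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5666 -s 10.5.126.241 -j ACCEPT

# if the host/group defines incoming tcp_ports - allow them.
# No -s match: these ports are opened to every source. Use custom_rules
# for anything that should be restricted to particular networks.
{% if tcp_ports is defined %}
{% for port in tcp_ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# if the host/group defines incoming udp_ports - allow them (all sources, as above)
{% if udp_ports is defined %}
{% for port in udp_ports %}
-A INPUT -p udp -m udp --dport {{ port }} -j ACCEPT
{% endfor %}
{% endif %}

# if there are custom rules - put them in as-is.
# Entries are inserted verbatim and unescaped, so they must only come from
# trusted inventory; a malformed entry is expected to make iptables-restore
# reject the whole file.
{% if custom_rules is defined %}
{% for rule in custom_rules %}
{{ rule }}
{% endfor %}
{% endif %}

# otherwise kick everything out
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT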