# Copyright (C) 2020 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation, either version 3 of the License, or (at your option) any later
# version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
# PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, see <https://www.gnu.org/licenses/>.
# Configure iptables on the cluster so that, apart from inbound SSH (which the
# rules below leave reachable from any address), only local private network
# traffic is accepted. We don't want the internet to have access to the cluster
# services.
# Although Ceph **is** configured to have its cluster_network/public_network on
# the Linode private LAN, some services still listen on all interfaces
# including grafana, prometheus, and the crash daemons.
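---
# Lock the IPv4 INPUT chain down to: loopback, already-established flows,
# inbound SSH, and the private LAN. Everything else - including grafana,
# prometheus and the crash daemons, which bind on all interfaces - is dropped.
- hosts: all
  become: true
  tasks:
    - name: install iptables-services
      yum:
        name: iptables-services
        state: latest

    # firewalld is stopped and masked, not merely disabled: cephadm opens the
    # monitoring ports in firewalld when it detects it, and a running firewalld
    # plus our own iptables rules makes the cluster unreachable during cephadm
    # bootstrap. Masking also keeps a later package install from starting it
    # again behind our back.
    - name: disable and mask firewalld
      systemd:
        name: firewalld.service
        state: stopped
        enabled: false
        masked: true

    - name: enable iptables-services
      systemd:
        name: iptables.service
        state: started
        enabled: true

    # Rebuild order matters so we never lock ourselves out mid-run: open the
    # policy first, flush, append the ACCEPT rules, then close the policy.
    - name: set INPUT policy to ACCEPT while rules are rebuilt
      iptables:
        chain: INPUT
        policy: ACCEPT

    - name: flush INPUT chain
      iptables:
        chain: INPUT
        flush: true

    # Match the loopback interface rather than a 127.0.0.0/8 source address:
    # a local client talking to one of the host's own non-loopback addresses
    # also arrives on lo, but with a non-127 source, and would otherwise hit
    # the DROP policy.
    - name: accept loopback traffic
      iptables:
        chain: INPUT
        in_interface: lo
        jump: ACCEPT
        comment: Allow localhost traffic.

    - name: accept existing connections
      iptables:
        chain: INPUT
        ctstate: ESTABLISHED,RELATED
        jump: ACCEPT
        comment: Accept existing connections.

    # SSH is deliberately reachable from anywhere; it is the only service this
    # ruleset exposes to the internet. ssh_port can be set in the inventory
    # when sshd does not listen on 22 (default() keeps inventory precedence).
    - name: accept new SSH connections
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ ssh_port | default(22) }}"
        ctstate: NEW
        syn: match
        jump: ACCEPT
        comment: Accept new SSH connections.

    # NOTE(review): this trusts every address in the range, not just the
    # cluster's own nodes. If the private LAN is shared with other tenants,
    # narrow trusted_source_networks (inventory var) to the cluster hosts.
    - name: accept traffic from trusted private networks
      iptables:
        chain: INPUT
        source: "{{ item }}"
        jump: ACCEPT
        comment: Allow private ip traffic.
      loop: "{{ trusted_source_networks | default(['192.168.0.0/16']) }}"

    - name: set INPUT policy to DROP
      iptables:
        chain: INPUT
        policy: DROP

    # NOTE(review): only the IPv4 tables are configured. If these hosts also
    # carry a routable IPv6 address, the all-interface listeners remain
    # reachable over IPv6 until an equivalent ip6tables ruleset is applied.
    # The save needs no shell features, so run it directly with command.
    - name: persist iptables rules across reboots
      command: /usr/libexec/iptables/iptables.init save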