default is all ACCEPT
Signed-off-by: Alan Pevec <apevec at redhat.com>
---
 common-post.ks | 24 ++++++++++++++++++++++++
 1 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/common-post.ks b/common-post.ks
index 2734004..8a4940a 100644
--- a/common-post.ks
+++ b/common-post.ks
@@ -80,6 +80,30 @@ cat > /etc/sysconfig/iptables << \EOF
 -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
 COMMIT
 EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# anyterm
+-A INPUT -p tcp --dport 81 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5800:6000 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
 # remove errors from /sbin/dhclient-script
 DHSCRIPT=/sbin/dhclient-script
-- 
1.6.0.6
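Review bot: The new ip6tables rules accept libvirt (16509), anyterm (81), the guest-console range 5800:6000 and the migration range 49152:49216 from any IPv6 source, and IPv6 addresses are often globally routable with no NAT in front of the node, so these management services may be reachable more widely than their IPv4 counterparts. 16509 is libvirt's plain-TCP listener (TLS is 16514), and whether authentication is enforced on it is not visible in this hunk. Consider scoping each ACCEPT to the management network, e.g. `-A INPUT -s <MGMT_PREFIX_PLACEHOLDER> -p tcp --dport 16509 -j ACCEPT`, and setting `:INPUT DROP [0:0]` so the chain fails closed if the trailing REJECT is ever edited out. The leading comment would also read more accurately as `# configure IPv6 firewall: chain policies are ACCEPT, INPUT ends with an explicit REJECT`, since "default is all ACCEPT" suggests unfiltered input.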