Mike Burns
2011-Jul-22 21:21 UTC
[Ovirt-devel] [PATCH node 1/2] add firewall config to upstream recipe
Signed-off-by: Mike Burns <mburns at redhat.com>
---
 recipe/ovirt15-post.ks | 54 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 54 insertions(+), 0 deletions(-)
diff --git a/recipe/ovirt15-post.ks b/recipe/ovirt15-post.ks
index 8da83dd..421a2cc 100644
--- a/recipe/ovirt15-post.ks
+++ b/recipe/ovirt15-post.ks
@@ -85,3 +85,57 @@ WantedBy=multi-user.target
 EOF_firstboot
 systemctl enable ovirt-firstboot.service >/dev/null 2>&1
+
+
+echo "Configuring IPTables"
+# here, we need to punch the appropriate holes in the firewall
+cat > /etc/sysconfig/iptables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+#
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
+COMMIT
+EOF
+# configure IPv6 firewall, default is all ACCEPT
+cat > /etc/sysconfig/ip6tables << \EOF
+# oVirt automatically generated firewall configuration
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+-A INPUT -p ipv6-icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+# libvirt
+-A INPUT -p tcp --dport 16509 -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# guest consoles
+-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT
+# migration
+-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT
+# snmp
+-A INPUT -p udp --dport 161 -j ACCEPT
+# unblock ipv6 dhcp response
+-A INPUT -p udp --dport 546 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
+-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT
+EOF
-- 
1.7.4.4
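Review bot: The `# libvirt` rule in both rulesets opens TCP 16509 from any source, and 16509 is libvirtd's default unencrypted (non-TLS) TCP transport — the TLS listener is 16514 — so whoever can reach the node talks to libvirtd protected only by whatever `auth_tcp` setting libvirtd.conf applies, which this hunk neither configures nor documents; the rule should at least state that dependency, e.g. `# libvirt: plain TCP (no TLS) - relies on auth_tcp=sasl in libvirtd.conf; restrict to the management network if known`, and ideally carry a `-s <mgmt-net>` source match. The same any-source exposure applies to udp/161 (SNMP community strings) and the 5634:6166 console range, whose authentication is entirely up to the hypervisor configuration. Separately, writing `/etc/sysconfig/iptables` and `/etc/sysconfig/ip6tables` only takes effect if iptables.service and ip6tables.service run at boot, and the only enable visible here is `systemctl enable ovirt-firstboot.service`; if the recipe does not enable them elsewhere, add `systemctl enable iptables.service ip6tables.service >/dev/null 2>&1` after the second heredoc. The `%post` section this hunk extends starts outside the hunk.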