Attachment 902597 Details for Bug 1105248 – iptables

iptables

myiptables.txt (text/plain), 7.76 KB, created by yfried on 2014-06-05 16:48:30 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: yfried

Created: 2014-06-05 16:48:30 UTC

Size: 7.76 KB

patch

obsolete

># Generated by iptables-save v1.4.21 on Thu Jun  5 19:44:53 2014
>*mangle
>:PREROUTING ACCEPT [3612155:3275080434]
>:INPUT ACCEPT [3584445:3271541140]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [3504755:3180241049]
>:POSTROUTING ACCEPT [3504757:3180241181]
>:nova-api-POSTROUTING - [0:0]
>-A POSTROUTING -j nova-api-POSTROUTING
>COMMIT
># Completed on Thu Jun  5 19:44:53 2014
># Generated by iptables-save v1.4.21 on Thu Jun  5 19:44:53 2014
>*nat
>:PREROUTING ACCEPT [43745:5722024]
>:INPUT ACCEPT [5928:362217]
>:OUTPUT ACCEPT [46527:2832430]
>:POSTROUTING ACCEPT [46527:2832430]
>:neutron-openvswi-OUTPUT - [0:0]
>:neutron-openvswi-POSTROUTING - [0:0]
>:neutron-openvswi-PREROUTING - [0:0]
>:neutron-openvswi-float-snat - [0:0]
>:neutron-openvswi-snat - [0:0]
>:neutron-postrouting-bottom - [0:0]
>:nova-api-OUTPUT - [0:0]
>:nova-api-POSTROUTING - [0:0]
>:nova-api-PREROUTING - [0:0]
>:nova-api-float-snat - [0:0]
>:nova-api-snat - [0:0]
>:nova-postrouting-bottom - [0:0]
>-A PREROUTING -j neutron-openvswi-PREROUTING
>-A PREROUTING -j nova-api-PREROUTING
>-A OUTPUT -j neutron-openvswi-OUTPUT
>-A OUTPUT -j nova-api-OUTPUT
>-A POSTROUTING -j neutron-openvswi-POSTROUTING
>-A POSTROUTING -j neutron-postrouting-bottom
>-A POSTROUTING -j nova-api-POSTROUTING
>-A POSTROUTING -j nova-postrouting-bottom
>-A neutron-openvswi-snat -j neutron-openvswi-float-snat
>-A neutron-postrouting-bottom -j neutron-openvswi-snat
>-A nova-api-snat -j nova-api-float-snat
>-A nova-postrouting-bottom -j nova-api-snat
>COMMIT
># Completed on Thu Jun  5 19:44:53 2014
># Generated by iptables-save v1.4.21 on Thu Jun  5 19:44:53 2014
>*filter
>:INPUT DROP [815:246916]
>:FORWARD ACCEPT [0:0]
>:OUTPUT ACCEPT [764958:653232043]
>:neutron-filter-top - [0:0]
>:neutron-openvswi-FORWARD - [0:0]
>:neutron-openvswi-INPUT - [0:0]
>:neutron-openvswi-OUTPUT - [0:0]
>:neutron-openvswi-local - [0:0]
>:neutron-openvswi-sg-chain - [0:0]
>:neutron-openvswi-sg-fallback - [0:0]
>:nova-api-FORWARD - [0:0]
>:nova-api-INPUT - [0:0]
>:nova-api-OUTPUT - [0:0]
>:nova-api-local - [0:0]
>:nova-filter-top - [0:0]
>-A INPUT -j neutron-openvswi-INPUT
>-A INPUT -j nova-api-INPUT
>-A INPUT -p udp -m udp --dport 4789 -j ACCEPT
>-A INPUT -p tcp -m tcp --dport 22 -m comment --comment "001 QA incoming SSH" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.21" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_10.35.160.27" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_10.35.160.27" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance incoming glance_10.35.160.27" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 80 -m comment --comment "001 horizon 80  incoming" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 5000,35357 -m comment --comment "001 keystone incoming keystone" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p tcp -m multiport --dports 27017 -m comment --comment "001 mongodb-server incoming swift_storage_and_rsync_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.35.160.21" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p tcp -m multiport --dports 3306 -m comment --comment "001 mysql incoming mysql_10.35.160.27" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_server_10.35.160.21_10.35.160.21" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_server_10.35.160.21_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_server_10.35.160.21_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_server_10.35.160.21_10.35.160.27" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.21_10.35.160.21" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.21_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.21_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p udp -m multiport --dports 4789 -m comment --comment "001 neutron tunnel port incoming neutron_tunnel_10.35.160.21_10.35.160.27" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 8773,8774,8775 -m comment --comment "001 novaapi incoming" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 6080 -m comment --comment "001 novncproxy incoming" -j ACCEPT
>-A INPUT -p tcp -m multiport --dports 8080 -m comment --comment "001 swift proxy incoming" -j ACCEPT
>-A INPUT -s 10.35.160.21/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.21" -j ACCEPT
>-A INPUT -s 10.35.160.23/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.23" -j ACCEPT
>-A INPUT -s 10.35.160.25/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.25" -j ACCEPT
>-A INPUT -s 10.35.160.27/32 -p tcp -m multiport --dports 6000,6001,6002,873 -m comment --comment "001 swift storage and rsync incoming swift_storage_and_rsync_10.35.160.27" -j ACCEPT
>-A INPUT -p icmp -m comment --comment "002 QA incoming ICMP" -j ACCEPT
>-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "003 QA incoming related session exist the host" -j ACCEPT
>-A INPUT -i lo -m comment --comment "004 QA incoming loopback" -j ACCEPT
>-A INPUT -p udp -m udp --sport 53 -m comment --comment "005 QA incoming DNS" -j ACCEPT
>-A INPUT -p udp -m udp --sport 123 -m comment --comment "006 QA incoming NTP" -j ACCEPT
>-A FORWARD -j neutron-filter-top
>-A FORWARD -j neutron-openvswi-FORWARD
>-A FORWARD -j nova-filter-top
>-A FORWARD -j nova-api-FORWARD
>-A OUTPUT -j neutron-filter-top
>-A OUTPUT -j neutron-openvswi-OUTPUT
>-A OUTPUT -j nova-filter-top
>-A OUTPUT -j nova-api-OUTPUT
>-A neutron-filter-top -j neutron-openvswi-local
>-A neutron-openvswi-sg-fallback -j DROP
>-A nova-api-INPUT -d 10.35.160.21/32 -p tcp -m tcp --dport 8775 -j ACCEPT
>-A nova-filter-top -j nova-api-local
>COMMIT
># Completed on Thu Jun  5 19:44:53 2014

Actions: View

Attachments on bug 1105248: 902597