
Is it possible to tune UFW on Ubuntu 14.04 (12.04) to support IceHouse ?

asked 2014-05-27 21:52:51 -0500

dbaxps
I don't have Ubuntu boxes to check it for myself. However, I still think that, if UFW is a frontend for iptables, it may be tuned via the CLI to have the corresponding iptables rules open ports for OpenStack services, and Neutron in particular.
Or is the situation "UFW versus iptables firewall", like "firewalld versus ipv4 iptables firewall" on Fedora?

1 answer


answered 2014-05-27 22:04:03 -0500

don

I found that, since ufw creates rules on all interfaces, it was unsuitable for use on hosts running linuxbridge or openvswitch. It places your firewall rules on the internal networks causing trouble.

Instead I did this:

$ cat /etc/iptables.rules 
#!/bin/sh
iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# mosh
iptables -A INPUT -i eth0 -p udp -m multiport --dports 60000:60100 -j ACCEPT
# all icmp
iptables -A INPUT -i eth0 -p icmp -j ACCEPT
# our ssl port
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
# our ssh port
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
# drop the rest
iptables -A INPUT -i eth0 -j DROP

$ cat /etc/network/interfaces
# The primary network interface
auto eth0
iface eth0 inet static
        address MYIP
        netmask 255.255.255.248
        gateway MYGW
        dns-nameservers MYDNS
        pre-up /etc/iptables.rules

Now, when my eth0 comes up, it is firewalled, but only on that interface (-i eth0).


Comments

It's OK. How about this:

-A INPUT -s 192.168.1.127/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.1.127" -j ACCEPT
-A INPUT -s 192.168.1.137/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment "001 amqp incoming amqp_192.168.1.137" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8777 -m comment --comment "001 ceilometer-api incoming ceilometer_api" -j ACCEPT
-A INPUT -s 192.168.1.127/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.1.127" -j ACCEPT
-A INPUT -s 192.168.1.137/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment "001 cinder incoming cinder_192.168.1.137" -j ACCEPT
-A INPUT -s 192.168.1.127/32 -p tcp -m multiport --dports 9292 -m comment --comment "001 glance ...
dbaxps (2014-05-27 22:17:08 -0500)
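Combining the answer's interface-scoped pre-up approach with the peer-restricted service rules from the comment above, here is an added example script (not the answerer's /etc/iptables.rules and not part of this thread). It keeps all rules in a dedicated chain reached only from -i eth0 and loads them with iptables-restore --noflush, so re-running on every ifup neither duplicates rules nor flushes the chains Neutron and Nova maintain on the host. The interface name, the two peer addresses and the service ports are assumptions taken from the comment above.

```shell
#!/bin/sh
# Added example: interface-scoped OpenStack host firewall, idempotent on re-run.
# Assumed values (from the comment above): eth0, peers 192.168.1.127/.137, service ports.
IFACE="${IFACE:-eth0}"
PEERS="${PEERS:-192.168.1.127 192.168.1.137}"
CHAIN="OS-INPUT"

emit() { printf '%s\n' "$1"; }

# Print the filter-table fragment. Only the jump rule names the interface; every
# other rule lives in the dedicated chain, so br-int/br-ex traffic is never touched.
gen_rules() {
    emit '*filter'
    emit ":$CHAIN - [0:0]"                      # declared here so --noflush flushes it
    emit "-A INPUT -i $IFACE -j $CHAIN"
    emit "-A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    emit "-A $CHAIN -p icmp -j ACCEPT"
    emit "-A $CHAIN -p tcp --dport 22 -m comment --comment ssh -j ACCEPT"
    emit "-A $CHAIN -p tcp --dport 443 -m comment --comment ssl -j ACCEPT"
    # Control-plane services limited to known peers, as in the comment above.
    for peer in $PEERS; do
        emit "-A $CHAIN -s $peer/32 -p tcp -m multiport --dports 5671,5672 -m comment --comment amqp -j ACCEPT"
        emit "-A $CHAIN -s $peer/32 -p tcp -m multiport --dports 3260,8776 -m comment --comment cinder -j ACCEPT"
        emit "-A $CHAIN -s $peer/32 -p tcp -m multiport --dports 9292 -m comment --comment glance -j ACCEPT"
    done
    emit "-A $CHAIN -p tcp --dport 8777 -m comment --comment ceilometer-api -j ACCEPT"
    emit "-A $CHAIN -j DROP"                    # drop the rest, but only on $IFACE
    emit 'COMMIT'
}

# Idempotent load: delete any earlier jump(s) into our chain, then restore without
# flushing the table, so rules added by other agents on the host survive.
apply_rules() {
    while iptables -D INPUT -i "$IFACE" -j "$CHAIN" 2>/dev/null; do :; done
    gen_rules | iptables-restore --noflush
}

case "${1:-}" in
    apply) apply_rules ;;   # e.g. "pre-up /etc/iptables.rules apply" in /etc/network/interfaces
    *)     gen_rules ;;     # dry run: print the ruleset for review
esac
```

Run it without arguments first to review the generated ruleset; only the `apply` argument touches the live tables.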

Stats

Seen: 731 times

Last updated: May 27 '14