forked from AppScale/gts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirewall.conf
executable file
·49 lines (38 loc) · 1.87 KB
/
firewall.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/bin/bash
# Flush any current firewall settings
iptables -F
# Allow all established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all loopback traffic
iptables -I INPUT 1 -i lo -j ACCEPT
# Allow all SSH traffic
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Allow for all traffic from anywhere for the following services
iptables -A INPUT -p tcp --dport 80 -j ACCEPT # nginx
iptables -A INPUT -p tcp --dport 443 -j ACCEPT # nginx (SSL)
iptables -A INPUT -p tcp --dport 2812 -j ACCEPT # monit dashboard
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT # ejabberd
iptables -A INPUT -p tcp --dport 5555 -j ACCEPT # Celery Flower
iptables -A INPUT -p tcp --dport 8080:8100 -j ACCEPT # nginx -> Google App Engine
iptables -A INPUT -p tcp --dport 4380:4400 -j ACCEPT # nginx -> Google App Engine (SSL)
iptables -A INPUT -p tcp --dport 17443 -j ACCEPT # AppController
iptables -A INPUT -p tcp --dport 4343 -j ACCEPT # UserAppServer
# Dashboard
# Note: If you are using Shibboleth for authentication, uncomment and edit the
# following two lines to restrict access to the dashboard.
# APPSCALE_DNS=dns-for-your-appscale-instance.com
# SHIBBOLETH_CONNECTOR=your-shibboleth-connector.com
if [ -n "$APPSCALE_DNS" ] && [ -n "$SHIBBOLETH_CONNECTOR" ]; then
DASHBOARD_SOURCE="-s ${APPSCALE_DNS},${SHIBBOLETH_CONNECTOR}"
fi
iptables -A INPUT ${DASHBOARD_SOURCE} -p tcp --dport 1080 -j ACCEPT
iptables -A INPUT ${DASHBOARD_SOURCE} -p tcp --dport 1443 -j ACCEPT
ALL_IPS_FILE=/etc/appscale/all_ips
MASTER_FILE=/etc/appscale/masters
SLAVES_FILE=/etc/appscale/slaves
# Allow any connections between AppScale nodes
cat $ALL_IPS_FILE $MASTER_FILE $SLAVES_FILE 2> /dev/null | sort -u | while read line; do
test -n "$line" && iptables -A INPUT -s ${line} -j ACCEPT
done
# Drop all other connections
iptables -A INPUT -j DROP