andrewklau/ovirt-engine-vdsm-iptables

## ovirt-engine-vdsm-iptables

# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -i lo -j ACCEPT

# engine
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5634:6166 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 49152:49216 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT


# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT

# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT

# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT

# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

# glusterd
-A INPUT -p tcp -m tcp --dport 24007 -j ACCEPT

# portmapper
-A INPUT -p udp -m udp --dport 111   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38466 -j ACCEPT

# nfs
-A INPUT -p tcp -m tcp --dport 111   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38467 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049  -j ACCEPT

# status
-A INPUT -p tcp -m tcp --dport 39543 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55863 -j ACCEPT

# nlockmgr
-A INPUT -p tcp -m tcp --dport 38468 -j ACCEPT
-A INPUT -p udp -m udp --dport 963   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 965   -j ACCEPT

# ctdbd
-A INPUT -p tcp -m tcp --dport 4379  -j ACCEPT

# smbd
-A INPUT -p tcp -m tcp --dport 139   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445   -j ACCEPT

# Ports for gluster volume bricks (default 100 ports)
-A INPUT -p tcp -m tcp --dport 24009:24108 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50152:50251 -j ACCEPT


# Reject any other input traffic
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
COMMIT

	# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	-A INPUT -i lo -j ACCEPT

	# engine
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
	-A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 662 -j ACCEPT
	-A INPUT -p udp -m state --state NEW -m udp --dport 662 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 875 -j ACCEPT
	-A INPUT -p udp -m state --state NEW -m udp --dport 875 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 892 -j ACCEPT
	-A INPUT -p udp -m state --state NEW -m udp --dport 892 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -j ACCEPT
	-A INPUT -p udp -m state --state NEW -m udp --dport 32769 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 32803 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 5634:6166 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 49152:49216 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
	-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT



	# vdsm
	-A INPUT -p tcp --dport 54321 -j ACCEPT
	# SSH
	-A INPUT -p tcp --dport 22 -j ACCEPT
	# snmp
	-A INPUT -p udp --dport 161 -j ACCEPT

	# libvirt tls
	-A INPUT -p tcp --dport 16514 -j ACCEPT

	# guest consoles
	-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT

	# migration
	-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

	# glusterd
	-A INPUT -p tcp -m tcp --dport 24007 -j ACCEPT

	# portmapper
	-A INPUT -p udp -m udp --dport 111 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38465 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38466 -j ACCEPT

	# nfs
	-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38467 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT

	# status
	-A INPUT -p tcp -m tcp --dport 39543 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 55863 -j ACCEPT

	# nlockmgr
	-A INPUT -p tcp -m tcp --dport 38468 -j ACCEPT
	-A INPUT -p udp -m udp --dport 963 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 965 -j ACCEPT

	# ctdbd
	-A INPUT -p tcp -m tcp --dport 4379 -j ACCEPT

	# smbd
	-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT

	# Ports for gluster volume bricks (default 100 ports)
	-A INPUT -p tcp -m tcp --dport 24009:24108 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 50152:50251 -j ACCEPT


	# Reject any other input traffic
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited
	COMMIT