andrewklau/ovirt-hosted-engine-iptables

## ovirt-hosted-engine-iptables
# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A INPUT -i lo -j ACCEPT

# vdsm
-A INPUT -p tcp --dport 54321 -j ACCEPT
# SSH
-A INPUT -p tcp --dport 22 -j ACCEPT
# snmp
-A INPUT -p udp --dport 161 -j ACCEPT

# libvirt tls
-A INPUT -p tcp --dport 16514 -j ACCEPT

# guest consoles
-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT

# VNC hosted-engine
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT

# migration
-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

# glusterd
-A INPUT -p tcp -m multiport --dport 24007:24008 -j ACCEPT

# gluster nfs
-A INPUT -p tcp -m multiport --dport 34865:34867 -j ACCEPT

# portmapper
-A INPUT -p udp -m udp --dport 111   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38466 -j ACCEPT

# nfs
-A INPUT -p tcp -m tcp --dport 111   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 38467 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049  -j ACCEPT

# status
-A INPUT -p tcp -m tcp --dport 39543 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 55863 -j ACCEPT

# nlockmgr
-A INPUT -p tcp -m tcp --dport 38468 -j ACCEPT
-A INPUT -p udp -m udp --dport 963   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 965   -j ACCEPT

# ctdbd
-A INPUT -p tcp -m tcp --dport 4379  -j ACCEPT

# smbd
-A INPUT -p tcp -m tcp --dport 139   -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445   -j ACCEPT

# Ports for gluster volume bricks (default 100 ports)
-A INPUT -p tcp -m tcp --dport 24009:24108 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50152:50251 -j ACCEPT

# Allow keepalived protocol
-I INPUT -p vrrp -j ACCEPT
	# oVirt default firewall configuration. Automatically generated by vdsm bootstrap script.
	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	-A INPUT -i lo -j ACCEPT

	# vdsm
	-A INPUT -p tcp --dport 54321 -j ACCEPT
	# SSH
	-A INPUT -p tcp --dport 22 -j ACCEPT
	# snmp
	-A INPUT -p udp --dport 161 -j ACCEPT

	# libvirt tls
	-A INPUT -p tcp --dport 16514 -j ACCEPT

	# guest consoles
	-A INPUT -p tcp -m multiport --dports 5634:6166 -j ACCEPT

	# VNC hosted-engine
	-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT

	# migration
	-A INPUT -p tcp -m multiport --dports 49152:49216 -j ACCEPT

	# glusterd
	-A INPUT -p tcp -m multiport --dport 24007:24008 -j ACCEPT

	# gluster nfs
	-A INPUT -p tcp -m multiport --dport 34865:34867 -j ACCEPT

	# portmapper
	-A INPUT -p udp -m udp --dport 111 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38465 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38466 -j ACCEPT

	# nfs
	-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 38467 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT

	# status
	-A INPUT -p tcp -m tcp --dport 39543 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 55863 -j ACCEPT

	# nlockmgr
	-A INPUT -p tcp -m tcp --dport 38468 -j ACCEPT
	-A INPUT -p udp -m udp --dport 963 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 965 -j ACCEPT

	# ctdbd
	-A INPUT -p tcp -m tcp --dport 4379 -j ACCEPT

	# smbd
	-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT

	# Ports for gluster volume bricks (default 100 ports)
	-A INPUT -p tcp -m tcp --dport 24009:24108 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 50152:50251 -j ACCEPT

	# Allow keepalived protocol
	-I INPUT -p vrrp -j ACCEPT