stulevine/gist:6282415

## gistfile1.txt
Now fixed via NJ Router ACL additions this morning and my iptables lbaas1 additions below (lbaas2 & 3 need these as well):

root@lbaas1.lga11 /home/slevine # iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 74.63.39.138/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.170.149.250/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 173.231.130.227/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i eth1 -p tcp -j ACCEPT
-A INPUT -i lo -p tcp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

So, when you create your LBaaS magic sauce script, please include these additions.  BTW, I wonder how difficult it would be to install and use the multiport module for iptables.  If it is installed, then you can specify multiple ports via --dports and consolidate multiple lines into one.  so for example, we could consolidate the first five lines for hapi1 via:

-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dports 80,443,9070,9080,9090 -j ACCEPT

Your thoughts?

Stuart
	Now fixed via NJ Router ACL additions this morning and my iptables lbaas1 additions below (lbaas2 & 3 need these as well):

	root@lbaas1.lga11 /home/slevine # iptables -S
	-P INPUT ACCEPT
	-P FORWARD ACCEPT
	-P OUTPUT ACCEPT
	-A INPUT -s 74.63.39.138/32 -p tcp -m tcp --dport 22 -j ACCEPT
	-A INPUT -s 192.170.149.250/32 -p tcp -m tcp --dport 22 -j ACCEPT
	-A INPUT -s 173.231.130.227/32 -p tcp -m tcp --dport 22 -j ACCEPT
	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
	-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
	-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
	-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
	-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
	-A INPUT -s 74.201.59.62/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
	-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 80 -j ACCEPT
	-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 443 -j ACCEPT
	-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9070 -j ACCEPT
	-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9080 -j ACCEPT
	-A INPUT -s 74.201.59.63/32 -d 192.170.150.66/32 -p tcp -m tcp --dport 9090 -j ACCEPT
	-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p icmp -j ACCEPT
	-A INPUT -i eth1 -p tcp -j ACCEPT
	-A INPUT -i lo -p tcp -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 22 -j DROP
	-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

	So, when you create your LBaaS magic sauce script, please include these additions. BTW, I wonder how difficult it would be to install and use the multiport module for iptables. If it is installed, then you can specify multiple ports via --dports and consolidate multiple lines into one. so for example, we could consolidate the first five lines for hapi1 via:

	-A INPUT -s 74.201.59.61/32 -d 192.170.150.66/32 -p tcp -m tcp --dports 80,443,9070,9080,9090 -j ACCEPT

	Your thoughts?

	Stuart