iptables: add some missing rules

2021-03-21 12:01:56 +01:00 · 2021-03-21 12:01:56 +01:00 · 691c3e7bc2
commit 691c3e7bc2
parent 087bc4c669
2 changed files with 20 additions and 0 deletions
--- a/nodes/home/nas.py
+++ b/nodes/home/nas.py
@ -48,6 +48,15 @@ nodes['home.nas'] = {
        'groups': {
            'nas': {},
        },
+        'iptables': {
+            'custom_rules': [
+                # Dell ULNM
+                'iptables -A INPUT -p tcp --dport 4679 -j ACCEPT',
+                # mosquitto
+                'iptables_both -A INPUT -p tcp --dport 1883 -j ACCEPT',
+                'iptables_both -A INPUT -p tcp --dport 8083 -j ACCEPT',
+            ],
+        },
        'nfs-server': {
            'shares': {
                '/storage/nas': {
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@ -128,6 +128,17 @@ nodes['htz.ex42-1048908'] = {
                'iptables_both -A INPUT -p udp --dport 60000:61000 -j ACCEPT', # mosh
                'iptables_both -A INPUT -p tcp --dport 9001 -j ACCEPT', # weechat
                'iptables_both -A INPUT -p tcp --dport 113 -j ACCEPT', # oidentd
+
+                # libvirt rules. These are also added by libvirt itself,
+                # but they would be overridden by our own iptables
+                # management.
+                'iptables -A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT',
+                'iptables -A INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT',
+                'iptables -A INPUT -i virbr0 -p udp --dport 67:68 -j ACCEPT',
+                'iptables -A INPUT -i virbr0 -p tcp --dport 67:68 -j ACCEPT',
+                'iptables -A FORWARD -i virbr0 -j ACCEPT',
+                'iptables -A FORWARD -o virbr0 -j ACCEPT',
+                'iptables -t nat -A POSTROUTING -o enp0s31f6 -j MASQUERADE',
            ],
        },
        'letsencrypt': {