|
|
|
|
@ -2,36 +2,36 @@
|
|
|
|
|
|
|
|
|
|
flush ruleset
|
|
|
|
|
|
|
|
|
|
table inet filter {
|
|
|
|
|
table ip filter {
|
|
|
|
|
chain input {
|
|
|
|
|
type filter hook input priority 0;
|
|
|
|
|
policy drop;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# allow already established connections (e.g. initiated by this host)
|
|
|
|
|
add rule ip filter INPUT ct state related,established counter accept
|
|
|
|
|
ct state related,established counter accept
|
|
|
|
|
|
|
|
|
|
# allow ICMP
|
|
|
|
|
add rule ip filter INPUT ip protocol icmp counter accept
|
|
|
|
|
ip protocol icmp counter accept
|
|
|
|
|
|
|
|
|
|
# allow anything on localhost
|
|
|
|
|
add rule ip filter INPUT iifname "lo" counter accept
|
|
|
|
|
iifname "lo" counter accept
|
|
|
|
|
|
|
|
|
|
# allow SSH for remote management
|
|
|
|
|
add rule ip filter INPUT tcp dport 22 counter accept
|
|
|
|
|
tcp dport 22 counter accept
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## docker
|
|
|
|
|
|
|
|
|
|
# cluster management communications
|
|
|
|
|
add rule ip filter INPUT tcp dport 2377 counter accept
|
|
|
|
|
tcp dport 2377 counter accept
|
|
|
|
|
|
|
|
|
|
# communication among nodes
|
|
|
|
|
add rule ip filter INPUT tcp dport 7946 counter accept
|
|
|
|
|
add rule ip filter INPUT udp dport 7946 counter accept
|
|
|
|
|
tcp dport 7946 counter accept
|
|
|
|
|
udp dport 7946 counter accept
|
|
|
|
|
|
|
|
|
|
# overlay network traffic
|
|
|
|
|
add rule ip filter INPUT udp dport 4789 counter accept
|
|
|
|
|
udp dport 4789 counter accept
|
|
|
|
|
}
|
|
|
|
|
chain forward {
|
|
|
|
|
type filter hook forward priority 0;
|
|
|
|
|
|
