From c8160122b3819049c0b5ca4c5a43c5ff583ff44f Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Wed, 24 Apr 2024 16:55:06 +0200
Subject: [PATCH] Add firewall rules for Ceph and monitoring

The firewall was blocking the monitoring traffic from hut and the Ceph traffic among OSDs. The rules only allow connecting from the specific host that they are supposed to be coming from.

Reviewed-by: Aleix Roca Nonell
---
 m/bay/configuration.nix | 10 ++++++++++
 m/lake2/configuration.nix | 8 ++++++++
 2 files changed, 18 insertions(+)

diff --git a/m/bay/configuration.nix b/m/bay/configuration.nix
index 70b71653..ac34f698 100644
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@@ -23,6 +23,16 @@
 address = "10.0.42.40";
 prefixLength = 24;
 } ];
+ firewall = {
+ extraCommands = ''
+ # Accept all incoming TCP traffic from lake2
+ iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+ # Accept monitoring requests from hut
+ iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+ # Accept all Ceph traffic from the local network
+ iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+ '';
+ };
 };
 
 services.ceph = {
diff --git a/m/lake2/configuration.nix b/m/lake2/configuration.nix
index aacf5b93..934f6f78 100644
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@@ -45,6 +45,14 @@
 address = "10.0.42.42";
 prefixLength = 24;
 } ];
+ firewall = {
+ extraCommands = ''
+ # Accept all incoming TCP traffic from bay
+ iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+ # Accept monitoring requests from hut
+ iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+ '';
+ };
 };
 
 # Missing service for volumes, see:
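Review bot: The first rule in the bay hunk, `iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept`, opens every TCP port to lake2, which is wider than the Ceph traffic the commit message describes and wider than the port-scoped Ceph rule two lines below; the `-s bay` rule in the lake2 hunk has the same shape. Scoping it to the same ports, `iptables -A nixos-fw -p tcp -s lake2 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept` (and the mirror on lake2), keeps the peer exception limited to the service it exists for. Separately, `-s lake2`, `-s bay` and `-s hut` are hostnames, which iptables resolves once when the firewall script runs: if resolution is not available at that moment the iptables call errors, and if a name maps to several addresses one rule is added per address, so an explicit address (or the peer's address taken from its Nix config) is the more predictable form. The Ceph rule admits all of 10.0.40.0/24 while the context lines show this interface at 10.0.42.40/24; presumably Ceph uses a separate cluster network, but that /24 rule is broader than the "specific host" wording in the commit message, so the intended subnet is worth confirming and stating in the comment. The attribute set these `firewall` blocks are added to begins before each hunk.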