Add firewall rules for Ceph and monitoring

The firewall was blocking the monitoring traffic from hut and the Ceph traffic among OSDs. The rules only allow connecting from the specific host that they are supposed to be coming from. Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>
2024-04-24 16:55:06 +02:00 · 2024-04-24 16:55:06 +02:00 · d2adc3a6d3
commit d2adc3a6d3
parent 76cd9ea47f
2 changed files with 18 additions and 0 deletions
--- a/m/bay/configuration.nix
+++ b/m/bay/configuration.nix
@ -23,6 +23,16 @@
      address = "10.0.42.40";
      prefixLength = 24;
    } ];
+    firewall = {
+      extraCommands = ''
+        # Accept all incoming TCP traffic from lake2
+        iptables -A nixos-fw -p tcp -s lake2 -j nixos-fw-accept
+        # Accept monitoring requests from hut
+        iptables -A nixos-fw -p tcp -s hut -m multiport --dport 9283,9002 -j nixos-fw-accept
+        # Accept all Ceph traffic from the local network
+        iptables -A nixos-fw -p tcp -s 10.0.40.0/24 -m multiport --dport 3300,6789,6800:7568 -j nixos-fw-accept
+      '';
+    };
  };

  services.ceph = {
--- a/m/lake2/configuration.nix
+++ b/m/lake2/configuration.nix
@ -45,6 +45,14 @@
      address = "10.0.42.42";
      prefixLength = 24;
    } ];
+    firewall = {
+      extraCommands = ''
+        # Accept all incoming TCP traffic from bay
+        iptables -A nixos-fw -p tcp -s bay -j nixos-fw-accept
+        # Accept monitoring requests from hut
+        iptables -A nixos-fw -p tcp -s hut --dport 9002 -j nixos-fw-accept
+      '';
+    };
  };

  # Missing service for volumes, see: