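#!/bin/sh
# Stop at the first failing command and on any unset variable: every step below
# feeds the output of one OpenStack call into the next, and a silently empty ID
# would turn into a wrong (not a missing) firewall object.
set -eu
#----------------------------------------------------------------------------------------
# TNT00 project credentials.
# The password is intentionally not kept in this file. Provide it through the
# environment before running, e.g.:  source /root/bin/admin-openrc.sh
: "${OS_PASSWORD:?set OS_PASSWORD in the environment (e.g. source an openrc file)}"
export OS_PASSWORD
export OS_USERNAME=tnt00user
export OS_PROJECT_NAME=TNT00
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
# NOTE(review): a plain-http auth URL sends the password unencrypted to the
# controller; use https where the Keystone endpoint supports it.
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
export OS_AUTH_TYPE=password
TNT00_project_id=$(openstack project show TNT00 -c id -f value)
# ID of this project's own "default" security group: keep only rows carrying
# both the group name and this project's ID (another project's "default" group
# would otherwise match as well). Not used further in this script.
# shellcheck disable=SC2034
default_secgroup_id=$(openstack security group list -f value \
  | grep -F -- default | grep -F -- "$TNT00_project_id" | cut -d " " -f1)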
#----------------------------------------------------------------------------------------
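# Firewall (https://docs.openstack.org/newton/networking-guide/fwaas-v2-scenario.html#configure-firewall-as-a-service-v2)
# openstack server list
# SSH Admin Server traffic rule

# first_fixed_ip NETWORK ADDRESSES
#   Print the first IP of NETWORK from the "addresses" column of
#   `openstack server show -f value` ("Net1=10.0.0.5, 203.0.113.7; Net2=..."):
#   keep the entry before the first ';', drop the "NETWORK=" prefix and keep
#   what precedes the first ','. Prints an empty line when ADDRESSES is empty
#   or does not start with NETWORK.
first_fixed_ip() {
  _entry=${2%%;*}
  _entry=${_entry#"$1"=}
  printf '%s\n' "${_entry%%,*}"
}

# The firewall is applied after the NAT, so the fixed (internal) IP is the one
# to match, not the floating IP.
server_admin_internal_ip=$(first_fixed_ip Net1 "$(openstack server show ServerAdmin -c addresses -f value)")
# With an empty address, "--destination-port" would be consumed as the address
# value and a wrong rule would be created; refuse instead.
[ -n "$server_admin_internal_ip" ] || { printf '%s\n' "could not determine the fixed IP of ServerAdmin" >&2; exit 1; }
openstack firewall group rule create --protocol tcp \
  --destination-ip-address "$server_admin_internal_ip" \
  --destination-port 22 \
  --action allow --name ssh_ingress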
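# HTTP Server traffic rule
# As with the SSH rule, FWaaS sees traffic after NAT, so the load balancer's
# VIP (its internal address) is the destination to match.
load_balancer_internal_address=$(neutron lbaas-loadbalancer-show lb -c vip_address -f value)
# An empty VIP would let "--destination-port" be parsed as the address; stop
# rather than create a wrong rule.
[ -n "$load_balancer_internal_address" ] || { printf '%s\n' "could not determine the VIP of load balancer lb" >&2; exit 1; }
openstack firewall group rule create --protocol tcp \
  --destination-ip-address "$load_balancer_internal_address" \
  --destination-port 80 \
  --action allow --name http_ingress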
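# All internal traffic is allowed to egress
# The tenant subnet defaults to the value this script was written for; set
# INTERNAL_CIDR in the environment to use the script with another network.
internal_cidr=${INTERNAL_CIDR:-10.103.82.0/24}
openstack firewall group rule create --protocol any \
  --source-ip-address "$internal_cidr" \
  --action allow --name egress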
# Firewall policy
# One policy per direction; rules are attached in the order they were created
# above (ssh, then http) and the egress rule goes to its own policy.
ingress_policy=ingressfirewallpolicy
egress_policy=egressfirewallpolicy
openstack firewall group policy create "$ingress_policy"
for rule_name in ssh_ingress http_ingress; do
  openstack firewall group policy add rule "$ingress_policy" "$rule_name"
done
openstack firewall group policy create "$egress_policy"
openstack firewall group policy add rule "$egress_policy" egress
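# FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

# first_port_id INTERFACES_INFO
#   Print the port_id of the first interface in the router's "interfaces_info"
#   column (`openstack router show -c interfaces_info -f value`), e.g.
#   "[{'port_id': 'PORT', 'ip_address': '10.0.0.1', 'subnet_id': 'SUB'}]":
#   keep the text before the first ',', drop the key up to ':' and strip the
#   quotes around the value. Single quotes (Python repr, as the original
#   parsing expected) and double quotes (JSON) are both accepted. Prints an
#   empty line for empty input.
first_port_id() {
  _quotes="'\""
  _entry=${1%%,*}
  _entry=${_entry#*:}
  _entry=${_entry#*[$_quotes]}
  printf '%s\n' "${_entry%[$_quotes]*}"
}

# NOTE(review): this assumes the router's first listed interface is the
# tenant-side port the firewall should be bound to — confirm against the router.
internal_router_port=$(first_port_id "$(openstack router show RTR1TNT82CL3 -c interfaces_info -f value)")
# An empty port would make "--ingress-firewall-policy" the value of --port;
# refuse rather than create a firewall group bound to nothing.
[ -n "$internal_router_port" ] || { printf '%s\n' "could not determine the internal port of router RTR1TNT82CL3" >&2; exit 1; }
openstack firewall group create --port "$internal_router_port" \
  --ingress-firewall-policy ingressfirewallpolicy \
  --egress-firewall-policy egressfirewallpolicy \
  --project TNT00 --name firewall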