From 02421ca1cb31c33219ccea540f37d8dc6f1f9bde Mon Sep 17 00:00:00 2001 From: Dan Radez Date: Tue, 16 Aug 2016 14:32:43 -0400 Subject: Adding moch-detached rules to FORWARD table Forwarded traffic doesn't pass through the output table so adding http, https and dns traffic reject rules to forward table also for a mock-detached state Change-Id: Iab4b7f0f7c95068223636052979c4959db6feaa6 Signed-off-by: Dan Radez --- ci/util.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/ci/util.sh b/ci/util.sh index bcb3a3a7..8c09278a 100755 --- a/ci/util.sh +++ b/ci/util.sh @@ -91,19 +91,28 @@ parse_cmdline() { ;; mock-detached) if [ "$2" == "on" ]; then + echo "Ensuring we can talk to gerrit.opnfv.org" + iptables -A OUTPUT -p tcp -d gerrit.opnfv.org --dport 443 -j ACCEPT echo "Blocking output http (80) traffic" iptables -A OUTPUT -p tcp --dport 80 -j REJECT + iptables -A FORWARD -p tcp --dport 80 -j REJECT echo "Blocking output https (443) traffic" iptables -A OUTPUT -p tcp --dport 443 -j REJECT + iptables -A FORWARD -p tcp --dport 443 -j REJECT echo "Blocking output dns (53) traffic" - iptables -A OUTPUT -p tcp --dport 53 -j REJECT + iptables -A FORWARD -p tcp --dport 53 -j REJECT elif [ "$2" == "off" ]; then + echo "Cleaning gerrit.opnfv.org specific rule" + iptables -D OUTPUT -p tcp -d gerrit.opnfv.org --dport 443 -j ACCEPT echo "Allowing output http (80) traffic" iptables -D OUTPUT -p tcp --dport 80 -j REJECT + iptables -D FORWARD -p tcp --dport 80 -j REJECT echo "Allowing output https (443) traffic" iptables -D OUTPUT -p tcp --dport 443 -j REJECT + iptables -D FORWARD -p tcp --dport 443 -j REJECT echo "Allowing output dns (53) traffic" iptables -D OUTPUT -p tcp --dport 53 -j REJECT + iptables -D FORWARD -p tcp --dport 53 -j REJECT else display_usage fi -- cgit 1.2.3-korg