Comment 1 for bug 1524750

We have 'REJECT' rules in the end of INPUT and FORWARD chains:

[root@nailgun ~]# iptables -L INPUT -n -v | tail -2
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
    0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* 999 iptables denied */ limit: avg 5/min burst 5 LOG flags 0 level 7 prefix "iptables denied: "
[root@nailgun ~]# iptables -L FORWARD -n -v | tail -2
13927 45M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 051 forward admin_net conntrack */ ctstate RELATED,ESTABLISHED
    0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

But as far as I know it came to Fuel with CentOS 7 support, so I'm also for setting default 'DROP' policy explicitly (by puppet) for those chains.

>1. Allow all necessary services to be reached only from ADMIN/PXE network segment (ADMIN/PXE network IP addressing as provided by user during Fuel menu installation phase). All other network segments should not be allowed to reach possibly sensitive services like RabbitMQ, Erlang, dnsmasq and similar.

Currently we allow such traffic from any IP, but restrict it only for admin/pxe L2 network (input interface) and we have a reason for that - new admin networks could be created after master node setup using Nailgun API. I'm talking about multi racks feature. So nodes from other racks also need access to the services on master node, but they have IP addresses which are not known by puppet during Fuel setup. That's why I think we should keep our current policy as is, but strongly recommend users do not allow access to hosts in admin/pxe network from the outside.