bug 11103: create firewall chains on ipassoc
status 11103: resolved fixed; bug 11106: this is somehow fixed / cannot be reproduced; status 11106: resolved fixed
parent
78849c2959
commit
5bd0ffa80a
@ -142,10 +142,10 @@ fw_chain_for_ip() {
local pubIp=$1
if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
then
logger -t cloud "created a fw chain for $pubIp to DROP by default"
logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
(sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
(sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
(sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp)
(sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
return $?
fi
logger -t cloud "fw chain for $pubIp already exists"
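Review bot: If any command in the `&&` chain after `iptables -N` fails — notably `-I PREROUTING 2`, which iptables rejects with "index of insertion too big" when mangle PREROUTING holds fewer than one rule — the function returns non-zero but leaves FIREWALL_$pubIp behind, so every later call takes the "already exists" branch and returns 0 without the jump ever being installed, and the address stays unfiltered because its default DROP is never reached. Tear the half-built chain down on failure so the next call actually retries. Separately, the unchanged existence check `if iptables -t mangle -N FIREWALL_$pubIp` runs without sudo while every other command uses it; if the script is ever run as a non-root user that check presumably fails and the function logs "already exists" instead of creating anything. fw_chain_for_ip starts outside the hunk.
```shell
# … unchanged: (DROP) && (RELATED,ESTABLISHED ACCEPT) && …
(sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
rc=$?
if [ $rc -ne 0 ]
then
    # never leave an unattached chain behind: the next call would treat it
    # as "already exists" and $pubIp would remain without its default DROP
    logger -t cloud "$(basename $0): failed to attach FIREWALL_$pubIp, removing chain"
    sudo iptables -t mangle -F FIREWALL_$pubIp
    sudo iptables -t mangle -X FIREWALL_$pubIp
fi
return $rc
```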
@ -29,17 +29,18 @@ usage() {
fw_remove_backup() {
local pubIp=$1
sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -j _FIREWALL_$pubIp -d $pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
}
fw_restore() {
local pubIp=$1
sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -j FIREWALL_$pubIp -d $pubIp 2> /dev/null
sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
}
fw_chain_for_ip () {
local pubIp=$1
fw_remove_backup $1
@ -49,7 +50,8 @@ fw_chain_for_ip () {
sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
# ensure outgoing connections are maintained (first rule in chain)
sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
#ensure that this table is after VPN chain
sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
}
</gr_replplace>

<gr_insert after="145" cat="add_content" lang="shell" orig="fw_entry_for_public_ip">
Review bot: In fw_chain_for_ip the unconditional `-I PREROUTING -d $pubIp -j FIREWALL_$pubIp` becomes a positional `-I PREROUTING 2 …`, which iptables rejects when mangle PREROUTING is empty (index too big), and its exit status is not checked; the chain created just above with its default DROP is then never attached and the address is left open. The reason given for position 2 — being after the VPN chain — only holds when a position-1 rule exists, so fall back to the previous behaviour when the indexed insert fails: `sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp || sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp`. In fw_remove_backup and fw_restore every iptables error is discarded with `2> /dev/null`, so a failed restore of a backed-up chain is indistinguishable from a no-op; at least the `-E _FIREWALL_$pubIp FIREWALL_$pubIp` step deserves a logged failure. fw_chain_for_ip begins in the first hunk and the lines between the two hunks are not shown.
</gr_insert>

<gr_replace lines="146-153" cat="remove_boilerplate" orig="|">
fw_entry_for_public_ip() {
|
||||
|
|
|
|||
|
|
@ -30,6 +30,69 @@ usage() {
printf " %s -D -l <public-ip-address> -c <dev> [-f] \n" $(basename $0) >&2
}
add_fw_chain_for_ip () {
local pubIp=$(echo $1 | awk -F'/' '{print $1}')
if sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
then
logger -t cloud "$(basename $0): created firewall chain for $pubIp"
#drop if no rules match (this will be the last rule in the chain)
sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
#ensure outgoing connections are maintained (first rule in chain)
sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
#ensure that this table is after VPN chain
sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
return $?
fi
logger -t cloud "$(basename $0): firewall chain for $pubIp already exists"
}
add_vpn_chain_for_ip () {
local pubIp=$(echo $1 | awk -F'/' '{print $1}')
if sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
then
logger -t cloud "$(basename $0): created VPN chain for $pubIp"
#ensure outgoing connections are maintained (first rule in chain)
sudo iptables -t mangle -I VPN_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t mangle -A VPN_$pubIp -j RETURN
#ensure that this table is the first
sudo iptables -t mangle -I PREROUTING 1 -d $pubIp -j VPN_$pubIp
return $?
fi
logger -t cloud "$(basename $0): VPN chain for $pubIp already exists"
}
del_fw_chain_for_ip () {
local pubIp=$(echo $1 | awk -F'/' '{print $1}')
if ! sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
then
logger -t cloud "$(basename $0): destroying firewall chain for $pubIp"
sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp
sudo iptables -t mangle -F FIREWALL_$pubIp
sudo iptables -t mangle -X FIREWALL_$pubIp
return $?
fi
# firewall chain got created as a result of testing for the chain, cleanup
sudo iptables -t mangle -F FIREWALL_$pubIp
sudo iptables -t mangle -X FIREWALL_$pubIp
logger -t cloud "$(basename $0): firewall chain did not exist for $pubIp, cleaned up"
}
del_vpn_chain_for_ip () {
local pubIp=$(echo $1 | awk -F'/' '{print $1}')
if ! sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
then
logger -t cloud "$(basename $0): destroying vpn chain for $pubIp"
sudo iptables -t mangle -D PREROUTING -d $pubIp -j VPN_$pubIp
sudo iptables -t mangle -F VPN_$pubIp
sudo iptables -t mangle -X VPN_$pubIp
return $?
fi
# vpn chain got created as a result of testing for the chain, cleanup
sudo iptables -t mangle -F VPN_$pubIp
sudo iptables -t mangle -X VPN_$pubIp
logger -t cloud "$(basename $0): vpn chain did not exist for $pubIp, cleaned up"
}
add_nat_entry() {
local pubIp=$1
logger -t cloud "$(basename $0):Adding nat entry for ip $pubIp on interface $ethDev"
@ -195,25 +258,31 @@ fi
if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ]
then
add_nat_entry $publicIp
add_nat_entry $publicIp &&
add_vpn_chain_for_ip $publicIp &&
add_fw_chain_for_ip $publicIp
exit $?
fi
if [ "$Aflag" == "1" ]
then
add_an_ip $publicIp
add_an_ip $publicIp &&
add_fw_chain_for_ip $publicIp
exit $?
fi
if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ]
then
del_nat_entry $publicIp
del_nat_entry $publicIp &&
del_fw_chain_for_ip $publicIp &&
del_vpn_chain_for_ip $publicIp
exit $?
fi
if [ "$Dflag" == "1" ]
then
remove_an_ip $publicIp
remove_an_ip $publicIp &&
del_fw_chain_for_ip $publicIp
exit $?
fi
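Review bot: add_fw_chain_for_ip is fail-open on a partial run: when `iptables -N` succeeds but `-I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp` does not (iptables rejects index 2 when mangle PREROUTING is empty, which on the plain `-A` path — where no VPN chain is inserted first — is exactly the case the "after VPN chain" comment does not cover), the IP has already been added by add_an_ip, the script exits non-zero, and every retry takes the "already exists" branch and returns 0 while the chain with its default DROP is still not attached to PREROUTING. The chain existing is not the same as the chain being hooked in, so the "already exists" branch should verify the jump and attach it if missing, and the indexed insert should fall back to position 1 when it is rejected (an empty PREROUTING cannot contain a VPN jump, so position 1 is then correct). del_fw_chain_for_ip has the mirror-image problem: it returns the status of `-X` only, and `-X` fails when the jump deletion before it did not match, which the script neither logs nor reports.
```shell
add_fw_chain_for_ip () {
  local pubIp=$(echo $1 | awk -F'/' '{print $1}')
  if sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
  then
    # … unchanged: log, default DROP, RELATED,ESTABLISHED ACCEPT …
    #ensure that this table is after VPN chain; an empty PREROUTING rejects
    #index 2 and cannot hold a VPN jump either, so position 1 is right then
    sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp ||
      sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
    return $?
  fi
  # chain already existed: a previous partial run may have left it unattached,
  # in which case $pubIp has no default DROP at all
  if ! sudo iptables -t mangle -L PREROUTING -n | grep -q "FIREWALL_$pubIp "
  then
    logger -t cloud "$(basename $0): firewall chain for $pubIp not attached, attaching"
    sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp ||
      sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
    return $?
  fi
  logger -t cloud "$(basename $0): firewall chain for $pubIp already exists"
}
```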
@ -53,16 +53,16 @@ iptables_() {
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip
if sudo iptables -t mangle -N FIREWALL_$public_ip &> /dev/null
if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null
then
logger -t cloud "$(basename $0): created firewall chain in PREROUTING mangle"
logger -t cloud "$(basename $0): created VPN chain in PREROUTING mangle"
sudo iptables -t mangle -I PREROUTING -d $public_ip -j VPN_$public_ip
sudo iptables -t mangle -A VPN_$public_ip -j RETURN
fi
op2="-D"
[ "$op" == "-A" ] && op2="-I"
sudo iptables -t mangle $op FIREWALL_$public_ip -p ah -j ACCEPT
sudo iptables -t mangle $op FIREWALL_$public_ip -p esp -j ACCEPT
sudo iptables -t mangle $op VPN_$public_ip -p ah -j ACCEPT
sudo iptables -t mangle $op VPN_$public_ip -p esp -j ACCEPT
}
ipsec_server() {
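Review bot: The AH and ESP accept rules are added to VPN_$public_ip with `$op`, i.e. `-A` on the add path, which appends them after the `-j RETURN` that is appended when the chain is created — both here and in ipassoc.sh's add_vpn_chain_for_ip — so in the visible lines they are never evaluated and new IPsec packets fall through to FIREWALL_$public_ip, where they hit the default DROP unless some firewall rule for the address accepts them. The `op2` computed two lines earlier (`-I` for add, `-D` for delete) is not referenced anywhere in the hunk and looks like the intended variable: `sudo iptables -t mangle $op2 VPN_$public_ip -p ah -j ACCEPT` and the same for `-p esp`. iptables_() starts outside the hunk, so if `op2` is consumed further down disregard that part, but the rule ordering relative to RETURN still needs fixing.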