diff --git a/patches/systemvm/debian/config/root/firewall.sh b/patches/systemvm/debian/config/root/firewall.sh
index a4b60b55378..e9d5abb5cdb 100755
--- a/patches/systemvm/debian/config/root/firewall.sh
+++ b/patches/systemvm/debian/config/root/firewall.sh
@@ -142,10 +142,10 @@ fw_chain_for_ip() {
 local pubIp=$1
 if iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
 then
- logger -t cloud "created a fw chain for $pubIp to DROP by default"
+ logger -t cloud "$(basename $0): created a firewall chain for $pubIp"
 (sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP) &&
 (sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT ) &&
- (sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp)
+ (sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)
 return $?
 fi
 logger -t cloud "fw chain for $pubIp already exists"
diff --git a/patches/systemvm/debian/config/root/firewall_rule.sh b/patches/systemvm/debian/config/root/firewall_rule.sh
index f0f8c0c1e2d..41d3927315a 100755
--- a/patches/systemvm/debian/config/root/firewall_rule.sh
+++ b/patches/systemvm/debian/config/root/firewall_rule.sh
@@ -29,17 +29,18 @@ usage() {
 fw_remove_backup() {
 local pubIp=$1
 sudo iptables -t mangle -F _FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -j _FIREWALL_$pubIp -d $pubIp 2> /dev/null
+ sudo iptables -t mangle -D PREROUTING -d $pubIp -j _FIREWALL_$pubIp 2> /dev/null
 sudo iptables -t mangle -X _FIREWALL_$pubIp 2> /dev/null
 }
 
 fw_restore() {
 local pubIp=$1
 sudo iptables -t mangle -F FIREWALL_$pubIp 2> /dev/null
- sudo iptables -t mangle -D PREROUTING -j FIREWALL_$pubIp -d $pubIp 2> /dev/null
+ sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp 2> /dev/null
 sudo iptables -t mangle -X FIREWALL_$pubIp 2> /dev/null
 sudo iptables -t mangle -E _FIREWALL_$pubIp FIREWALL_$pubIp 2> /dev/null
 }
+
 fw_chain_for_ip () {
 local pubIp=$1
 fw_remove_backup $1
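Review bot: The new `(sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp)` hard-codes a rule index rather than placing the FIREWALL_ jump relative to the VPN_ jump; iptables refuses an insert index greater than the current rule count plus one, so on a mangle PREROUTING that is still empty the chain is created but never hooked in and `return $?` reports that failure. Because every jump is scoped with `-d $pubIp`, position 2 only means "after the VPN chain" when the VPN_ jump for the same address happens to sit at position 1 at that moment; with several public IPs it is merely second from the top. The same construct is added in firewall_rule.sh fw_chain_for_ip and ipassoc.sh add_fw_chain_for_ip. If nothing else in mangle PREROUTING has to run after the firewall chain, appending the jump (`-A PREROUTING -d $pubIp -j FIREWALL_$pubIp`) keeps it behind every `-I PREROUTING 1` VPN_ jump without depending on the table's current length; otherwise at least fall back to a plain `-I PREROUTING` when the indexed insert fails. fw_chain_for_ip continues past the end of the hunk.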
@@ -49,7 +50,8 @@ fw_chain_for_ip () {
 sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
 # ensure outgoing connections are maintained (first rule in chain)
 sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
- sudo iptables -t mangle -I PREROUTING -d $pubIp -j FIREWALL_$pubIp
+ #ensure that this table is after VPN chain
+ sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
 }
 
 fw_entry_for_public_ip() {
diff --git a/patches/systemvm/debian/config/root/ipassoc.sh b/patches/systemvm/debian/config/root/ipassoc.sh
index 949b8ac4671..afc9fb5b71d 100644
--- a/patches/systemvm/debian/config/root/ipassoc.sh
+++ b/patches/systemvm/debian/config/root/ipassoc.sh
@@ -30,6 +30,69 @@ usage() {
 printf " %s -D -l -c [-f] \n" $(basename $0) >&2
 }
 
+add_fw_chain_for_ip () {
+ local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+ if sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+ then
+ logger -t cloud "$(basename $0): created firewall chain for $pubIp"
+ #drop if no rules match (this will be the last rule in the chain)
+ sudo iptables -t mangle -A FIREWALL_$pubIp -j DROP> /dev/null
+ #ensure outgoing connections are maintained (first rule in chain)
+ sudo iptables -t mangle -I FIREWALL_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT> /dev/null
+ #ensure that this table is after VPN chain
+ sudo iptables -t mangle -I PREROUTING 2 -d $pubIp -j FIREWALL_$pubIp
+ return $?
+ fi
+ logger -t cloud "$(basename $0): firewall chain for $pubIp already exists"
+}
+
+add_vpn_chain_for_ip () {
+ local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+ if sudo iptables -t mangle -N VPN_$pubIp &> /dev/null
+ then
+ logger -t cloud "$(basename $0): created VPN chain for $pubIp"
+ #ensure outgoing connections are maintained (first rule in chain)
+ sudo iptables -t mangle -I VPN_$pubIp -m state --state RELATED,ESTABLISHED -j ACCEPT
+ sudo iptables -t mangle -A VPN_$pubIp -j RETURN
+ #ensure that this table is the first
+ sudo iptables -t mangle -I PREROUTING 1 -d $pubIp -j VPN_$pubIp
+ return $?
+ fi
+ logger -t cloud "$(basename $0): VPN chain for $pubIp already exists"
+}
+
+del_fw_chain_for_ip () {
+ local pubIp=$(echo $1 | awk -F'/' '{print $1}')
+ if ! sudo iptables -t mangle -N FIREWALL_$pubIp &> /dev/null
+ then
+ logger -t cloud "$(basename $0): destroying firewall chain for $pubIp"
+ sudo iptables -t mangle -D PREROUTING -d $pubIp -j FIREWALL_$pubIp
+ sudo iptables -t mangle -F FIREWALL_$pubIp
+ sudo iptables -t mangle -X FIREWALL_$pubIp
+ return $?
+ fi + # firewall chain got created as a result of testing for the chain, cleanup + sudo iptables -t mangle -F FIREWALL_$pubIp + sudo iptables -t mangle -X FIREWALL_$pubIp + logger -t cloud "$(basename $0): firewall chain did not exist for $pubIp, cleaned up" +} + +del_vpn_chain_for_ip () { + local pubIp=$(echo $1 | awk -F'/' '{print $1}') + if ! sudo iptables -t mangle -N VPN_$pubIp &> /dev/null + then + logger -t cloud "$(basename $0): destroying vpn chain for $pubIp" + sudo iptables -t mangle -D PREROUTING -d $pubIp -j VPN_$pubIp + sudo iptables -t mangle -F VPN_$pubIp + sudo iptables -t mangle -X VPN_$pubIp + return $? + fi + # vpn chain got created as a result of testing for the chain, cleanup + sudo iptables -t mangle -F VPN_$pubIp + sudo iptables -t mangle -X VPN_$pubIp + logger -t cloud "$(basename $0): vpn chain did not exist for $pubIp, cleaned up" +} + add_nat_entry() { local pubIp=$1 logger -t cloud "$(basename $0):Adding nat entry for ip $pubIp on interface $ethDev" @@ -195,25 +258,31 @@ fi if [ "$fflag" == "1" ] && [ "$Aflag" == "1" ] then - add_nat_entry $publicIp + add_nat_entry $publicIp && + add_vpn_chain_for_ip $publicIp && + add_fw_chain_for_ip $publicIp exit $? fi if [ "$Aflag" == "1" ] then - add_an_ip $publicIp + add_an_ip $publicIp && + add_fw_chain_for_ip $publicIp exit $? fi if [ "$fflag" == "1" ] && [ "$Dflag" == "1" ] then - del_nat_entry $publicIp + del_nat_entry $publicIp && + del_fw_chain_for_ip $publicIp && + del_vpn_chain_for_ip $publicIp exit $? fi if [ "$Dflag" == "1" ] then - remove_an_ip $publicIp + remove_an_ip $publicIp && + del_fw_chain_for_ip $publicIp exit $? fi diff --git a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh index fdafdac5b37..80815783760 100755 --- a/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh +++ b/patches/systemvm/debian/vpn/opt/cloud/bin/vpn_l2tp.sh 
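Review bot: del_fw_chain_for_ip and del_vpn_chain_for_ip test for the chain with `sudo iptables -t mangle -N ...`, which creates the chain when it is absent and then has to be undone by the trailing -F/-X pair that the comment explains; a read-only probe such as `if sudo iptables -t mangle -nL FIREWALL_$pubIp &> /dev/null` (and the VPN_ equivalent) avoids the transient chain and drops the extra two commands, and the same probe fits the add_* helpers. Each `local pubIp=$(echo $1 | awk -F'/' '{print $1}')` spawns a pipeline to strip a CIDR suffix that `local pubIp=${1%%/*}` does in the shell. In add_fw_chain_for_ip only the last iptables command feeds `return $?`, so a failed DROP or RELATED,ESTABLISHED rule on the earlier lines is not reported; chaining the three rule commands with `&&`, as firewall.sh does in the same commit, would surface it. The hunk begins on the previous diff line.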
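Review bot: On both delete paths the chain teardown is gated with `&&` on del_nat_entry / remove_an_ip, so when that step fails the FIREWALL_ and VPN_ chains and their PREROUTING jumps are left behind for an address that is no longer associated, and the single `exit $?` does not say which step failed. Running the del_* helpers unconditionally and exiting with the first non-zero status keeps removal idempotent. On the `-f -A` path the reverse holds: a failure in add_vpn_chain_for_ip short-circuits add_fw_chain_for_ip, leaving the address configured without the FIREWALL_ chain that is meant to DROP by default, which looks identical to a NAT failure from the caller's side. The script continues after the hunk.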
@@ -53,16 +53,16 @@ iptables_() { sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $subnet_ip - if sudo iptables -t mangle -N FIREWALL_$public_ip &> /dev/null + if sudo iptables -t mangle -N VPN_$public_ip &> /dev/null then - logger -t cloud "$(basename $0): created firewall chain in PREROUTING mangle" + logger -t cloud "$(basename $0): created VPN chain in PREROUTING mangle" + sudo iptables -t mangle -I PREROUTING -d $public_ip -j VPN_$public_ip + sudo iptables -t mangle -A VPN_$public_ip -j RETURN fi op2="-D" [ "$op" == "-A" ] && op2="-I" - sudo iptables -t mangle $op FIREWALL_$public_ip -p ah -j ACCEPT - sudo iptables -t mangle $op FIREWALL_$public_ip -p esp -j ACCEPT - - + sudo iptables -t mangle $op VPN_$public_ip -p ah -j ACCEPT + sudo iptables -t mangle $op VPN_$public_ip -p esp -j ACCEPT } ipsec_server() {
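Review bot: The `-p ah` and `-p esp -j ACCEPT` rules are still added with `$op`, i.e. appended with -A when the VPN comes up, but the new `sudo iptables -t mangle -A VPN_$public_ip -j RETURN` (and the RETURN that ipassoc.sh add_vpn_chain_for_ip appends when it created the chain first) already sits at the end of VPN_$public_ip, so both ACCEPTs land after the RETURN and are never evaluated; IPsec traffic then falls through to whatever follows in PREROUTING rather than being accepted here. `op2` is computed in the hunk as -I for the add case and -D for the remove case but nothing in the hunk uses it; `sudo iptables -t mangle $op2 VPN_$public_ip -p ah -j ACCEPT` and `sudo iptables -t mangle $op2 VPN_$public_ip -p esp -j ACCEPT` put the ACCEPTs ahead of the RETURN and still delete cleanly. iptables_ starts above the hunk.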