CS-16049 : VPC, VR provides metadata and user data through port 80, this port should be only open for targeting to this VR ip

patches/systemvm/debian/config/opt/cloud/bin/vpc_guestnw.sh

@@ -66,6 +66,7 @@ setup_apache2() {
   sed -i -e "s/Listen .*:80/Listen $ip:80/g" /etc/apache2/conf.d/vhost$dev.conf
   sed -i -e "s/Listen .*:443/Listen $ip:443/g" /etc/apache2/conf.d/vhost$dev.conf
   service apache2 restart
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
   sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 80 -j ACCEPT
 }
 
@@ -103,11 +104,14 @@ desetup_dnsmasq() {
 
 setup_passwdsvcs() {
   logger -t cloud "Setting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   nohup bash /opt/cloud/bin/vpc_passwd_server $ip >/dev/null 2>&1 &
 }
 
 desetup_passwdsvcs() {
   logger -t cloud "Desetting up password service for network $ip/$mask, eth $dev "
+  sudo iptables -D INPUT -i $dev -d $ip -p tcp -m state --state NEW --dport 8080 -j ACCEPT
   pid=`ps -ef | grep socat | grep $ip | grep -v grep | awk '{print $2}'`
   if [ -n "$pid" ]
   then
@@ -122,17 +126,15 @@ create_guest_network() {
   sudo ip link set $dev up
   sudo arping -c 3 -I $dev -A -U -s $ip $ip
   # setup rules to allow dhcp/dns request
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -A INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -A INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
   # restore mark from  connection mark
   local tableName="Table_$dev"
   sudo ip route add $subnet/$mask dev $dev table $tableName proto static
+  sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   sudo iptables -t mangle -A PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
   # set up hairpin
   sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
@@ -146,12 +148,10 @@ destroy_guest_network() {
   logger -t cloud " $(basename $0): Create network on interface $dev,  gateway $gw, network $ip/$mask "
 
   sudo ip addr del dev $dev $ip/$mask
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 67 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p udp -m udp --dport 53 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-  sudo iptables -D INPUT -i $dev -p tcp -m state --state NEW --dport 80 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 67 -j ACCEPT
+  sudo iptables -D INPUT -i $dev -d $ip -p udp -m udp --dport 53 -j ACCEPT
   sudo iptables -t mangle -D PREROUTING -i $dev -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-  sudo iptables -t nat -A POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
+  sudo iptables -t nat -D POSTROUTING -s $subnet/$mask -o $dev -j SNAT --to-source $ip
   destroy_acl_chain
   desetup_dnsmasq
   desetup_apache2