etan39
/
cloudstack
mirror of https://github.com/apache/cloudstack.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-417: Handle passwd-srvr securely on VR, port 8080 

By default do not enable port 8080 in iptables-router. Since, the socat
server which serves the password is in an infinite loop, any incorrect
attempt is returned bad_request and passwd-srvr won't break.

When /etc/init.d/cloud-passwd-srvr is started:
  - It finds and removes any old rules on port 8080, eth0
  - It applies iptables rule that accepts only traffic from private cidr.

When cloud-passwd-srvr is stopped:
  - It removes iptables rules on port 8080, eth0

Signed-off-by: Rohit Yadav <bhaisaab@apache.org>
This commit is contained in:
Rohit Yadav 2012-10-26 21:33:25 +05:30
parent 6a9c588d33
commit dbe88c1ed3
2 changed files with 35 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
View File

@ -29,10 +29,43 @@
ENABLED=0
[ -e /etc/default/cloud-passwd-srvr ] && . /etc/default/cloud-passwd-srvr
add_iptables_rules()
{
#Delete any old iptables rule for port 8080 on eth0
remove_iptables_rules
#For all cidrs on eth0 for port 8080 accept only if source is withing that cidr
for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
do
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT
done
echo "Added cloud-passwd-srvr iptables rules" && return 0
}
remove_iptables_rules()
{
#Change the Internal Field Separator so the for loop, loops on lines and not spaces
OIFS="${IFS}"
NIFS=$'\n'
IFS="${NIFS}"
#Removed all iptable rules for port 8080 on eth0, they were added in start()
for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`;
do
eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT";
done
#Restore IFS
IFS="${OIFS}"
echo "Removed cloud-passwd-srvr iptables rules" && return 0
}
start() {
[ "$ENABLED" != 0 ] || exit 0
pid=$(getpid)
[ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0
add_iptables_rules
nohup bash /opt/cloud/bin/passwd_server &
}
@ -50,7 +83,8 @@ stop_socat() {
stop () {
stop_socat
pid=$(getpid)
[ "$pid" != "" ] && kill -9 $pid && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
[ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
echo "Password server is not running" && return 0
}

1
patches/systemvm/debian/config/etc/iptables/iptables-router
View File

@ -34,7 +34,6 @@ COMMIT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT