CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT

- In order to be able to access the routers via the link local interface, we have to add a rules with NEW and ESTABLISHED state
2015-08-27 15:21:30 +02:00 · 2015-08-27 15:21:30 +02:00 · f5e5f4d002
parent 8221ebd15f
commit f5e5f4d002
4 changed files with 28 additions and 10 deletions
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@ -36,7 +36,7 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
--- a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
@ -28,7 +28,7 @@ COMMIT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 COMMIT
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@ -585,7 +585,7 @@ class CsForwardingRules(CsDataBag):
                rule['protocol'],
                self.portsToString(rule['public_ports'], ':'),
              )
-        fw7 = "-A FORWARD -i %s -o %s -p %s -m %s --dport %s -m state --state NEW -j ACCEPT" % \
+        fw7 = "-A FORWARD -i %s -o %s -p %s -m %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT" % \
              (
                self.getDeviceByIp(rule['public_ip']),
                self.getDeviceByIp(rule['internal_ip']),
@ -599,7 +599,7 @@ class CsForwardingRules(CsDataBag):
        self.fw.append(["nat", "", fw4])
        self.fw.append(["nat", "", fw5])
        self.fw.append(["nat", "", fw6])
-        self.fw.append(["", "", fw7])
+        self.fw.append(["filter", "", fw7])

    def forward_vpc(self, rule):
        fw_prerout_rule = "-A PREROUTING -d %s/32 -i %s" % (rule["public_ip"], self.getDeviceByIp(rule['public_ip']))
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
@ -299,6 +299,10 @@ class CsIP:
            CsRpsrfs(self.dev).enable()
            self.post_config_change("add")

+        '''For isolated/redundant and dhcpsrvr routers, call this method after the post_config is complete '''
+        if not self.config.is_vpc():
+            self.setup_router_control()
+
    def check_is_up(self):
        """ Ensure device is up """
        cmd = "ip link show %s | grep 'state DOWN'" % self.getDevice()
@ -336,6 +340,19 @@ class CsIP:
            return self.address['public_ip']
        return "unknown"

+    def setup_router_control(self):
+        if self.config.is_vpc():
+            return
+        
+        self.fw.append(
+            ["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"])
+        self.fw.append(
+            ["filter", "", "-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"])
+        
+        self.fw.append(["filter", "", "-P INPUT DROP"])
+        self.fw.append(["filter", "", "-P FORWARD DROP"])
+
+        
    def fw_router(self):
        if self.config.is_vpc():
            return
@ -402,11 +419,6 @@ class CsIP:
                            "-A PREROUTING -i %s -m state --state NEW " % self.dev +
                            "-j CONNMARK --set-xmark %s/0xffffffff" % self.dnum])

-        if self.get_type() in ["control"]:
-            self.fw.append(
-                ["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"])
-            self.fw.append(
-                ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT" % self.dev])
        self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS'])
        self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS'])
        self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS'])
@ -414,7 +426,7 @@ class CsIP:
        self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0'])
        self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp'])
        self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp'])
-
+        
    def fw_vpcrouter(self):
        if not self.config.is_vpc():
            return
@ -480,6 +492,11 @@ class CsIP:
        self.fw.append(["", "", "-A NETWORK_STATS -i eth2 -o eth0 -p tcp"])
        self.fw.append(["", "", "-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp"])
        self.fw.append(["", "", "-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp"])
+        
+        self.fw.append(["filter", "", "-A INPUT -i eth0 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"])
+        
+        self.fw.append(["filter", "", "-P INPUT DROP"])
+        self.fw.append(["filter", "", "-P FORWARD DROP"])

    def post_config_change(self, method):
        route = CsRoute()
@ -491,6 +508,7 @@ class CsIP:

        self.fw_router()
        self.fw_vpcrouter()
+
        # On deletion nw_type will no longer be known
        if self.get_type() in ["guest"] and self.config.is_vpc():