From f5e5f4d0026f8ffd6f3aa7e8e4c7be0cd809d6c9 Mon Sep 17 00:00:00 2001
From: wilderrodrigues
Date: Thu, 27 Aug 2015 15:21:30 +0200
Subject: [PATCH] CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to DROP instead of ACCEPT - In order to be able to access the routers via the link local interface, we have to add a rules with NEW and ESTABLISHED state
---
 .../config/etc/iptables/iptables-router | 2 +-
 .../config/etc/iptables/iptables-vpcrouter | 2 +-
 .../debian/config/opt/cloud/bin/configure.py | 4 +--
 .../config/opt/cloud/bin/cs/CsAddress.py | 30 +++++++++++++++----
 4 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-router b/systemvm/patches/debian/config/etc/iptables/iptables-router
index 0f82d20cd2a..b49b6b2f244 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@@ -36,7 +36,7 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -i eth1 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
diff --git a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
index 18a3510f120..1c40493917b 100644
--- a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
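Review bot: Adding ESTABLISHED to the eth1 3922 rule only covers that one rule's reply packets; under the INPUT DROP policy this commit introduces, every other stateful INPUT rule in this file — the `--state NEW --dport 80` line directly below it — needs the same treatment, unless a chain-wide `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` exists elsewhere in the file (the vpcrouter file in this patch has one; this hunk shows none for the router). A single chain-wide state rule is the conventional form and keeps the per-service rules at `--state NEW`, which is easier to audit. This hunk does not touch the `:INPUT`/`:FORWARD` policy lines the subject refers to, so the DROP default apparently comes only from the runtime appends in CsAddress.py later in this patch.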
@@ -28,7 +28,7 @@ COMMIT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
--A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW,ESTABLISHED --dport 3922 -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 COMMIT
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index a591737beff..c25f892a1d1 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -585,7 +585,7 @@ class CsForwardingRules(CsDataBag):
 rule['protocol'],
 self.portsToString(rule['public_ports'], ':'),
 )
- fw7 = "-A FORWARD -i %s -o %s -p %s -m %s --dport %s -m state --state NEW -j ACCEPT" % \
+ fw7 = "-A FORWARD -i %s -o %s -p %s -m %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT" % \
 (
 self.getDeviceByIp(rule['public_ip']),
 self.getDeviceByIp(rule['internal_ip']),
@@ -599,7 +599,7 @@ class CsForwardingRules(CsDataBag):
 self.fw.append(["nat", "", fw4])
 self.fw.append(["nat", "", fw5])
 self.fw.append(["nat", "", fw6])
- self.fw.append(["", "", fw7])
+ self.fw.append(["filter", "", fw7])
 
 def forward_vpc(self, rule):
 fw_prerout_rule = "-A PREROUTING -d %s/32 -i %s" % (rule["public_ip"], self.getDeviceByIp(rule['public_ip']))
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
index d49c47a8a72..767e7488242 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/cs/CsAddress.py
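Review bot: The ESTABLISHED added to the eth0 3922 rule is redundant in this file: the chain-wide `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` two lines below already accepts reply packets for every INPUT connection, so `--state NEW` was sufficient. Keeping per-service rules at NEW leaves the state rule as the single place that admits established traffic, which is what a reviewer of the rule set will look for. If the intent is to survive that chain-wide rule being removed at runtime, a comment in the file saying so would make the duplication deliberate rather than accidental.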
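Review bot: The `fw7` FORWARD rule matches only the public→internal direction (`-i` public device, `-o` internal device), so adding ESTABLISHED to it does not cover the reply path; reply packets travel internal→public and are not matched by this rule at all. Whether a forwarded connection survives a FORWARD DROP policy therefore depends on the direction-specific `RELATED,ESTABLISHED` FORWARD rules in the static iptables files (the router file in this patch has them for eth0/eth1 and eth2/eth0), and if those cover the reply path then `--state NEW` was sufficient here. The enclosing method of `CsForwardingRules` starts before the hunk; a one-line comment such as `# fw7: filter-table ACCEPT for the forwarded flow; fw1-fw6 are the nat-table DNAT/SNAT entries` above the `fw7 =` line would explain why it is the one rule not appended to "nat".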
@@ -299,6 +299,10 @@ class CsIP: CsRpsrfs(self.dev).enable() self.post_config_change("add") + '''For isolated/redundant and dhcpsrvr routers, call this method after the post_config is complete ''' + if not self.config.is_vpc(): + self.setup_router_control() + def check_is_up(self): """ Ensure device is up """ cmd = "ip link show %s | grep 'state DOWN'" % self.getDevice() @@ -336,6 +340,19 @@ class CsIP: return self.address['public_ip'] return "unknown" + def setup_router_control(self): + if self.config.is_vpc(): + return + + self.fw.append( + ["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"]) + self.fw.append( + ["filter", "", "-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"]) + + self.fw.append(["filter", "", "-P INPUT DROP"]) + self.fw.append(["filter", "", "-P FORWARD DROP"]) + + def fw_router(self): if self.config.is_vpc(): return @@ -402,11 +419,6 @@ class CsIP: "-A PREROUTING -i %s -m state --state NEW " % self.dev + "-j CONNMARK --set-xmark %s/0xffffffff" % self.dnum]) - if self.get_type() in ["control"]: - self.fw.append( - ["filter", "", "-A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT"]) - self.fw.append( - ["filter", "", "-A INPUT -i %s -p tcp -m tcp --dport 3922 -m state --state NEW -j ACCEPT" % self.dev]) self.fw.append(['', 'front', '-A FORWARD -j NETWORK_STATS']) self.fw.append(['', 'front', '-A INPUT -j NETWORK_STATS']) self.fw.append(['', 'front', '-A OUTPUT -j NETWORK_STATS']) @@ -414,7 +426,7 @@ class CsIP: self.fw.append(['', '', '-A NETWORK_STATS -i eth2 -o eth0']) self.fw.append(['', '', '-A NETWORK_STATS -o eth2 ! -i eth0 -p tcp']) self.fw.append(['', '', '-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp']) - + def fw_vpcrouter(self): if not self.config.is_vpc(): return 
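Review bot: The triple-quoted string added before `if not self.config.is_vpc():` is not a comment — inside a method body it is an expression statement that Python evaluates and discards — so it should be a `#` comment, e.g. `# Non-VPC (isolated/redundant/dhcpsrvr) routers: install control-plane rules and DROP policies after post-config`. The VPC check here also duplicates the `if self.config.is_vpc(): return` guard inside `setup_router_control` in the next hunk; one of the two is enough. The enclosing method starts above the hunk.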
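Review bot: `setup_router_control` hard-codes `eth1` for the 3922 control rule, whereas the code it replaces (the `get_type() in ["control"]` block removed further down in this file) derived the interface from `self.dev`; combined with the `-P INPUT DROP` appended right after it, any router variant whose control/link-local interface is not eth1 would end up with management SSH locked out rather than merely unfiltered. Keeping the interface-derived form, `"-A INPUT -i %s -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT" % self.dev`, behind the control-type check avoids that; the same hard-coding of `eth0` appears in the `fw_vpcrouter` hunk later in this file. Note also that no chain-wide `-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT` is appended alongside the DROP policy here — the FW_OUTBOUND one added above it is a different chain — so existing management sessions rely on the static router file having one, which this diff does not show. A docstring stating that this method installs the control-plane access rules and then flips INPUT/FORWARD to DROP would help, and the method ends with two blank lines where one is the convention.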
@@ -480,6 +492,11 @@ class CsIP: self.fw.append(["", "", "-A NETWORK_STATS -i eth2 -o eth0 -p tcp"]) self.fw.append(["", "", "-A NETWORK_STATS ! -i eth0 -o eth2 -p tcp"]) self.fw.append(["", "", "-A NETWORK_STATS -i eth2 ! -o eth0 -p tcp"]) + + self.fw.append(["filter", "", "-A INPUT -i eth0 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT"]) + + self.fw.append(["filter", "", "-P INPUT DROP"]) + self.fw.append(["filter", "", "-P FORWARD DROP"]) def post_config_change(self, method): route = CsRoute() @@ -491,6 +508,7 @@ class CsIP: self.fw_router() self.fw_vpcrouter() + # On deletion nw_type will no longer be known if self.get_type() in ["guest"] and self.config.is_vpc():
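Review bot: `-P INPUT DROP` and `-P FORWARD DROP` are pushed through `self.fw` with an empty position field as if they were rule appends, and since `fw_vpcrouter` appears to run from `post_config_change` for every `CsIP` (the calls are visible in the next hunk), the same policy entries and the eth0 3922 rule are queued once per configured address. Whether the consumer of `self.fw` understands `-P` entries, deduplicates them, and applies the chain-wide `ESTABLISHED,RELATED` rule before the policy flips is outside this diff and worth confirming, because a policy change is not a rule append and is applied to the live chain. A comment on these two lines such as `# chain policies, not rules: idempotent, applied once regardless of how many addresses run this` would make the intent explicit; the hard-coded `eth0` has the same issue raised on `setup_router_control` above.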