More tweaks for non-segmented control network. Also APT exception

to allow ssh from ops.emulab.net.

More tweaks for non-segmented control network. Also APT exception
to allow ssh from ops.emulab.net.
2da7373d · Leigh B Stoller · c3ed7492 · 2da7373d · 2da7373d
Commit 2da7373d authored Apr 03, 2014 by Leigh B Stoller
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 13 deletions

firewall/initfwvars.pl.in firewall/initfwvars.pl.in +19 -4

firewall/iptables-fw-domU-rules firewall/iptables-fw-domU-rules +12 -9

No files found.
--- a/firewall/initfwvars.pl.in
+++ b/firewall/initfwvars.pl.in
@@ -49,6 +49,12 @@ my $USERNODE_IP        = "@USERNODE_IP@";
 my $FSNODE_IP          = "@FSNODE_IP@";
 my $FRISBEE_MCASTADDR  = "@FRISEBEEMCASTADDR@";
 my $FRISBEE_MCASTPORT  = "@FRISEBEEMCASTPORT@";
+#
+# Sorry these are hardwired; boss/ops addresses on the virtual control
+# network, on non-segmented networks like the IG racks.
+#
+my $EMULAB_VCBOSS      = "172.17.254.254";
+my $EMULAB_VCOPS       = "172.17.253.254";
 #
 # Untaint the path
@@ -175,11 +181,8 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
 }
 #
-# Sorry these are hardwired. 
+# Boss/Ops on the virtual control network, non-segmented.
 #
-my $EMULAB_VCBOSS = "172.17.254.254";
-my $EMULAB_VCOPS  = "172.17.253.254";
 $str = "replace into default_firewall_vars values ".
    "('EMULAB_VCBOSS', '$EMULAB_VCBOSS'), ".
    "('EMULAB_VCOPS',  '$EMULAB_VCOPS')";
@@ -189,6 +192,18 @@ print "$str\n"
 DBQueryFatal($str)
    if ($doit);
+#
+# FS can have a virtual control network address, but ignore fs/ops
+# distinction. 
+#
+$str = "replace into default_firewall_vars values ".
+    "('EMULAB_FSIPS', '$FSNODE_IP,$EMULAB_VCOPS') ";
+print "$str\n"
+    if (!$doit);
+DBQueryFatal($str)
+    if ($doit);
 #
 # Create EMULAB_MCADDR and EMULAB_MCPORT variables
 #

--- a/firewall/iptables-fw-domU-rules
+++ b/firewall/iptables-fw-domU-rules
@@ -123,6 +123,9 @@ iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctsta
 iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
 # This is the alternate sshd rule for containers. 
 iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
+iptables -A OUTSIDE -p tcp -s boss,ops --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
+# For APT shellinabox, which comes in from Utah ops.
+iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
 iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
 iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
 iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
@@ -147,15 +150,15 @@ iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
 # 8k read/write size.  Perhaps we should dial down the read/write size for
 # firewalled experiments.
 #
-iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -p udp -d EMULAB_FSIPS \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
-iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED
+iptables -A INSIDE -d EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
-iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED
+iptables -A OUTSIDE -s EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
 # Special services