Commit 2da7373d authored by Leigh B Stoller's avatar Leigh B Stoller

More tweaks for non-segmented control network. Also APT exception

to allow ssh from ops.emulab.net.
parent c3ed7492
...@@ -49,6 +49,12 @@ my $USERNODE_IP = "@USERNODE_IP@"; ...@@ -49,6 +49,12 @@ my $USERNODE_IP = "@USERNODE_IP@";
my $FSNODE_IP = "@FSNODE_IP@"; my $FSNODE_IP = "@FSNODE_IP@";
my $FRISBEE_MCASTADDR = "@FRISEBEEMCASTADDR@"; my $FRISBEE_MCASTADDR = "@FRISEBEEMCASTADDR@";
my $FRISBEE_MCASTPORT = "@FRISEBEEMCASTPORT@"; my $FRISBEE_MCASTPORT = "@FRISEBEEMCASTPORT@";
#
# Sorry these are hardwired; boss/ops addresses on the virtual control
# network, on non-segmented networks like the IG racks.
#
my $EMULAB_VCBOSS = "172.17.254.254";
my $EMULAB_VCOPS = "172.17.253.254";
# #
# Untaint the path # Untaint the path
...@@ -175,11 +181,8 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) { ...@@ -175,11 +181,8 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
} }
# #
# Sorry these are hardwired. # Boss/Ops on the virtual control network, non-segmented.
# #
my $EMULAB_VCBOSS = "172.17.254.254";
my $EMULAB_VCOPS = "172.17.253.254";
$str = "replace into default_firewall_vars values ". $str = "replace into default_firewall_vars values ".
"('EMULAB_VCBOSS', '$EMULAB_VCBOSS'), ". "('EMULAB_VCBOSS', '$EMULAB_VCBOSS'), ".
"('EMULAB_VCOPS', '$EMULAB_VCOPS')"; "('EMULAB_VCOPS', '$EMULAB_VCOPS')";
...@@ -189,6 +192,18 @@ print "$str\n" ...@@ -189,6 +192,18 @@ print "$str\n"
DBQueryFatal($str) DBQueryFatal($str)
if ($doit); if ($doit);
#
# FS can have a virtual control network address, but ignore fs/ops
# distinction.
#
$str = "replace into default_firewall_vars values ".
"('EMULAB_FSIPS', '$FSNODE_IP,$EMULAB_VCOPS') ";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
# #
# Create EMULAB_MCADDR and EMULAB_MCPORT variables # Create EMULAB_MCADDR and EMULAB_MCPORT variables
# #
......
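Review bot: The `EMULAB_FSIPS` value written by the new `replace into default_firewall_vars` statement always appends `$EMULAB_VCOPS` (the hardwired 172.17.253.254) to `$FSNODE_IP`, so the INSIDE portmap/NFS rules keyed on that variable open traffic toward that address on every installation, not only on racks that actually run a non-segmented control network with ops at that address. Unless this script only ever runs on such racks, the extra address should be appended under the same condition that selects the non-segmented configuration, e.g. `my $fsips = $nonsegmented ? "$FSNODE_IP,$EMULAB_VCOPS" : $FSNODE_IP;` — the flag that expresses that is not visible in these hunks (the `$VIRTNODE_NETWORK` match above tests the address format, not segmentation), so confirm against the rest of the file. The comment should also explain why dropping the fs/ops distinction is acceptable, e.g. `# On non-segmented racks fs traffic may be answered from the virtual control ops address, so it is accepted as an fs address as well.`; the preceding "Sorry these are hardwired" note would be better served by an `@EMULAB_VCOPS@`-style configure substitution like the other addresses at the top of the file. The statements are complete within the hunks, but the surrounding script begins and ends outside them.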
...@@ -123,6 +123,9 @@ iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctsta ...@@ -123,6 +123,9 @@ iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctsta
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
# This is the alternate sshd rule for containers. # This is the alternate sshd rule for containers.
iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A OUTSIDE -p tcp -s boss,ops --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
# For APT shellinabox, which comes in from Utah ops.
iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
...@@ -147,15 +150,15 @@ iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED ...@@ -147,15 +150,15 @@ iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
# 8k read/write size. Perhaps we should dial down the read/write size for # 8k read/write size. Perhaps we should dial down the read/write size for
# firewalled experiments. # firewalled experiments.
# #
iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -d EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED iptables -A OUTSIDE -s EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
# Special services # Special services
......
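Review bot: The new `# CLOSED` rule with `-s ops.emulab.net` uses a DNS name where every other source in this file is a symbolic address the firewall code substitutes (`boss`, `ops`, `myboss`, `EMULAB_FSIPS`); if that literal reaches iptables unsubstituted, it is resolved once at rule-load time, so the accepted source becomes whatever the rack's resolver answered at that moment (every A record, if several), and a resolution failure makes the rule, and with it the rule set, fail to load. For a rule that opens the container sshd port of every CLOSED-firewalled experiment to an off-site host, pin it to a configured address instead, e.g. a `default_firewall_vars` entry such as `EMULAB_APTOPS` populated from site configuration, and write the rule as `iptables -A OUTSIDE -p tcp -s EMULAB_APTOPS --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED`. Whether a rack that does not serve APT logins should carry this exception at all deserves a comment on the rule, e.g. `# APT shellinabox proxy; only meaningful on racks that accept APT logins.`. Note also that the `-s boss,ops` form on the preceding rule relies on the substitution (or iptables) expanding a comma-separated address list, which is not otherwise used for sources in this file.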