Support iptables for firewalled elabinelab

3a5d522f · Ryan Jackson · cfbcf2c4 · 3a5d522f · 3a5d522f · 3a5d522f
Commit 3a5d522f authored Feb 03, 2012 by Ryan Jackson
--- a/db/libdb.pm.in
+++ b/db/libdb.pm.in
@@ -2013,8 +2013,8 @@ sub TBNodeStateWait ($$$$@) {
 # XXX only returns true for experiments with VLAN-based firewalls.
 # XXX this will need to change if we support multiple firewalls per experiment.
 #
-sub TBExptFirewall ($$;$$$) {
-    my ($pid, $eid, $fwnodep, $fwvlanidp, $fwvlanp) = @_;
+sub TBExptFirewall ($$;$$$$) {
+    my ($pid, $eid, $fwnodep, $fwvlanidp, $fwvlanp, $fwtypep) = @_;
    my $query_result;

    #
@@ -2038,7 +2038,7 @@ sub TBExptFirewall ($$;$$$) {
    # will be NULL.
    #
    $query_result =
-	DBQueryWarn("select r.node_id,f.vlan,f.vlanid from ".
+	DBQueryWarn("select r.node_id,f.vlan,f.vlanid,v.type from ".
 		    "   virt_firewalls as v ".
 		    "left join firewalls as f on f.pid=v.pid and f.eid=v.eid ".
 		    "left join reserved as r on r.pid=v.pid and ".
@@ -2062,6 +2062,8 @@ sub TBExptFirewall ($$;$$$) {
 	if (defined($fwvlanp));
    $$fwvlanidp = $row[2]
 	if (defined($fwvlanidp));
+    $$fwtypep = $row[3]
+	if (defined($fwtypep));
    return 1;
 }


--- a/firewall/iptables-fw-rules
+++ b/firewall/iptables-fw-rules
@@ -96,6 +96,9 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
 iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
 iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB

+# DNS to NS (firewall)
+iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
+
 #
 # Nobody on the inside can talk to the firewall.
 # Prevents anyone spoofing "me", "boss", "ops", etc.
@@ -130,7 +133,6 @@ iptables -A INSIDE -d me -j DROP # BASIC,CLOSED,ELABINELAB
 #
 iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
 iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
-iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB

 #
 # Otherwise, nodes inside/outside of the firewall cannot talk to each other. 
@@ -138,11 +140,10 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
 iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
 iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB

-# DNS to NS
+# DNS to NS (for firewalled nodes)
 # Note: elabinelab myops/myfs use myboss for NS
 iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
 iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
-iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

 # ssh from boss (for reboot, etc.) and others if appropriate
 iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
@@ -152,15 +153,6 @@ iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW
 iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
 iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
 iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
-#
-# XXX early on in Emulab setup boss will ssh in and insert a rule at the
-# beginning to allow all traffic.  Later we ssh in again to remove that rule.
-# In order for the latter ssh command to complete, we have to make sure that
-# an established connection to boss continues to work.
-#
-#iptables -A OUTPUT -p tcp -s me --sport 22 -d boss -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
-#iptables -A INPUT -p tcp -s boss -d me --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
-

 # NTP to ntp servers
 # Note: elabinelab myops/myfs use myboss for NTP

--- a/tbsetup/elabinelab.in
+++ b/tbsetup/elabinelab.in
@@ -196,7 +196,8 @@ exit(0)
 # See if the experiment is firewalled
 #
 my $firewall;
-my $firewalled = TBExptFirewall($pid, $eid, \$firewall);
+my $fwtype;
+my $firewalled = TBExptFirewall($pid, $eid, \$firewall, undef, undef, \$fwtype);

 #
 # Presetup; turn off firewall.
@@ -207,7 +208,11 @@ if ($fwboot) {
    
    print "Turning off firewall rules on $firewall\n";
    $UID = 0;
-    system("$SSH -host $firewall ipfw add 1 allow all from any to any");
+    if ($fwtype =~ /^iptables/) {
+        system("$SSH -host $firewall iptables -I FORWARD 1 -j ACCEPT");
+    } else {
+        system("$SSH -host $firewall ipfw add 1 allow all from any to any");
+    }
    if ($?) {
 	die("*** $0:\n".
 	    "    Error turning off firewall rules ($firewall)!\n");
@@ -600,13 +605,20 @@ skipsetup:
 #
 #
 if ($firewalled) {
+    my $cmd;
+
+    if ($fwtype =~ /^iptables/) {
+        $cmd = "$SSH -host $firewall iptables -D FORWARD 1";
+    } else {
+        $cmd = "$SSH -host $firewall ipfw delete 1";
+    }
    print "Turning firewall back on\n";
    $UID = 0;
-    system("$SSH -host $firewall ipfw delete 1");
+    system($cmd);
    if ($?) {
 	print STDERR "*** Error turning back on firewall rules ($firewall)!\n".
 		     "    Will retry again.\n";
-	system("$SSH -host $firewall ipfw delete 1");
+	system($cmd);
 	if ($?) {
 	    die("*** $0:\n".
 		"    Error turning back on firewall rules! Retry failed.\n");