emulab / emulab-devel / Commits / 3a5d522f

Commit 3a5d522f, authored Feb 03, 2012 by Ryan Jackson

Support iptables for firewalled elabinelab

parent cfbcf2c4

Changes: 3
db/libdb.pm.in
@@ -2013,8 +2013,8 @@ sub TBNodeStateWait ($$$$@) {
#
XXX
only
returns
true
for
experiments
with
VLAN
-
based
firewalls
.
#
XXX
this
will
need
to
change
if
we
support
multiple
firewalls
per
experiment
.
#
sub
TBExptFirewall
($$;$$$)
{
my
($
pid
,
$
eid
,
$
fwnodep
,
$
fwvlanidp
,
$
fwvlanp
)
=
@
_
;
sub
TBExptFirewall
($$;$$$
$
)
{
my
($
pid
,
$
eid
,
$
fwnodep
,
$
fwvlanidp
,
$
fwvlanp
,
$
fwtypep
)
=
@
_
;
my
$
query_result
;
#
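Review bot: the new prototype `($$;$$$$)` adds a fourth optional reference, `$fwtypep`, but the header comment above (`# XXX only returns true for experiments with VLAN-based firewalls.`) is not updated to say what is stored through it; add a line documenting that it receives the firewall type string and that, like the other optional references, it is only written when the caller passes it.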
@@ -2038,7 +2038,7 @@ sub TBExptFirewall ($$;$$$) {
#
will
be
NULL
.
#
$
query_result
=
DBQueryWarn
(
"select r.node_id,f.vlan,f.vlanid from "
.
DBQueryWarn
(
"select r.node_id,f.vlan,f.vlanid
,v.type
from "
.
" virt_firewalls as v "
.
"left join firewalls as f on f.pid=v.pid and f.eid=v.eid "
.
"left join reserved as r on r.pid=v.pid and "
.
@@ -2062,6 +2062,8 @@ sub TBExptFirewall ($$;$$$) {
if
(
defined
($
fwvlanp
));
$$
fwvlanidp
=
$
row
[
2
]
if
(
defined
($
fwvlanidp
));
$$
fwtypep
=
$
row
[
3
]
if
(
defined
($
fwtypep
));
return
1
;
}
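Review bot: `$$fwtypep = $row[3]` relies on `v.type` being the fourth selected column in the query changed above, and the callers in `tbsetup/elabinelab.in` then test the string with `/^iptables/`; document the accepted values of the type column next to this assignment (or normalise it here, e.g. lowercase it) so the prefix match in callers and the column contents cannot drift apart.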
firewall/iptables-fw-rules
@@ -96,6 +96,9 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
# DNS to NS (firewall)
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
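Review bot: the `iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 ... -j ACCEPT` rule added here is the same rule dropped from the `# DNS to NS` block later in this file, and nothing in the hunk says why it now has to sit before the "Nobody on the inside can talk to the firewall" section; it is in the OUTPUT chain, so its position relative to the INSIDE rules does not change matching, and the `# DNS to NS (firewall)` comment should state the actual reason for the move (or the rule should stay with the other DNS rules).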
@@ -130,7 +133,6 @@ iptables -A INSIDE -d me -j DROP # BASIC,CLOSED,ELABINELAB
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
@@ -138,11 +140,10 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
# DNS to NS
# DNS to NS
(for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
@@ -152,15 +153,6 @@ iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
#
# XXX early on in Emulab setup boss will ssh in and insert a rule at the
# beginning to allow all traffic. Later we ssh in again to remove that rule.
# In order for the latter ssh command to complete, we have to make sure that
# an established connection to boss continues to work.
#
#iptables -A OUTPUT -p tcp -s me --sport 22 -d boss -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
#iptables -A INPUT -p tcp -s boss -d me --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
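Review bot: removing the `XXX early on in Emulab setup boss will ssh in and insert a rule ...` comment drops the only explanation in this file of the insert-then-remove dance that `tbsetup/elabinelab.in` still performs (`iptables -I FORWARD 1 -j ACCEPT`, later `iptables -D FORWARD 1`), including why an already-established ssh session from boss must keep working while the allow-all rule is being removed; if that concern is now covered by another rule, say so in a one-line comment here or in the commit message rather than dropping the rationale silently.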
tbsetup/elabinelab.in
@@ -196,7 +196,8 @@ exit(0)
# See if the experiment is firewalled
#
my
$firewall
;
my
$firewalled
=
TBExptFirewall
(
$pid
,
$eid
,
\
$firewall
);
my
$fwtype
;
my
$firewalled
=
TBExptFirewall
(
$pid
,
$eid
,
\
$firewall
,
undef
,
undef
,
\
$fwtype
);
#
# Presetup; turn off firewall.
@@ -207,7 +208,11 @@ if ($fwboot) {
print
"
Turning off firewall rules on
$firewall
\n
";
$UID
=
0
;
system
("
$SSH
-host
$firewall
ipfw add 1 allow all from any to any
");
if
(
$fwtype
=~
/^iptables/
)
{
system
("
$SSH
-host
$firewall
iptables -I FORWARD 1 -j ACCEPT
");
}
else
{
system
("
$SSH
-host
$firewall
ipfw add 1 allow all from any to any
");
}
if
(
$?
)
{
die
("
*** $0:
\n
"
.
"
Error turning off firewall rules (
$firewall
)!
\n
");
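Review bot: `$fwtype =~ /^iptables/` runs on an undefined value when `TBExptFirewall` finds no firewall row (`my $fwtype;` is only assigned through the reference), which produces an uninitialized-value warning and silently takes the ipfw branch; guard it with `defined($fwtype) && $fwtype =~ /^iptables/`, or die if `$fwtype` is unset once `$fwboot` is true. Also note the asymmetry: `ipfw add 1 allow all from any to any` opens everything on the host, whereas `iptables -I FORWARD 1 -j ACCEPT` opens only forwarded traffic; confirm that INPUT/OUTPUT on the firewall need no equivalent during setup and say so in a comment.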
@@ -600,13 +605,20 @@ skipsetup:
#
#
if
(
$firewalled
)
{
my
$cmd
;
if
(
$fwtype
=~
/^iptables/
)
{
$cmd
=
"
$SSH
-host
$firewall
iptables -D FORWARD 1
";
}
else
{
$cmd
=
"
$SSH
-host
$firewall
ipfw delete 1
";
}
print
"
Turning firewall back on
\n
";
$UID
=
0
;
system
(
"
$SSH
-host
$firewall
ipfw delete 1
"
);
system
(
$cmd
);
if
(
$?
)
{
print
STDERR
"
*** Error turning back on firewall rules (
$firewall
)!
\n
"
.
"
Will retry again.
\n
";
system
(
"
$SSH
-host
$firewall
ipfw delete 1
"
);
system
(
$cmd
);
if
(
$?
)
{
die
("
*** $0:
\n
"
.
"
Error turning back on firewall rules! Retry failed.
\n
");
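Review bot: `iptables -D FORWARD 1` deletes whatever rule currently occupies position 1, whereas `ipfw delete 1` deletes by the stable rule number assigned at insertion; if anything else inserted a FORWARD rule in the meantime, the wrong rule is removed, and the retry below would then remove a second one. Delete by specification instead, `iptables -D FORWARD -j ACCEPT`, which removes the first rule matching exactly what `iptables -I FORWARD 1 -j ACCEPT` inserted, so both the first attempt and the retry target the same rule.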