# # Copyright (c) 2005-2014 University of Utah and the Flux Group. # # {{{EMULAB-LICENSE # # This file is part of the Emulab network testbed software. # # This file is free software: you can redistribute it and/or modify it # under the terms of the GNU Affero General Public License as published by # the Free Software Foundation, either version 3 of the License, or (at # your option) any later version. # # This file is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public # License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this file. If not, see . # # }}} # # # Firewall rule template. # # Each line consists of an iptables or ebtables rule, a '#' denoted "comment" # at the end of the line indicates a rule number to use, a comma separated # list of styles to which the rule applies, and an optional qualifier that # indicates the types of firewalled nodes to which the rule should apply. # # Styles: # # OPEN allows everything # CLOSED allows only Emulab infrastructure services # BASIC CLOSED + ssh from anywhere # ELABINELAB Elab-in-elab, eliminates many Emulab services # # Qualifiers: # # WINDOWS For nodes running some variant of Windows # SAMENET For nodes that are on the same subnet as any # "control" host (boss, subbosses, ops, fs). # # Note that currently, we do not support the qualifier. Rules with a # qualifier are applied unconditionally to the style which they are a part of. # # Variables expanded by rc.firewall script that can be used here: # # EMULAB_GWIP IP address of gateway # EMULAB_VGWIP IP address of gateway on virtual node network # EMULAB_NS IP address of name server # EMULAB_CNET Node control network in CIDR notation # EMULAB_VCNET Virtual node control network in CIDR notation # EMULAB_MCADDR Multicast address range used by frisbee # EMULAB_MCPORT Port range used by frisbee # EMULAB_BOSSES Comma separated list of subbosses (including "boss"), # used for services that subbosses provide # (dhcp/tftp/frisbee). # EMULAB_SERVERS Comma separated list of all servers # (EMULAB_BOSSES + "ops" + "fs") # # Currently these are sufficient for rules we use. Note that you can # safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1" # and "ntp2" as they are all guaranteed to resolve, either via the local # hosts file or via DNS (assuming the firewall is not yet up or allows # DNS traffic, which it should at that point in time). # # For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs" # are also valid for naming the respective inner servers. # # Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced # with the physical control net device, the VLAN device, and the firewall's # control net IP address respectively. # # # NOTE!!! The basic firewall rules are set up on client during # container setup. # # Allow everything from the gateway, since the gateway may be part of the node control net iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB # On a non-segmented control network (like an IG rack), boss/ops # have aliases on the virtual node network. Allows these though. iptables -A OUTSIDE -s EMULAB_VCBOSS,EMULAB_VCOPS -j ACCEPT # BASIC,CLOSED,ELABINELAB # # No one on the inside can talk to other experiments' nodes and visa-versa. # # XXX currently we only do this for the heavier weight firewalls because # the user cannot override this. # # Note that this does not apply to nodes within this experiment because # those packets never come to the firewall. # # Note also that EMULAB_CNET is only the "node control net" and does not # include the public/private nets for boss, ops, etc. # # XXX yuk! The gateway *is* part of EMULAB_CNET, and assorted packets do # come from it: # * IGMP and PIM traffic # * DHCP replies from boss appear to have come from the gateway # (due to the helper function). # so for now we allow any IP traffic from the gateway. # # # XXX yuk 2! In a non-segmented control network or in a configuration with # subbosses, some or all of the server machines will be a part of "the node # control net" so we cannot unconditionally block all traffic to/from outside # control net addresses. Here we allow through all traffic involving the known # servers and let later rules further limit it. # iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET #iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET # DNS to NS (for firewalled nodes) # Note: elabinelab myops/myfs use myboss for NS iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # ssh from boss (for reboot, etc.) and others if appropriate iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC # This is the alternate sshd rule for containers. iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC iptables -A OUTSIDE -p tcp -s boss,ops --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED # For APT shellinabox, which comes in from Utah ops. iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # NTP to ntp server # Note: elabinelab myops/myfs use myboss for NTP iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # syslog with ops iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED # # NFS # DANGER WILL ROBINSON!!! # Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs # # Note that we have to allow IP fragments through due to the default # 8k read/write size. Perhaps we should dial down the read/write size for # firewalled experiments. # iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_FSIPS \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -d EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED iptables -A OUTSIDE -s EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED # Special services # pubsubd to ops (unicast TCP and multicast UDP) iptables -A INSIDE -p udp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED # And to the local proxy. iptables -A INSIDE -p udp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p tcp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED # slothd to boss iptables -A INSIDE -p udp -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED # The inner boss also needs to SSLXMLRPC to real boss to start frisbeed # for image transfer. Note that this rule must be before other XMLRPC rule # (blocking connections from inside). iptables -A INSIDE -p tcp -s myboss -d boss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside iptables -A OUTSIDE -p tcp -d myboss --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # ,ELABINELAB iptables -A OUTSIDE -p tcp -d myboss --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB iptables -A OUTSIDE -p tcp -d myboss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # Ping, IPoD from boss and dom0 # should we allow all ICMP in general? iptables -A INSIDE -p icmp -j ACCEPT # BASIC iptables -A OUTSIDE -p icmp -j ACCEPT # BASIC iptables -A OUTSIDE -p icmp -s boss --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB iptables -A OUTSIDE -p icmp -s boss --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB iptables -A INSIDE -p icmp -d boss --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB iptables -A OUTSIDE -p icmp -s me --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB iptables -A OUTSIDE -p icmp -s me --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB iptables -A INSIDE -p icmp -d me --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB # Boot time only services (DHCP, TFTP, bootinfo, TMCC). # # TMCC rules are established on the fly on the physical host, since each # container gets its own tmcc proxy on a different port. # # DHCP requests from, and replies to, inside requests are always broadcast, # replies may be broadcast or unicast iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES -d EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB # # Explicit drop rules so that we do not return to the calling chain. # We need these in case dom0 is not doing firewalls too, in which # case the default chain policy is ACCEPT instead of DROP. # iptables -A INSIDE -j DROP # BASIC,CLOSED,ELABINELAB iptables -A OUTSIDE -j DROP # BASIC,CLOSED,ELABINELAB