iptables-fw-rules 16.9 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
#
# EMULAB-COPYRIGHT
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#

#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule, a '#' denoted "comment"
# at the end of the line indicates a rule number to use, a comma separated
# list of styles to which the rule applies, and an optional qualifier that
# indicates the types of firewalled nodes to which the rule should apply.
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
#
# Variables expanded by rc.firewall script that can be used here:
#
#	EMULAB_GWIP	IP address of gateway
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#

#
# Set up default policies for the standard chains
# For all but the wide-open case, the default should
# be to DROP.
#
iptables -P INPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P OUTPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P FORWARD DROP # BASIC,CLOSED,ELABINELAB

#
# Match existing dynamic rules very early
#
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Create a chain for forwarded/bridged packets coming
# from nodes on the vlan.  If it already exists, flush
# it.  Likewise for packets coming from nodes outside
# the vlan.  Note that these don't affect packets sent
# to the firewall itself.
#
iptables -N INSIDE # BASIC,CLOSED,ELABINELAB
iptables -F INSIDE # BASIC,CLOSED,ELABINELAB
iptables -N OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
85 86 87

# Inside nodes cannot spoof other IP addresses
iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
88 89
iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB

90 91 92
# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB

93 94 95
# Can talk to myself.  Does this do anything?
# This appears to be used by elvind?
#iptables -A INPUT -s me -d me -j ACCEPT # BASIC,CLOSED,ELABINELAB
96 97
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
98

99 100 101
# DNS to NS (firewall)
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142
#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
#
iptables -A INSIDE -d me -j DROP # BASIC,CLOSED,ELABINELAB

#
# No one on the inside can talk to other experiments' nodes and visa-versa.
#
# XXX currently we only do this for the heavier weight firewalls because
# the user cannot override this.
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk!  The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
#  * IGMP and PIM traffic
#  * DHCP replies from boss appear to have come from the gateway
#    (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
#
# XXX yuk 2!  In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET

#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other. 
#
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB

143
# DNS to NS (for firewalled nodes)
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC

# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -p udp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# syslog with ops
iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me --sport 514 -d ops --dport 514 -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -s me -d fs -f -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -s fs -d me -f -j ACCEPT # BASIC,CLOSED,ELABINELAB

# Special services

# cvsup to boss
iptables -A INSIDE -p tcp -d boss --dport 5999 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d boss --dport 5999 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# elvind or pubsubd to ops (unicast TCP and multicast UDP)
iptables -A INSIDE -p udp -d ops --dport 2917 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 2917 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# slothd to boss
iptables -A INSIDE -p udp -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED,ELABINELAB

# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
iptables -A INSIDE -p tcp -s myboss -d boss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
iptables -A OUTSIDE -p tcp -d myboss --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

#
# Frisbee master server from boss
# elabinelab: boss to myboss
#
iptables -A INSIDE -p tcp -d EMULAB_BOSSES --dport 64494 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -s myboss -d EMULAB_BOSSES --dport 64494 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

#
# Frisbee multicast with boss
#  * nodes mcast everything to boss (joins, leaves and requests): 60046
#  * boss mcasts blocks to same mcaddr/port: 60047
#  * boss unicasts join replies to same port: 60048
#  * node and switch need to IGMP: 60049
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss.  Re-imaging anything else from outside would be a disaster.
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#

iptables -A INSIDE -p udp -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT --dport EMULAB_MCPORT -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d myboss --dport EMULAB_MCPORT -j ACCEPT # ELABINELAB

iptables -A INSIDE -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB

# Ping, IPoD from boss
# should we allow all ICMP in general?
iptables -A INSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -s boss --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s boss --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d boss --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -s boss -d me -p icmp --icmp-type 6 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -s boss -d me -p icmp --icmp-type 8 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -s me -d boss -p icmp --icmp-type 0 -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Windows
# allow http, https (80,443) outbound for windows/cygwin updates
# SMB (445) with fs
# rdesktop (3389) to nodes
#
iptables -A INSIDE -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A INSIDE -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A INSIDE -p tcp -d fs --dport 445 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A OUTSIDE -p tcp \! --sport 0:1023 --dport 3389 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS


#
# Windows
# Explicitly stop blaster (135,4444) and slammer (1434)
#
iptables -A INPUT -p tcp --dport 135 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
iptables -A INPUT -p tcp --dport 4444 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
iptables -A INPUT -p udp --dport 1434 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS

# Boot time only services (DHCP, TFTP, bootinfo, TMCC).

# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
Ryan Jackson's avatar
Ryan Jackson committed
305
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
306
iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES -d EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB
307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330

#
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide.
#
# Note that for elabinelab, inside nodes still need to be able to talk to
# real boss for PXE boot.
#
iptables -A INSIDE -p udp -d EMULAB_BOSSES,ops --dport 69 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES,ops \! --sport 0:1023 \! --dport 0:1023 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Emulab bootinfo with boss (nodes request/receive info or boss does PXEWAKEUP)
# XXX do we really need this for elabinelab inner nodes?
#
iptables -A INSIDE -p udp -d boss --dport 6969 --sport 9696 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s boss --sport 6970 --dport 9696 -j ACCEPT # BASIC,CLOSED,ELABINELAB

# TMCC (udp or tcp) with boss
iptables -A INSIDE -p tcp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB