iptables-fw-domU-rules 10.3 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule, a '#' denoted "comment"
# at the end of the line indicates a rule number to use, a comma separated
# list of styles to which the rule applies, and an optional qualifier that
# indicates the types of firewalled nodes to which the rule should apply.
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
#
# Variables expanded by rc.firewall script that can be used here:
#
#	EMULAB_GWIP	IP address of gateway
#	EMULAB_VGWIP	IP address of gateway on virtual node network
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_VCNET	Virtual node control network in CIDR notation
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#
#
# NOTE!!! The basic firewall rules are set up on client during
#         container setup.
#

# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB

84 85
# On a non-segmented control network (like an IG rack), boss/ops
# have aliases on the virtual node network. Allows these though.
86
iptables -A OUTSIDE -s EMULAB_VCBOSS,EMULAB_VCOPS -j ACCEPT # BASIC,CLOSED,ELABINELAB
87

88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125
#
# No one on the inside can talk to other experiments' nodes and visa-versa.
#
# XXX currently we only do this for the heavier weight firewalls because
# the user cannot override this.
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk!  The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
#  * IGMP and PIM traffic
#  * DHCP replies from boss appear to have come from the gateway
#    (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
#
# XXX yuk 2!  In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
#iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET

# DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
# This is the alternate sshd rule for containers. 
iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
126 127 128
iptables -A OUTSIDE -p tcp -s boss,ops --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
# For APT shellinabox, which comes in from Utah ops.
iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# NTP to ntp server
# Note: elabinelab myops/myfs use myboss for NTP
iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# syslog with ops
iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED

#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
153 154 155 156 157 158 159 160 161
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214

# Special services

# pubsubd to ops (unicast TCP and multicast UDP)
iptables -A INSIDE -p udp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
# And to the local proxy.
iptables -A INSIDE -p udp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED

# slothd to boss
iptables -A INSIDE -p udp -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED

# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
iptables -A INSIDE -p tcp -s myboss -d boss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
iptables -A OUTSIDE -p tcp -d myboss --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # ,ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# Ping, IPoD from boss and dom0
# should we allow all ICMP in general?
iptables -A INSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -s boss --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s boss --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d boss --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s me --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s me --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d me --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB

# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
#
# TMCC rules are established on the fly on the physical host, since each
# container gets its own tmcc proxy on a different port.
#

# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES -d EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Explicit drop rules so that we do not return to the calling chain.
# We need these in case dom0 is not doing firewalls too, in which
# case the default chain policy is ACCEPT instead of DROP.
#
iptables -A INSIDE -j DROP # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -j DROP # BASIC,CLOSED,ELABINELAB