#
# Copyright (c) 2005-2016 University of Utah and the Flux Group.
# 
# {{{EMULAB-LICENSE
# 
# This file is part of the Emulab network testbed software.
# 
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
# 
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public
# License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this file.  If not, see <http://www.gnu.org/licenses/>.
# 
# }}}
#

#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule followed by a '#'
# denoted "comment".  That comment carries a rule number to use, a comma
# separated list of styles to which the rule applies, and an optional
# qualifier that indicates the types of firewalled nodes to which the rule
# should apply.
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
#
# Variables expanded by rc.firewall script that can be used here:
#
#	EMULAB_GWIP	IP address of gateway
#	EMULAB_VGWIP	IP address of gateway on virtual node network
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_VCNET	Virtual node control network in CIDR notation
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users" and "ntp1"
# as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#

#
# Match existing dynamic rules very early
#
#
# Match existing dynamic rules very early.
#
# Every connection admitted by a rule below is tracked by conntrack, so its
# later packets (and RELATED ones, e.g. ICMP errors) are accepted here in
# both directions and the remaining rules only ever have to match NEW
# traffic.  This is also the only rule in this template tagged for OPEN.
#
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # OPEN,BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # OPEN,BASIC,CLOSED,ELABINELAB

# Loopback traffic.  The original note here questioned whether anything
# needs this (elvind was the suspected user).  It is harmless either way:
# only packets on the lo interface itself match.
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# dom0 may interact with the Emulab infrastructure servers (EMULAB_SERVERS:
# boss, subbosses, ops, fs) in any way it wants: any protocol, any port,
# in either direction, as long as the local address is the firewall's own
# control net address ("me").  Trust here rests solely on the peer's IP
# address; there is no interface restriction.
#
iptables -A INPUT -d me -s EMULAB_SERVERS -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -s me -d EMULAB_SERVERS -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Frisbee multicast with boss
#  * nodes mcast everything to boss (joins, leaves and requests): 60046
#  * boss mcasts blocks to same mcaddr/port: 60047
#  * boss unicasts join replies to same port: 60048
#  * node and switch need to IGMP: 60049
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss.  Re-imaging anything else from outside would be a disaster.
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
# NOTE(review): both INPUT rules trust the bosses' source address and source
# port only (the multicast one carries no conntrack state at all), so a host
# on the control net able to spoof a boss address reaches the frisbee port
# range.  That is inherent in the multicast design described above.
#
iptables -A OUTPUT -p udp -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A INPUT -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT --dport EMULAB_MCPORT -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED

# IGMP joins/leaves (60049).  Accepted from and to any address: IGMP has no
# port to narrow on and, per the note above, the peer is the switch rather
# than one of the servers we know by address.
iptables -A INPUT -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB

# Allow everything from the gateway, since the gateway may be part of the node control net
# NOTE(review): this is an unconditional, address-only accept (no protocol,
# port, state or interface match), so the gateway addresses are fully
# trusted; any anti-spoofing for them has to happen upstream of this host.
iptables -A INPUT -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# In BASIC, we allow ssh from anywhere on port 22, but we rate limit it.
#
# Rate-limited ssh.  Only BASIC accepts ssh from arbitrary sources; in the
# other styles ssh still reaches dom0 from EMULAB_SERVERS via the
# any-protocol server rule above.
#
# The three rules work together and their order matters:
#   1. --set records every NEW connection attempt from a source in the
#      "SSH" recent-list (no target, so evaluation continues);
#   2. --update drops the attempt if that source already has 3 or more
#      hits within the last 60 seconds.  --rttl additionally requires the
#      packet's TTL to match the recorded one, which is intended to make it
#      harder for a third party to lock a source out with forged-source
#      packets;
#   3. anything that survives is accepted, from any source address.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH # BASIC
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP # BASIC
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT # BASIC

#
# Allow outgoing http so we can update packages.
#
# Outbound only, to any destination; replies come back via the
# RELATED,ESTABLISHED rule at the top.  Port 80 is cleartext, so the
# integrity of anything fetched over it rests on the package manager's own
# signature checks, not on this firewall.
#
iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED

#
# GRE tunnels.
#
# GRE is accepted from and to any address; only the first packet of a flow
# has to pass here, the rest is ESTABLISHED.  GRE carries no authentication,
# so whatever terminates the tunnel on dom0 is reachable by any host that
# can route to it.
# NOTE(review): if the tunnel peers are known (e.g. always on EMULAB_CNET),
# a -s restriction would narrow this considerably -- confirm against how
# the tunnels are actually set up before changing it.
#
iptables -A INPUT -p gre -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p gre -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED

#
# TOPD monitoring port.
#
# Accepted from any source, to the firewall's own address only.  Unlike the
# event proxy rules below, this is not limited to EMULAB_CNET/EMULAB_VCNET.
# NOTE(review): consider adding the same -s restriction if topd only needs
# to be reached from the control nets -- confirm with whoever consumes it.
#
iptables -A INPUT -p tcp -d me --dport 4097 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED

#
# Event Proxy. So we do not actually need this on XEN dom0, but we use these
# rules on openvz too (no prerouting rule). We might want to try restricting
# these to just the local node, but probably not worth the effort.
#
# One rule per control net (physical and virtual); both restrict by source
# network and by destination "me".  Note that ELABINELAB gets these too,
# unlike the topd rule above.
#
iptables -A INPUT -p tcp -d me -s EMULAB_CNET --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me -s EMULAB_VCNET --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Set up default policies for the standard chains
# For all but the wide-open case, the default should
# be to DROP.
#
# Do this here to avoid DNS failure when inserting above rules.
#
# Only INPUT and OUTPUT are covered.  This template never sets a FORWARD
# policy, so bridged traffic is governed solely by the explicit FORWARD
# rules below plus whatever policy was already in place.  The OPEN style
# sets no policy at all and keeps the pre-existing one.
#
iptables -P INPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P OUTPUT DROP # BASIC,CLOSED,ELABINELAB

#
# Drop some logging in for debugging.
#
# These sit at the tail of INPUT/OUTPUT, so when enabled they log every
# packet that is about to fall through to the DROP policy.
# NOTE(review): if enabled on a busy node, pair them with "-m limit" so
# they cannot flood the log.
#
#iptables -A INPUT -j LOG --log-prefix "INPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB

#
# Control access to the rpcbind port.
# XXX these were added straight to the DB by someone.
#
# FORWARD (bridged guest traffic) rules: requests to port 111 that arrive
# on the physical port eth0 from EMULAB_CNET or EMULAB_VCNET are passed;
# anything else to port 111 from eth0 is dropped regardless of the FORWARD
# policy.  The -m physdev matches presumably only see frames that traverse
# the bridge (br_netfilter), which is the dom0 case.
#
# NOTE(review): the first rule accepts a source of 127.0.0.1/32 arriving on
# a physical port.  A loopback source address on the wire is a martian and
# should never legitimately appear there, so this looks like something to
# delete rather than keep as an allow -- confirm nothing depends on it.
# NOTE(review): "eth0" is hard-coded, whereas the header documents a 'pdev'
# token for the physical control net device.  On a node whose control net
# is not eth0 these rules match nothing, and the two DROPs at the end would
# not apply either -- confirm whether 'pdev' should be used here.
#
iptables -A FORWARD -s 127.0.0.1/32 -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_VCNET -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_VCNET -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_CNET  -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -s EMULAB_CNET  -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j ACCEPT # BASIC,CLOSED
iptables -A FORWARD -p tcp -m physdev --physdev-in eth0 -m tcp --dport 111 -j DROP # BASIC,CLOSED
iptables -A FORWARD -p udp -m physdev --physdev-in eth0 -m udp --dport 111 -j DROP # BASIC,CLOSED