Commit 24f185f7 authored by Ryan Jackson

Fix IP filter for packets from inside firewall

Since the default FORWARD policy is to DROP, only send packets to the
INSIDE chain if:

A) they come in on the vlan interface and
B) they have src IPs in the control net (or broadcast IP)

Packets that match the first but not the second will fall through and
be dropped.
parent 5a10c448
...@@ -82,7 +82,9 @@ iptables -N INSIDE # BASIC,CLOSED,ELABINELAB ...@@ -82,7 +82,9 @@ iptables -N INSIDE # BASIC,CLOSED,ELABINELAB
iptables -F INSIDE # BASIC,CLOSED,ELABINELAB iptables -F INSIDE # BASIC,CLOSED,ELABINELAB
iptables -N OUTSIDE # BASIC,CLOSED,ELABINELAB iptables -N OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in vlandev -j INSIDE # BASIC,CLOSED,ELABINELAB
# Inside nodes cannot spoof other IP addresses
iptables -A FORWARD -m physdev --physdev-in vlandev -s EMULAB_CNET,0.0.0.0/32,255.255.255.255 -j INSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB
# Can talk to myself. Does this do anything? # Can talk to myself. Does this do anything?
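Review bot: the new `-s EMULAB_CNET,0.0.0.0/32,255.255.255.255` match on the `--physdev-in vlandev` FORWARD rule only stops spoofed sources because the FORWARD policy is DROP, and nothing in this file says so; add that dependency to the `# Inside nodes cannot spoof other IP addresses` comment so a later change to the FORWARD policy does not silently reopen spoofing from vlandev. Two smaller points: the commit message says "control net (or broadcast IP)" but the rule also admits `0.0.0.0/32`, which DHCP clients use as their source before they hold an address, so the comment should name it to stop someone "tightening" it away; and the comma-separated `-s` list is expanded by iptables into one rule per address, which older iptables releases do not accept, so confirm the minimum iptables version on the firewall nodes.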
...@@ -133,17 +135,6 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB ...@@ -133,17 +135,6 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
#
# Inside nodes cannot spoof other IP addresses.
#
# Beyond this rule we no longer have to check to make sure that source
# hosts like "boss" and "ops" come in the correct interface.
#
iptables -A INSIDE -s 0.0.0.0 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -s 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -s EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -j DROP # BASIC,CLOSED,ELABINELAB
# DNS to NS # DNS to NS
# Note: elabinelab myops/myfs use myboss for NS # Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
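Review bot: dropping the terminating `iptables -A INSIDE -j DROP` changes what happens to INSIDE traffic that matches no later rule: it used to be dropped inside the chain, and now it returns to FORWARD and lands on the chain policy. The result is the same while the FORWARD policy stays DROP, but the INSIDE chain no longer fails closed on its own; consider keeping a final DROP (or a logging rule ahead of it) in INSIDE for the BASIC/CLOSED/ELABINELAB variants. The removed comment block also carried the only explanation of why later rules may trust `boss` and `ops` source addresses without an interface check ("Beyond this rule we no longer have to check..."); that reasoning now belongs to the FORWARD rule in the previous hunk and should be moved there rather than deleted.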
...@@ -316,7 +307,7 @@ iptables -A INPUT -p udp --dport 1434 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS ...@@ -316,7 +307,7 @@ iptables -A INPUT -p udp --dport 1434 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
# DHCP requests from, and replies to, inside requests are always broadcast, # DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast # replies may be broadcast or unicast
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 0;269;0c-j ACCEPT # BASIC,CLOSED,ELABINELAB
# #
# TFTP with boss or ops # TFTP with boss or ops
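Review bot: the only changed line in this hunk (7 lines in, 7 lines out) is the OUTSIDE DHCP-reply rule, and the new version reads `-d 255.255.255.255 0;269;0c-j ACCEPT`: the `0;269;0c` between the address and `-j` looks like a terminal response string pasted into the file, and iptables will reject the rule with an unknown-argument error. Revert the line to `-d 255.255.255.255 -j ACCEPT`; if the script does not abort on the failed command, the practical effect is that broadcast DHCP replies to inside nodes are no longer accepted.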
...@@ -341,6 +332,3 @@ iptables -A INSIDE -p tcp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACC ...@@ -341,6 +332,3 @@ iptables -A INSIDE -p tcp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACC
iptables -A INSIDE -p udp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED iptables -A INSIDE -p udp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A OUTPUT -p tcp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB iptables -A OUTPUT -p udp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
# BRIDGE-SPECIFIC RULES
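Review bot: the header `@@ -341,6 +332,3 @@` records three lines removed just before `# BRIDGE-SPECIFIC RULES`, but only unchanged context is visible in this rendering and the commit message does not mention a change in this region; add a sentence to the message (or a comment in the file) stating what was removed here and why, so the change can be reviewed from the log.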