Commit 2da7373d authored by Leigh Stoller's avatar Leigh Stoller

More tweaks for non-segmented control network. Also an APT exception

to allow ssh from ops.emulab.net.
parent c3ed7492
......@@ -49,6 +49,12 @@ my $USERNODE_IP = "@USERNODE_IP@";
my $FSNODE_IP = "@FSNODE_IP@";
my $FRISBEE_MCASTADDR = "@FRISEBEEMCASTADDR@";
my $FRISBEE_MCASTPORT = "@FRISEBEEMCASTPORT@";
#
# Sorry these are hardwired; boss/ops addresses on the virtual control
# network, on non-segmented networks like the IG racks.
#
my $EMULAB_VCBOSS = "172.17.254.254";
my $EMULAB_VCOPS = "172.17.253.254";
#
# Untaint the path
......@@ -175,11 +181,8 @@ if ($VIRTNODE_NETWORK =~ /^(\d+\.\d+\.\d+)\.0$/) {
}
#
# Sorry these are hardwired.
# Boss/Ops on the virtual control network, non-segmented.
#
my $EMULAB_VCBOSS = "172.17.254.254";
my $EMULAB_VCOPS = "172.17.253.254";
$str = "replace into default_firewall_vars values ".
"('EMULAB_VCBOSS', '$EMULAB_VCBOSS'), ".
"('EMULAB_VCOPS', '$EMULAB_VCOPS')";
......@@ -189,6 +192,18 @@ print "$str\n"
DBQueryFatal($str)
if ($doit);
#
# FS can have a virtual control network address, but ignore fs/ops
# distinction.
#
$str = "replace into default_firewall_vars values ".
"('EMULAB_FSIPS', '$FSNODE_IP,$EMULAB_VCOPS') ";
print "$str\n"
if (!$doit);
DBQueryFatal($str)
if ($doit);
#
# Create EMULAB_MCADDR and EMULAB_MCPORT variables
#
......
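Review bot: The new EMULAB_FSIPS value in the third hunk (`'$FSNODE_IP,$EMULAB_VCOPS'`) unconditionally appends the hardwired virtual-control-network ops address, although the comment added in the first hunk says those addresses only apply on non-segmented networks such as the IG racks. On a segmented deployment the firewall rules keyed on EMULAB_FSIPS would then also accept NFS traffic to 172.17.253.254, which there is presumably not ops; the script already tests `$VIRTNODE_NETWORK` just above the second hunk, so the append could be gated on the same kind of condition, e.g. `my $fsips = $FSNODE_IP; $fsips .= ",$EMULAB_VCOPS" if ($NONSEGMENTED_PLACEHOLDER);` with the real flag substituted. The values interpolated into the `replace into default_firewall_vars` statements are build-time constants rather than user input, so the string-built SQL is not an injection concern here, but a one-line comment saying so would save the next reader from checking. The enclosing script body starts before and continues after the hunks shown.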
......@@ -123,6 +123,9 @@ iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctsta
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
# This is the alternate sshd rule for containers.
iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A OUTSIDE -p tcp -s boss,ops --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
# For APT shellinabox, which comes in from Utah ops.
iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
......@@ -147,15 +150,15 @@ iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
# 8k read/write size. Perhaps we should dial down the read/write size for
# firewalled experiments.
#
iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d EMULAB_FSIPS --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d EMULAB_FSIPS \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s EMULAB_FSIPS -f -j ACCEPT # BASIC,CLOSED
# Special services
......
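Review bot: The added rule `iptables -A OUTSIDE -p tcp -s ops.emulab.net --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED` is the only rule in the file that keys on a DNS name rather than a symbolic token or an address; iptables resolves a `-s` hostname once, when the rule is inserted, so the accept is pinned to whatever the resolver returned at load time, the ruleset fails to load if resolution fails, and a name with several A records becomes several rules. Since this opens the container sshd port in the CLOSED policy to an outside host, it would be more predictable to hardwire the address alongside `$EMULAB_VCBOSS`/`$EMULAB_VCOPS` in the variables script (or add an `EMULAB_*` token for it) and keep the hostname in the comment, or at least extend the comment: `# Resolved at rule-load time; reload the rules if ops.emulab.net changes address.` If the rule expander (not shown here) substitutes names itself rather than passing them to iptables, the same resolution-time caveat applies there. The EMULAB_FSIPS hunk below is a straight token substitution for `fs` and raises nothing further.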