Commit 3a5d522f authored by Ryan Jackson's avatar Ryan Jackson

Support iptables for firewalled elabinelab

parent cfbcf2c4
......@@ -2013,8 +2013,8 @@ sub TBNodeStateWait ($$$$@) {
# XXX only returns true for experiments with VLAN-based firewalls.
# XXX this will need to change if we support multiple firewalls per experiment.
#
sub TBExptFirewall ($$;$$$) {
my ($pid, $eid, $fwnodep, $fwvlanidp, $fwvlanp) = @_;
sub TBExptFirewall ($$;$$$$) {
my ($pid, $eid, $fwnodep, $fwvlanidp, $fwvlanp, $fwtypep) = @_;
my $query_result;
#
......@@ -2038,7 +2038,7 @@ sub TBExptFirewall ($$;$$$) {
# will be NULL.
#
$query_result =
DBQueryWarn("select r.node_id,f.vlan,f.vlanid from ".
DBQueryWarn("select r.node_id,f.vlan,f.vlanid,v.type from ".
" virt_firewalls as v ".
"left join firewalls as f on f.pid=v.pid and f.eid=v.eid ".
"left join reserved as r on r.pid=v.pid and ".
......@@ -2062,6 +2062,8 @@ sub TBExptFirewall ($$;$$$) {
if (defined($fwvlanp));
$$fwvlanidp = $row[2]
if (defined($fwvlanidp));
$$fwtypep = $row[3]
if (defined($fwtypep));
return 1;
}
......
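Review bot: The header comment whose tail is the `# XXX ...` lines at the top of this hunk (its start is outside the hunk) still documents only the node/vlan out-parameters, while the new optional sixth argument `$fwtypep` is what the setup script in this commit now relies on to choose iptables versus ipfw syntax. Add a line there such as `# $fwtypep, if given, receives virt_firewalls.type for the experiment's firewall; it is left untouched on the paths that return early.` Since callers key off a `/^iptables/` prefix match, the comment should also say what values the `type` column can hold, if that is known. The sub's body continues past the end of the hunk.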
......@@ -96,6 +96,9 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
# DNS to NS (firewall)
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
......@@ -130,7 +133,6 @@ iptables -A INSIDE -d me -j DROP # BASIC,CLOSED,ELABINELAB
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
......@@ -138,11 +140,10 @@ iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
# DNS to NS
# DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
......@@ -152,15 +153,6 @@ iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
#
# XXX early on in Emulab setup boss will ssh in and insert a rule at the
# beginning to allow all traffic. Later we ssh in again to remove that rule.
# In order for the latter ssh command to complete, we have to make sure that
# an established connection to boss continues to work.
#
#iptables -A OUTPUT -p tcp -s me --sport 22 -d boss -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
#iptables -A INPUT -p tcp -s boss -d me --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
......
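Review bot: The removed XXX comment was the only explanation of how boss's ssh control path survives the presetup "firewall off" step, and nothing replaces it; the iptables bypass this commit uses elsewhere is `-I FORWARD 1 -j ACCEPT`, which touches neither INPUT nor OUTPUT, so the `INPUT -p tcp -s boss -d me --dport 22 --syn ... NEW` rule tagged CLOSED,ELABINELAB is what keeps the firewall host reachable for the later rule removal. A short comment above that rule, e.g. `# boss must always be able to ssh in: the iptables presetup bypass only opens FORWARD, so this INPUT rule carries the control connection`, would stop someone tightening it later. I am assuming a conntrack ESTABLISHED/RELATED accept exists earlier in the file for the return traffic; it is not visible in these hunks. The ipfw form of the bypass (`allow all from any to any`) does cover traffic to the firewall host itself, so the two backends differ here and the comment should say whether that is intentional.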
......@@ -196,7 +196,8 @@ exit(0)
# See if the experiment is firewalled
#
my $firewall;
my $firewalled = TBExptFirewall($pid, $eid, \$firewall);
my $fwtype;
my $firewalled = TBExptFirewall($pid, $eid, \$firewall, undef, undef, \$fwtype);
#
# Presetup; turn off firewall.
......@@ -207,7 +208,11 @@ if ($fwboot) {
print "Turning off firewall rules on $firewall\n";
$UID = 0;
system("$SSH -host $firewall ipfw add 1 allow all from any to any");
if ($fwtype =~ /^iptables/) {
system("$SSH -host $firewall iptables -I FORWARD 1 -j ACCEPT");
} else {
system("$SSH -host $firewall ipfw add 1 allow all from any to any");
}
if ($?) {
die("*** $0:\n".
" Error turning off firewall rules ($firewall)!\n");
......@@ -600,13 +605,20 @@ skipsetup:
#
#
if ($firewalled) {
my $cmd;
if ($fwtype =~ /^iptables/) {
$cmd = "$SSH -host $firewall iptables -D FORWARD 1";
} else {
$cmd = "$SSH -host $firewall ipfw delete 1";
}
print "Turning firewall back on\n";
$UID = 0;
system("$SSH -host $firewall ipfw delete 1");
system($cmd);
if ($?) {
print STDERR "*** Error turning back on firewall rules ($firewall)!\n".
" Will retry again.\n";
system("$SSH -host $firewall ipfw delete 1");
system($cmd);
if ($?) {
die("*** $0:\n".
" Error turning back on firewall rules! Retry failed.\n");
......
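Review bot: Deleting the bypass rule by position, `iptables -D FORWARD 1` in `$cmd`, is fail-open: if the first `system($cmd)` actually removed the rule remotely but ssh reported failure, or if anything else was inserted at the head of FORWARD between presetup and teardown, the retry after "Will retry again" deletes whichever rule is now first and the `-j ACCEPT` bypass stays in place. The ipfw branch does not have this problem because `ipfw delete 1` names the rule that `ipfw add 1` created. Delete by specification and tag the rule so it cannot match anything else: insert with `iptables -I FORWARD 1 -m comment --comment elabinelab-bypass -j ACCEPT` and remove with `$cmd = "$SSH -host $firewall iptables -D FORWARD -m comment --comment elabinelab-bypass -j ACCEPT";` (assuming the comment match module is available on the firewall image; otherwise plain `-D FORWARD -j ACCEPT` at least only removes an exact-spec match). Separately, `$fwtype =~ /^iptables/` is evaluated in two places and will warn on an undefined value if `TBExptFirewall` did not set it; guard with `defined($fwtype) &&` or compute both commands once right after the `TBExptFirewall` call.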