Commit d54da568 authored by Mike Hibler's avatar Mike Hibler

Linux firewall fixes inspired by Richard.

 * If firewall setup fails, don't fail completely open! Instead allow full
   access to/from the firewall, but block all access to/from inside nodes.
 * Sort the rules by rule number so that user added rules get put in the
   correct place.
 * Fix the rules template for iptables so that user rules get inserted
   into an appropriate location.
 * Fix a bug in the anti-spoofing rules that would prevent any access from
   outside to the inside nodes.
parent 8dad6e5a
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
# Copyright (c) 2000-2016 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -1157,6 +1157,10 @@ sub runbootscript($$$$;@)
&& $manifest->{$script}{'FATAL'} == 1) {
fatal(" Failed running $script ($?)!");
}
# XXX failure of the firewall script is always fatal
elsif ($script eq "rc.firewall") {
fatal(" Failed running $script ($?)!");
}
else {
warn(" Failed running $script ($?)!");
}
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
# Copyright (c) 2000-2016 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -1508,6 +1508,9 @@ sub os_fwconfig_line($@) {
}
}
# Sort the rules by provided rule number (tmcd doesn't order them).
@fwrules = sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules;
# XXX This is ugly. Older version of iptables can't handle source or
# destination hosts or nets in the format a,b,c,d. Newer versions of
# iptables automatically expand this to separate rules for each host/net,
......@@ -1567,8 +1570,10 @@ sub os_fwconfig_line($@) {
}
@fwrules = @new_rules;
# For now, if a rule fails to load we want to fail open, not closed. Otherwise
# it may be difficult to debug things.
#
# For now, if a rule fails to load we fail partially open.
# We allow all access to the FW itself but nothing inside.
#
foreach my $rulestr (@fwrules) {
if ($rulestr =~ /^iptables\s+/) {
$upline .= " $rulestr || {\n";
......@@ -1576,6 +1581,7 @@ sub os_fwconfig_line($@) {
$upline .= " echo ' $rulestr'\n";
$upline .= " iptables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " iptables -P FORWARD DROP\n";
$upline .= " iptables -P INPUT ACCEPT\n";
$upline .= " iptables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n";
......@@ -1586,6 +1592,7 @@ sub os_fwconfig_line($@) {
$upline .= " echo ' $rulestr'\n";
$upline .= " ebtables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " ebtables -P FORWARD DROP\n";
$upline .= " ebtables -P INPUT ACCEPT\n";
$upline .= " ebtables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n";
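Review bot: In the iptables failure path the policy change is emitted after `iptables -F`, so between the flush and `iptables -P FORWARD DROP` the FORWARD chain is empty under whatever policy was in force before, which is unrestricted forwarding if that policy was ACCEPT; emitting the `iptables -P FORWARD DROP` line before the `iptables -F` line closes that window, and the same reorder applies to the ebtables block in the following hunk. For the `iptables-dom0` case the flush is skipped entirely, so any rules loaded before the failing one stay in place; if those include ACCEPT rules in FORWARD, the fallback is less closed than the comment "nothing inside" promises, which deserves at least a note there, e.g. `# on dom0 we do not flush, so earlier ACCEPT rules survive the failure`, or a FORWARD-only flush if that is safe for dom0 (I can't tell from here). os_fwconfig_line starts and ends outside these hunks.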
......
......@@ -157,12 +157,17 @@ iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
#
iptables -A INSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -s EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
#
# DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
#
# N.B. the specification of a rule number here! This allows us a gap into
# which user specified rules fall.
#
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # 60020: BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # 60020: ELABINELAB
# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
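Review bot: The comment above the DNS rules says the explicit rule number opens a gap for user rules but not what the numbering scheme is: what number unnumbered template rules receive, where 60020 sits relative to that, and which range user-specified rules are expected to occupy. The `# 60020:` trailing-comment form is evidently parsed by whatever expands this template (not visible here), so a short block comment in the template header stating the default numbering and the reserved user range would keep a future edit that adds or renumbers lines around the DNS rules from silently closing the gap. The OUTSIDE rule with `-s EMULAB_CNET,EMULAB_VCNET` reads as the anti-spoofing fix the description mentions (replacing the `-d` form that dropped everything bound for the inside); a one-line comment such as `# anti-spoofing: drop packets arriving from outside that claim an inside source` on that rule would prevent it being "corrected" back to `-d`.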
......