Commit d54da568 authored by Mike Hibler's avatar Mike Hibler

Linux firewall fixes inspired by Richard.

 * If firewall setup fails, don't fail completely open! Instead allow full
   access to/from the firewall, but block all access to/from inside nodes.
 * Sort the rules by rule number so that user added rules get put in the
   correct place.
 * Fix the rules template for iptables so that user rules get inserted
   into an appropriate location.
 * Fix a bug in the anti-spoofing rules that would prevent any access from
   outside to the inside nodes.
parent 8dad6e5a
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# Copyright (c) 2000-2015 University of Utah and the Flux Group. # Copyright (c) 2000-2016 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -1157,6 +1157,10 @@ sub runbootscript($$$$;@) ...@@ -1157,6 +1157,10 @@ sub runbootscript($$$$;@)
&& $manifest->{$script}{'FATAL'} == 1) { && $manifest->{$script}{'FATAL'} == 1) {
fatal(" Failed running $script ($?)!"); fatal(" Failed running $script ($?)!");
} }
# XXX failure of the firewall script is always fatal
elsif ($script eq "rc.firewall") {
fatal(" Failed running $script ($?)!");
}
else { else {
warn(" Failed running $script ($?)!"); warn(" Failed running $script ($?)!");
} }
......
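Review bot: The new `elsif ($script eq "rc.firewall")` branch repeats the `fatal(" Failed running $script ($?)!")` call of the branch directly above it, so the same message is now maintained in two places; folding the script-name test into the existing condition, `|| $script eq "rc.firewall"`, and keeping the XXX comment on that line gives one fatal path. The head of that `if` (and the start of runbootscript) lies before the hunk, so the exact shape of the merged condition cannot be checked from here. The match on the bare name also assumes `$script` is a basename rather than a path; if callers can pass a path, the firewall script would silently fall back to the warn-only branch, so that assumption is worth a comment or a basename comparison.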
#!/usr/bin/perl -wT #!/usr/bin/perl -wT
# #
# Copyright (c) 2000-2015 University of Utah and the Flux Group. # Copyright (c) 2000-2016 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -1508,6 +1508,9 @@ sub os_fwconfig_line($@) { ...@@ -1508,6 +1508,9 @@ sub os_fwconfig_line($@) {
} }
} }
# Sort the rules by provided rule number (tmcd doesn't order them).
@fwrules = sort { $a->{RULENO} <=> $b->{RULENO}} @fwrules;
# XXX This is ugly. Older version of iptables can't handle source or # XXX This is ugly. Older version of iptables can't handle source or
# destination hosts or nets in the format a,b,c,d. Newer versions of # destination hosts or nets in the format a,b,c,d. Newer versions of
# iptables automatically expand this to separate rules for each host/net, # iptables automatically expand this to separate rules for each host/net,
...@@ -1567,8 +1570,10 @@ sub os_fwconfig_line($@) { ...@@ -1567,8 +1570,10 @@ sub os_fwconfig_line($@) {
} }
@fwrules = @new_rules; @fwrules = @new_rules;
# For now, if a rule fails to load we want to fail open, not closed. Otherwise #
# it may be difficult to debug things. # For now, if a rule fails to load we fail partially open.
# We allow all access to the FW itself but nothing inside.
#
foreach my $rulestr (@fwrules) { foreach my $rulestr (@fwrules) {
if ($rulestr =~ /^iptables\s+/) { if ($rulestr =~ /^iptables\s+/) {
$upline .= " $rulestr || {\n"; $upline .= " $rulestr || {\n";
...@@ -1576,6 +1581,7 @@ sub os_fwconfig_line($@) { ...@@ -1576,6 +1581,7 @@ sub os_fwconfig_line($@) {
$upline .= " echo ' $rulestr'\n"; $upline .= " echo ' $rulestr'\n";
$upline .= " iptables -F\n" $upline .= " iptables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0"); if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " iptables -P FORWARD DROP\n";
$upline .= " iptables -P INPUT ACCEPT\n"; $upline .= " iptables -P INPUT ACCEPT\n";
$upline .= " iptables -P OUTPUT ACCEPT\n"; $upline .= " iptables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n"; $upline .= " exit 1\n";
...@@ -1586,6 +1592,7 @@ sub os_fwconfig_line($@) { ...@@ -1586,6 +1592,7 @@ sub os_fwconfig_line($@) {
$upline .= " echo ' $rulestr'\n"; $upline .= " echo ' $rulestr'\n";
$upline .= " ebtables -F\n" $upline .= " ebtables -F\n"
if ($fwinfo->{TYPE} ne "iptables-dom0"); if ($fwinfo->{TYPE} ne "iptables-dom0");
$upline .= " ebtables -P FORWARD DROP\n";
$upline .= " ebtables -P INPUT ACCEPT\n"; $upline .= " ebtables -P INPUT ACCEPT\n";
$upline .= " ebtables -P OUTPUT ACCEPT\n"; $upline .= " ebtables -P OUTPUT ACCEPT\n";
$upline .= " exit 1\n"; $upline .= " exit 1\n";
......
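Review bot: The new `@fwrules = sort { $a->{RULENO} <=> $b->{RULENO} } @fwrules;` assumes every rule carries a RULENO and that rules with equal numbers keep their template order, and neither is guaranteed here: `<=>` treats a missing RULENO as 0 (with a "Use of uninitialized value" warning under the file's `-w`) and floats such rules to the front of the chain, and Perl's sort is only documented stable under `use sort 'stable'`. Because rule order is the firewall policy, a mis-sorted ACCEPT or DROP changes what is allowed, not just how it is logged. If tmcd can ever omit RULENO or hand back duplicate numbers (the template below uses 60020 on two rules), a decorate-sort with the original position as tie-break makes the order explicit; the remainder of os_fwconfig_line lies outside this hunk.
```perl
    # Sort the rules by provided rule number (tmcd doesn't order them).
    # Unnumbered rules get a fixed slot (0) and equal numbers keep their
    # original relative order, which a bare sort does not guarantee.
    my $pos = 0;
    @fwrules = map  { $_->[2] }
               sort { $a->[0] <=> $b->[0] || $a->[1] <=> $b->[1] }
               map  { [ (defined $_->{RULENO} ? $_->{RULENO} : 0), $pos++, $_ ] }
               @fwrules;
    # … unchanged: iptables a,b,c,d expansion and rule emission …
```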
...@@ -157,12 +157,17 @@ iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET ...@@ -157,12 +157,17 @@ iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
# Otherwise, nodes inside/outside of the firewall cannot talk to each other. # Otherwise, nodes inside/outside of the firewall cannot talk to each other.
# #
iptables -A INSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB iptables -A INSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB iptables -A OUTSIDE -s EMULAB_CNET,EMULAB_VCNET -j DROP # CLOSED,ELABINELAB
#
# DNS to NS (for firewalled nodes) # DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS # Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED #
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB # N.B. the specification of a rule number here! This allows us a gap into
# which user specified rules fall.
#
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # 60020: BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # 60020: ELABINELAB
# ssh from boss (for reboot, etc.) and others if appropriate # ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
......
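Review bot: The new N.B. comment on the DNS rules says the explicit number leaves "a gap into which user specified rules fall" but not where that gap is or how the unnumbered rules above it are numbered, so a reader cannot tell whether user rules run before or after the `-j DROP` anti-spoofing rules on INSIDE/OUTSIDE, which is the ordering that matters for security. Suggest spelling it out, hedged where the parser is not visible from this file: `# N.B. the explicit rule number (60020) on these rules. Rules without a number are assigned in template order (see the template parser), and user-specified rules are numbered into the gap below 60020, so they are evaluated after the DROP rules above and before this ACCEPT.` "This allows us a gap" also reads better as "This leaves a gap".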