Commit d8c8e738 authored by Leigh Stoller's avatar Leigh Stoller

Add dom0 and domU firewall sets for firewalling individual

containers.
parent c7884cd8
# #
# Copyright (c) 2000-2011 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -29,8 +29,13 @@ TBDB = @TBDBNAME@ ...@@ -29,8 +29,13 @@ TBDB = @TBDBNAME@
MDOPTS = --compact --skip-extended-insert --no-create-info --skip-set-charset MDOPTS = --compact --skip-extended-insert --no-create-info --skip-set-charset
FW_SCRIPTS = initfwvars.pl FW_SCRIPTS = initfwvars.pl
FW_FILES = open.sql closed.sql basic.sql elabinelab.sql iptables-open.sql iptables-closed.sql \ FW_FILES = open.sql closed.sql basic.sql elabinelab.sql \
iptables-basic.sql iptables-elabinelab.sql iptables-vlan-open.sql iptables-vlan-closed.sql \
iptables-vlan-basic.sql iptables-vlan-elabinelab.sql \
iptables-domU-open.sql iptables-domU-closed.sql \
iptables-domU-basic.sql \
iptables-dom0-open.sql iptables-dom0-closed.sql \
iptables-dom0-basic.sql
include $(OBJDIR)/Makeconf include $(OBJDIR)/Makeconf
...@@ -42,9 +47,15 @@ all: $(FW_SCRIPTS) $(FW_FILES) ...@@ -42,9 +47,15 @@ all: $(FW_SCRIPTS) $(FW_FILES)
include $(TESTBED_SRCDIR)/GNUmakerules include $(TESTBED_SRCDIR)/GNUmakerules
iptables-%.sql: genconfig-iptables.pl iptables-vlan-%.sql: genconfig-iptables.pl
$(SRCDIR)/genconfig-iptables.pl -f $(SRCDIR)/iptables-fw-rules -M $* > $@ $(SRCDIR)/genconfig-iptables.pl -f $(SRCDIR)/iptables-fw-rules -M $* > $@
iptables-dom0-%.sql: genconfig-iptables.pl iptables-fw-dom0-rules
$(SRCDIR)/genconfig-iptables.pl -t iptables-dom0 -f $(SRCDIR)/iptables-fw-dom0-rules -M $* > $@
iptables-domU-%.sql: genconfig-iptables.pl iptables-fw-domU-rules
$(SRCDIR)/genconfig-iptables.pl -t iptables-domU -f $(SRCDIR)/iptables-fw-domU-rules -M $* > $@
%.sql: genconfig.pl %.sql: genconfig.pl
$(SRCDIR)/genconfig.pl -f $(SRCDIR)/fw-rules -M $* > $@ $(SRCDIR)/genconfig.pl -f $(SRCDIR)/fw-rules -M $* > $@
......
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule, a '#' denoted "comment"
# at the end of the line indicates a rule number to use, a comma separated
# list of styles to which the rule applies, and an optional qualifier that
# indicates the types of firewalled nodes to which the rule should apply.
#
# Styles:
#
# OPEN allows everything
# CLOSED allows only Emulab infrastructure services
# BASIC CLOSED + ssh from anywhere
# ELABINELAB Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
# WINDOWS For nodes running some variant of Windows
# SAMENET For nodes that are on the same subnet as any
# "control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
#
# Variables expanded by rc.firewall script that can be used here:
#
# EMULAB_GWIP IP address of gateway
# EMULAB_VGWIP IP address of gateway on virtual node network
# EMULAB_NS IP address of name server
# EMULAB_CNET Node control network in CIDR notation
# EMULAB_VCNET Virtual node control network in CIDR notation
# EMULAB_MCADDR Multicast address range used by frisbee
# EMULAB_MCPORT Port range used by frisbee
# EMULAB_BOSSES Comma separated list of subbosses (including "boss"),
# used for services that subbosses provide
# (dhcp/tftp/frisbee).
# EMULAB_SERVERS Comma separated list of all servers
# (EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users" and "ntp1"
# as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#
#
# Match existing dynamic rules very early
#
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # OPEN,BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # OPEN,BASIC,CLOSED,ELABINELAB
# Can talk to myself. Does this do anything?
# This appears to be used by elvind?
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# So my approach is that dom0 can interact with the infrastructure
# in any way it wants.
#
iptables -A INPUT -d me -s EMULAB_SERVERS -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -s me -d EMULAB_SERVERS -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# Frisbee multicast with boss
# * nodes mcast everything to boss (joins, leaves and requests): 60046
# * boss mcasts blocks to same mcaddr/port: 60047
# * boss unicasts join replies to same port: 60048
# * node and switch need to IGMP: 60049
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss. Re-imaging anything else from outside would be a disaster.
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
iptables -A OUTPUT -p udp -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A INPUT -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT --dport EMULAB_MCPORT -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INPUT -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A INPUT -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# In BASIC, we allow ssh from anywhere on port 22.
#
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
#
# GRE tunnels.
#
iptables -A INPUT -p gre -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p gre -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
#
# Set up default policies for the standard chains
# For all but the wide-open case, the default should
# be to DROP.
#
# Do this here to avoid DNS failure when inserting above rules.
#
iptables -P INPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P OUTPUT DROP # BASIC,CLOSED,ELABINELAB
#
# Drop some logging in for debugging.
#
#iptables -A INPUT -j LOG --log-prefix "INPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT: " --log-level 5 # BASIC,CLOSED,ELABINELAB
#
# Copyright (c) 2005-2014 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
# This file is part of the Emulab network testbed software.
#
# This file is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or (at
# your option) any later version.
#
# This file is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
# License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this file. If not, see <http://www.gnu.org/licenses/>.
#
# }}}
#
#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule, a '#' denoted "comment"
# at the end of the line indicates a rule number to use, a comma separated
# list of styles to which the rule applies, and an optional qualifier that
# indicates the types of firewalled nodes to which the rule should apply.
#
# Styles:
#
# OPEN allows everything
# CLOSED allows only Emulab infrastructure services
# BASIC CLOSED + ssh from anywhere
# ELABINELAB Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
# WINDOWS For nodes running some variant of Windows
# SAMENET For nodes that are on the same subnet as any
# "control" host (boss, subbosses, ops, fs).
#
# Note that currently, we do not support the qualifier. Rules with a
# qualifier are applied unconditionally to the style which they are a part of.
#
# Variables expanded by rc.firewall script that can be used here:
#
# EMULAB_GWIP IP address of gateway
# EMULAB_VGWIP IP address of gateway on virtual node network
# EMULAB_NS IP address of name server
# EMULAB_CNET Node control network in CIDR notation
# EMULAB_VCNET Virtual node control network in CIDR notation
# EMULAB_MCADDR Multicast address range used by frisbee
# EMULAB_MCPORT Port range used by frisbee
# EMULAB_BOSSES Comma separated list of subbosses (including "boss"),
# used for services that subbosses provide
# (dhcp/tftp/frisbee).
# EMULAB_SERVERS Comma separated list of all servers
# (EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use. Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#
#
# NOTE!!! The basic firewall rules are set up on client during
# container setup.
#
# Allow everything from the gateway, since the gateway may be part of the node control net
iptables -A OUTSIDE -s EMULAB_GWIP,EMULAB_VGWIP -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# No one on the inside can talk to other experiments' nodes and visa-versa.
#
# XXX currently we only do this for the heavier weight firewalls because
# the user cannot override this.
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk! The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
# * IGMP and PIM traffic
# * DHCP replies from boss appear to have come from the gateway
# (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
#
# XXX yuk 2! In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
#iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
# DNS to NS (for firewalled nodes)
# Note: elabinelab myops/myfs use myboss for NS
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
# ssh from boss (for reboot, etc.) and others if appropriate
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
# This is the alternate sshd rule for containers.
iptables -A OUTSIDE -p tcp --dport EMULAB_SSHDPORT --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
# NTP to ntp server
# Note: elabinelab myops/myfs use myboss for NTP
iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
# syslog with ops
iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size. Perhaps we should dial down the read/write size for
# firewalled experiments.
#
iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED
# Special services
# pubsubd to ops (unicast TCP and multicast UDP)
iptables -A INSIDE -p udp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
# And to the local proxy.
iptables -A INSIDE -p udp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d me --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
# slothd to boss
iptables -A INSIDE -p udp -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED
# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer. Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
iptables -A INSIDE -p tcp -s myboss -d boss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
iptables -A OUTSIDE -p tcp -d myboss --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # ,ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
# Ping, IPoD from boss and dom0
# should we allow all ICMP in general?
iptables -A INSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -s boss --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s boss --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d boss --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s me --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s me --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d me --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB
# Boot time only services (DHCP, TFTP, bootinfo, TMCC).
#
# TMCC rules are established on the fly on the physical host, since each
# container gets its own tmcc proxy on a different port.
#
# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 -s EMULAB_BOSSES -d EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB
#
# Explicit drop rules so that we do not return to the calling chain.
# We need these in case dom0 is not doing firewalls too, in which
# case the default chain policy is ACCEPT instead of DROP.
#
iptables -A INSIDE -j DROP # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -j DROP # BASIC,CLOSED,ELABINELAB
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment