Updated Branches: refs/heads/master 6a9c588d3 -> dbe88c1ed
CLOUDSTACK-417: Handle passwd-srvr securely on VR, port 8080
By default do not enable port 8080 in iptables-router. Since, the socat server which serves the password is in an infinite loop, any incorrect attempt is returned bad_request and passwd-srvr won't break.
When /etc/init.d/cloud-passwd-srvr is started:
- It finds and removes any old rules on port 8080, eth0
- It applies iptables rule that accepts only traffic from private cidr.
When cloud-passwd-srvr is stopped:
- It removes iptables rules on port 8080, eth0
Signed-off-by: Rohit Yadav <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/dbe88c1e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/dbe88c1e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/dbe88c1e
Branch: refs/heads/master
Commit: dbe88c1ed3c120ff0e0f38c67b6a03e3665fe987
Parents: 6a9c588
Author: Rohit Yadav <[email protected]>
Authored: Fri Oct 26 21:33:25 2012 +0530
Committer: Rohit Yadav <[email protected]>
Committed: Fri Oct 26 21:37:32 2012 +0530
----------------------------------------------------------------------
 .../debian/config/etc/init.d/cloud-passwd-srvr | 36 ++++++++++++++-
 .../debian/config/etc/iptables/iptables-router | 1 -
 2 files changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dbe88c1e/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr b/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
index e681841..7c938f7 100755
--- a/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
+++ b/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
@@ -29,10 +29,43 @@ ENABLED=0
 [ -e /etc/default/cloud-passwd-srvr ] && . /etc/default/cloud-passwd-srvr
+add_iptables_rules()
+{
+ #Delete any old iptables rule for port 8080 on eth0
+ remove_iptables_rules
+
+ #For all cidrs on eth0 for port 8080 accept only if source is withing that cidr
+ for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+ do
+ iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT
+ done
+ echo "Added cloud-passwd-srvr iptables rules" && return 0
+}
+
+remove_iptables_rules()
+{
+ #Change the Internal Field Separator so the for loop, loops on lines and not spaces
+ OIFS="${IFS}"
+ NIFS=$'\n'
+ IFS="${NIFS}"
+
+ #Removed all iptable rules for port 8080 on eth0, they were added in start()
+ for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`;
+ do
+ eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT";
+ done
+
+ #Restore IFS
+ IFS="${OIFS}"
+
+ echo "Removed cloud-passwd-srvr iptables rules" && return 0
+}
+
 start() {
 [ "$ENABLED" != 0 ] || exit 0
 pid=$(getpid)
 [ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0
+ add_iptables_rules
 nohup bash /opt/cloud/bin/passwd_server &
 }
@@ -50,7 +83,8 @@ stop_socat() {
 stop () {
 stop_socat
 pid=$(getpid)
- [ "$pid" != "" ] && kill -9 $pid && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+ [ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+ echo "Password server is not running" && return 0
 }
http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dbe88c1e/patches/systemvm/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
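Review bot: `remove_iptables_rules` reconstructs each delete command with `eval` from fixed column positions (`$8`/`$9`) of `iptables -L -n -v`, and the `grep eth0 | grep 8080 | grep ACCEPT` filter runs over every chain, so a different listing layout or an unrelated matching rule makes the `-D` fail silently and leaves the old port-8080 ACCEPT rule in place while the function still reports success. Listing only the INPUT chain with `iptables -S` yields the exact rule spec, which can be replayed with `-A` rewritten to `-D`, removing the column counting, the backtick/IFS juggling and the `eval` entirely. In `add_iptables_rules`, quote the argument (`-s "$cidr"`) and select addresses with `ip -4 -o addr show dev eth0 | awk '{print $4}'` rather than grepping `ip addr` for the device label, and note that the trailing `echo ... && return 0` reports success even when `iptables -A` failed (fail-closed, but the log line misleads). Since the rule now lives only in the running table, anything that reloads iptables-router via iptables-restore while the server is up would presumably drop it, and `add_iptables_rules` is only re-run from `start()`. Both new functions and `start()` are complete within the hunk.
```shell
# … unchanged: add_iptables_rules …
remove_iptables_rules()
{
  # Delete every INPUT rule on eth0/tcp/8080 that add_iptables_rules may have added.
  # `iptables -S INPUT` prints each rule as an exact "-A INPUT ..." spec, so rewriting
  # "-A" to "-D" replays it as a delete: no column counting, no IFS juggling, no eval.
  iptables -S INPUT \
    | grep -- '-i eth0 ' | grep -- '--dport 8080 ' | grep -- '-j ACCEPT' \
    | sed 's/^-A /-D /' \
    | while read -r rule; do
        # shellcheck disable=SC2086 -- $rule is iptables' own output, one option per word
        iptables $rule || echo "Failed to remove rule: $rule" >&2
      done
  echo "Removed cloud-passwd-srvr iptables rules" && return 0
}
# … unchanged: start() …
```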
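Review bot: `stop()` now removes the port-8080 rules only on the success path of the `[ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && ...` chain, so when `getpid` finds no process (the server died or was killed out of band) or `kill` fails, the function prints "Password server is not running" and the ACCEPT rules stay in place until the next start or a stop with a live pid. `remove_iptables_rules` is a no-op when nothing matches, so the cleanup can run unconditionally: put `remove_iptables_rules` on its own line right after `pid=$(getpid)`, and shorten the success line to `[ "$pid" != "" ] && kill -9 $pid && echo "Stopped password server (pid=$pid)" && stop_socat && return 0`. `stop()` is complete within the hunk.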
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 1aba34c..59d2e46 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -34,7 +34,6 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j ACCEPT
