[
https://issues.apache.org/jira/browse/CLOUDSTACK-8688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14723342#comment-14723342
]
ASF GitHub Bot commented on CLOUDSTACK-8688:
--------------------------------------------
GitHub user wilderrodrigues opened a pull request:
https://github.com/apache/cloudstack/pull/765
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be se…
…t to DROP instead of ACCEPT
- In order to be able to access the routers via the link local interface,
we have to add rules with NEW and ESTABLISHED state
Tests:
* Deployed 2 zones, basic and advanced, using KVM as hypervisor
* On the basic zone, created 1 security group, added ingress rules to open
port 22 and deployed 1 VM
* SSH into the router and checked that the INPUT/FORWARD policies were
set to DROP
* SSH to the VM
* On the advanced zone, created 1 single VPC (with 2 tiers, 2 pub IPs, 2
VMs and 1 ACL), 1 redundant VPC (with 2 tiers, 2 pub IPs, 2 VMs and 1 ACL), 1
isolated network (with 1 VM and 1 pub IP), 1 redundant network (with 1 VM and 1
pub IP)
* SSH into all routers to check that the INPUT/FORWARD policies were set
to DROP
* SSH into all VMs to test the communication
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.26 (192.168.23.26)' can't be
established.
RSA key fingerprint is cb:42:81:d0:05:97:f4:be:9e:3b:dd:3f:c6:d2:48:e7.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.26' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.26 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.22.63 (192.168.22.63)' can't be
established.
RSA key fingerprint is a2:20:d6:e2:fb:c5:89:94:57:f5:89:b1:a1:6d:63:99.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.22.63' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.22.63 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.27 (192.168.23.27)' can't be
established.
RSA key fingerprint is 20:f1:6d:9b:74:c5:7b:53:10:5c:a0:0c:bc:9f:2a:29.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.27' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.27 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.28 (192.168.23.28)' can't be
established.
RSA key fingerprint is f7:ae:49:46:ba:02:c1:25:5a:50:87:0e:6f:a4:43:a3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.28' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.28 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.29 (192.168.23.29)' can't be
established.
RSA key fingerprint is 09:0c:f2:41:a3:74:3d:ee:04:2b:78:ff:a9:91:0d:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.29' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.29 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.30 (192.168.23.30)' can't be
established.
RSA key fingerprint is 2c:a6:10:f5:6d:4b:d1:70:e2:47:07:19:0b:86:c1:b0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.30' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.30 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$
sbpltk1zffh04:asf_cloudstack wrodrigues$ ssh [email protected]
The authenticity of host '192.168.23.32 (192.168.23.32)' can't be
established.
RSA key fingerprint is 6b:85:1e:c7:2e:aa:01:a2:d4:19:e3:ec:a7:69:a1:71.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.23.32' (RSA) to the list of known hosts.
[email protected]'s password:
# ls /
bin boot dev etc home lib
lib64 linuxrc lost+found media mnt opt proc
root run sbin sys tmp usr var
# exit
Connection to 192.168.23.32 closed.
sbpltk1zffh04:asf_cloudstack wrodrigues$
I'm now running some automated tests, will post the results here once they
are complete.
@remibergsma @DaanHoogland @bhaisaab @miguelaferreira @wido @karuturi ,
could you guys please have a look?
Cheers,
Wilder
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/schubergphilis/cloudstack fix/default_policies
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/cloudstack/pull/765.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #765
----
commit f5e5f4d0026f8ffd6f3aa7e8e4c7be0cd809d6c9
Author: wilderrodrigues <[email protected]>
Date: 2015-08-27T13:21:30Z
CLOUDSTACK-8688 - default policies for INPUT and FORWARD should be set to
DROP instead of ACCEPT
- In order to be able to access the routers via the link local interface,
we have to add rules with NEW and ESTABLISHED state
----
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> -----------------------------------------------------------------------
>
> Key: CLOUDSTACK-8688
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8688
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Virtual Router
> Affects Versions: 4.6.0
> Environment: Latest build from ACS master.
> Zone type: Advanced
> Reporter: Sanjeev N
> Assignee: Wilder Rodrigues
> Priority: Blocker
> Fix For: 4.6.0
>
>
> Default policy for INPUT and FORWARD chain is ACCEPT in VR filter table
> Steps to reproduce the issue:
> =======================
> 1. Bring up CS in advanced zone with any supported hypervisor (e.g. Xenserver)
> 2. Create an isolated network with Network Offering
> "DefaultIsolatedNetworkOfferingWithSourceNatService"
> 3. Deploy one guest vm within that network
> Result:
> =======
> IP tables rules on the VR created are as follows:
> root@r-7-VM:~# iptables --list
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT all -- anywhere vrrp.mcast.net
> ACCEPT all -- anywhere 225.0.0.50
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT icmp -- anywhere anywhere
> ACCEPT all -- anywhere anywhere
> ACCEPT udp -- anywhere anywhere udp dpt:bootps
> ACCEPT udp -- anywhere anywhere udp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:domain
> ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW
> ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt state NEW
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state NEW
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> NETWORK_STATS all -- anywhere anywhere
> Chain NETWORK_STATS (3 references)
> target prot opt source destination
> all -- anywhere anywhere
> all -- anywhere anywhere
> tcp -- anywhere anywhere
> tcp -- anywhere anywhere
> But the default policy for INPUT and FORWARD chain should be DROP instead of
> ACCEPT. Otherwise all traffic would be allowed to the VR.
> The same is the case with VPC and Shared networks as well.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
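The test list in the PR description verifies the fix by SSHing into each router and reading the INPUT/FORWARD policies by eye. The following script is an added example, not code from the PR or the report: it parses `iptables --list` output in the format quoted in the issue and fails unless both chains default to DROP. The two sample listings are constructed from the quoted report and from what the PR's tests expect after the change.

```shell
#!/bin/sh
# Added example (not part of the PR or the JIRA report): verify that the
# INPUT and FORWARD chains of the filter table default to DROP, the check
# the PR description performs by hand on every router.

# chain_policy CHAIN: read `iptables --list` output on stdin and print the
# default policy of CHAIN ("Chain INPUT (policy ACCEPT)" -> "ACCEPT").
# Prints nothing when the chain is absent from the listing.
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c { gsub(/[()]/, "", $4); print $4 }'
}

# check_default_drop: read a listing on stdin, report each chain, and
# return 0 only if INPUT and FORWARD both have a DROP default policy.
check_default_drop() {
    dump=$(cat)
    rc=0
    for chain in INPUT FORWARD; do
        policy=$(printf '%s\n' "$dump" | chain_policy "$chain")
        case "$policy" in
            DROP) printf '%s: policy DROP (ok)\n' "$chain" ;;
            "")   printf '%s: chain not found\n' "$chain"; rc=1 ;;
            *)    printf '%s: policy %s (expected DROP)\n' "$chain" "$policy"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the chain headers from the listing quoted in the report.
SAMPLE_BEFORE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain NETWORK_STATS (3 references)
target     prot opt source               destination'

# Constructed sample of the state the PR tests look for after the fix.
SAMPLE_AFTER='Chain INPUT (policy DROP)
target     prot opt source               destination
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# On a router the live check is simply: iptables --list | check_default_drop
```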