From d...@apache.org
Subject [6/7] git commit: updated refs/heads/master to 76bb54b
Date Tue, 09 Dec 2014 09:44:51 GMT
made iptables for the VPN connection more secure

Added destination and source definitions. Flag -S can be used
to ignore this. It's the new default as it is more secure
and does not impact the way things work (backwards compatible).


Project: http://git-wip-us.apache.org/repos/asf/cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/cloudstack/commit/ef3b4bb4
Tree: http://git-wip-us.apache.org/repos/asf/cloudstack/tree/ef3b4bb4
Diff: http://git-wip-us.apache.org/repos/asf/cloudstack/diff/ef3b4bb4

Branch: refs/heads/master
Commit: ef3b4bb4e3342f166489034fa7149540d2ef1383
Parents: 7f33f7c
Author: Remi Bergsma <rbergsma@schubergphilis.com>
Authored: Mon Dec 8 19:06:55 2014 +0100
Committer: Remi Bergsma <rbergsma@schubergphilis.com>
Committed: Mon Dec 8 19:06:55 2014 +0100

----------------------------------------------------------------------
 .../debian/config/opt/cloud/bin/ipsectunnel.sh  | 26 ++++++++++++++------
 1 file changed, 18 insertions(+), 8 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cloudstack/blob/ef3b4bb4/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
----------------------------------------------------------------------
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
index a95c65e..e0af6a2 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/ipsectunnel.sh
@@ -23,7 +23,7 @@ vpnoutmark="0x525"
 vpninmark="0x524"
 
 usage() {
-    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr>
-g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets>
-e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime>
-s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check
if up on creation ]\n" $(basename $0) >&2
+    printf "Usage: %s: (-A|-D) -l <left-side vpn peer> -n <left-side guest cidr>
-g <left-side next hop> -r <right-side vpn peer> -N <right-side private subnets>
-e <esp policy> -i <ike policy> -t <ike lifetime> -T <esp lifetime>
-s <pre-shared secret> -d <dpd 0 or 1> [ -p <passive or not> -c <check
if up on creation> -S <disable vpn ports iptables> ]\n" $(basename $0) >&2
 }
 
 #set -x
@@ -61,13 +61,16 @@ enable_iptables_subnets() {
   return 0
 }
 
+#
+# Add the right side here to close the gap, so we're sure no one else comes in
+#   also double check the default behaviour of ipsec to drop if wrong....
 check_and_enable_iptables() {
   sudo iptables-save | grep "A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT"
   if [ $? -ne 0 ]
   then
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-      sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+      sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
       # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
       sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j
ACCEPT
   fi
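Review bot: The existence check on the `iptables-save | grep` line still looks for the old rule text `-i $outIf -p udp -m udp --dport 500 -j ACCEPT`, so it no longer matches the rule this hunk appends once `$iptables_secure` adds `-s`/`-d` (iptables-save also prints those before `-i`, as far as I recall), and it remains a per-interface check while the new rules are per peer. The likely result under the new default is that every -A call appends the three INPUT rules again and re-inserts the POSTROUTING mark rule, so the guard no longer guards anything. I would test the exact rule with `iptables -C` and guard the shared mark rule on its own, since that one is still per interface. check_and_enable_iptables continues past the hunk.
```shell
check_and_enable_iptables() {
  # -C succeeds only when an identical rule (same peer pair unless -S was given) already exists
  if ! sudo iptables -C INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT >/dev/null 2>&1
  then
      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
      sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
      sudo iptables -A INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
  fi
  # The mark rule is per interface, not per peer, so it gets its own guard and is inserted once
  if ! sudo iptables -t nat -C POSTROUTING -o $outIf -m mark --mark $vpnoutmark -j ACCEPT >/dev/null 2>&1
  then
      # Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
      sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
  fi
  # … unchanged: rest of check_and_enable_iptables …
```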
@@ -90,9 +93,9 @@ check_and_disable_iptables() {
   if [ $? -ne 0 ]
   then
     #Nobody else use s2s vpn now, so delete the iptables rules
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
-    sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 $iptables_secure -j ACCEPT
+    sudo iptables -D INPUT -i $outIf -p 50 $iptables_secure -j ACCEPT
     sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
   fi
   return 0
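Review bot: With `$iptables_secure` in the three `-D` lines the INPUT rules are now specific to one peer pair, but their removal still sits behind the check above the hunk whose comment reads "Nobody else use s2s vpn now", so as long as another tunnel exists the rules for the deleted peer stay in place and that remote address keeps its opening on 500/4500/ESP. The per-peer `-D` lines should run unconditionally on -D (when the rule is absent they only print an error), and only the shared POSTROUTING mark rule should stay behind the "nobody else" condition. Note too that `-D` removes a single match, so any duplicates appended by the -A path would survive. The head of check_and_disable_iptables, including that check, is outside the hunk.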
@@ -213,8 +216,9 @@ sflag=
 passive=0
 op=""
 checkup=0
+secure=1
 
-while getopts 'ADpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
+while getopts 'ADSpcl:n:g:r:N:e:i:t:T:s:d:' OPTION
 do
   case $OPTION in
   A)    opflag=1
@@ -260,6 +264,8 @@ do
         ;;
   c)    checkup=1
         ;;
+  S)    secure=0
+        ;;
   ?)    usage
         exit 2
         ;;
@@ -267,6 +273,10 @@ do
 done
 
 logger -t cloud "$(basename $0): parameters $*"
+if [ $secure -eq 1 ]
+then
+   iptables_secure=" -s $rightpeer -d $leftpeer "
+fi
 
 # get interface for public ip
 ip link|grep BROADCAST|grep -v eth0|cut -d ":" -f 2 > /tmp/iflist
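Review bot: The assignment `iptables_secure=" -s $rightpeer -d $leftpeer "` does not check that both peers were supplied, so with the new default of `secure=1` a missing -l or -r yields `-s  -d` in every rule and iptables rejects them, unless those options are validated later in the script, which this hunk does not show. A `:?` expansion makes the requirement explicit at the point of use: `iptables_secure=" -s ${rightpeer:?-r is required} -d ${leftpeer:?-l is required} "`. The variable is also left unset when -S is given; an explicit `iptables_secure=""` in an else branch would make the intent clear to the reader and survive a future `set -u`.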

