Posted to commits@cloudstack.apache.org by bh...@apache.org on 2012/10/26 18:08:00 UTC

git commit: CLOUDSTACK-417: Handle passwd-srvr securely on VR, port 8080

Updated Branches:
  refs/heads/master 6a9c588d3 -> dbe88c1ed


CLOUDSTACK-417: Handle passwd-srvr securely on VR, port 8080

By default do not enable port 8080 in iptables-router. Since the socat
server which serves the password runs in an infinite loop, any incorrect
attempt is returned bad_request and passwd-srvr won't break.

When /etc/init.d/cloud-passwd-srvr is started:
  - It finds and removes any old rules on port 8080, eth0
  - It applies iptables rule that accepts only traffic from private cidr.

When cloud-passwd-srvr is stopped:
  - It removes iptables rules on port 8080, eth0

Signed-off-by: Rohit Yadav <bh...@apache.org>


Project: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/commit/dbe88c1e
Tree: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/tree/dbe88c1e
Diff: http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/diff/dbe88c1e

Branch: refs/heads/master
Commit: dbe88c1ed3c120ff0e0f38c67b6a03e3665fe987
Parents: 6a9c588
Author: Rohit Yadav <bh...@apache.org>
Authored: Fri Oct 26 21:33:25 2012 +0530
Committer: Rohit Yadav <bh...@apache.org>
Committed: Fri Oct 26 21:37:32 2012 +0530

----------------------------------------------------------------------
 .../debian/config/etc/init.d/cloud-passwd-srvr     |   36 ++++++++++++++-
 .../debian/config/etc/iptables/iptables-router     |    1 -
 2 files changed, 35 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dbe88c1e/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr b/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
index e681841..7c938f7 100755
--- a/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
+++ b/patches/systemvm/debian/config/etc/init.d/cloud-passwd-srvr
@@ -29,10 +29,43 @@
 ENABLED=0
 [ -e /etc/default/cloud-passwd-srvr ] && . /etc/default/cloud-passwd-srvr
 
+add_iptables_rules()
+{
+  #Delete any old iptables rule for port 8080 on eth0
+  remove_iptables_rules
+
+  #For all cidrs on eth0 for port 8080 accept only if source is withing that cidr
+  for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+  do
+    iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m tcp -s $cidr --dport 8080 -j ACCEPT
+  done
+  echo "Added cloud-passwd-srvr iptables rules" && return 0
+}
+
+remove_iptables_rules()
+{
+  #Change the Internal Field Separator so the for loop, loops on lines and not spaces
+  OIFS="${IFS}"
+  NIFS=$'\n'
+  IFS="${NIFS}"
+
+  #Removed all iptable rules for port 8080 on eth0, they were added in start()
+  for srcdest in `iptables -L -n -v | grep eth0 | grep 8080 | grep ACCEPT | awk '{print "--source "$8" --destination "$9}'`;
+  do
+    eval "iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT";
+  done
+
+  #Restore IFS
+  IFS="${OIFS}"
+
+  echo "Removed cloud-passwd-srvr iptables rules" && return 0
+}
+
 start() {
   [ "$ENABLED" != 0 ]  || exit 0 
   pid=$(getpid)
   [ "$pid" != "" ] && echo "Password server is already running (pid=$pid)" && return 0
+  add_iptables_rules
   nohup bash /opt/cloud/bin/passwd_server &
 }
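Review bot: In add_iptables_rules the address list comes from `ip addr | grep eth0 | grep inet`, which also matches `inet6` lines, so any IPv6 address on eth0 is handed to iptables as `-s`, which fails, and the failure is hidden because the function ends with `echo ... && return 0` regardless of what iptables returned. Restricting the query to IPv4 on that interface, `for cidr in $(ip -4 -o addr show dev eth0 | awk '{print $4}')`, avoids both the inet6 match and the substring match on other interface names, and `iptables ... || return 1` before the echo would let start() see the error. remove_iptables_rules needs no `eval`: the parsed fields can be passed directly as `iptables -D INPUT -i eth0 -p tcp -m state --state NEW -m tcp $srcdest --dport 8080 -j ACCEPT` with word-splitting doing the work, which also removes the chance of executing anything else that appears in the parsed `iptables -L` output. The rules are appended with `-A`; if the INPUT chain in iptables-router ends in a DROP/REJECT rule (not visible here), they would land after it and never match, so `-I` may be the intended position — worth confirming. Both new functions and start() are fully within the hunk.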
 
@@ -50,7 +83,8 @@ stop_socat() {
 stop () {
   stop_socat
   pid=$(getpid)
-  [ "$pid" != "" ] && kill -9 $pid && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+  [ "$pid" != "" ] && kill -9 $pid && remove_iptables_rules && echo "Stopped password server (pid=$pid)" && stop_socat && return 0
+
   echo "Password server is not running" && return 0
 }
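Review bot: remove_iptables_rules on the changed line runs only when `kill -9 $pid` succeeds, so a stale pid (kill fails) or an already-stopped server leaves the port 8080 ACCEPT rules in place, which defeats scoping them to the service's lifetime. Calling it unconditionally at the top of the function, `stop_socat` then `remove_iptables_rules`, and dropping it from the `&&` chain makes stop always clean up. `kill -9` also gives passwd_server no chance to exit cleanly; sending TERM first would be the usual order, though that predates this change. stop() is fully within the hunk.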
 

http://git-wip-us.apache.org/repos/asf/incubator-cloudstack/blob/dbe88c1e/patches/systemvm/debian/config/etc/iptables/iptables-router
----------------------------------------------------------------------
diff --git a/patches/systemvm/debian/config/etc/iptables/iptables-router b/patches/systemvm/debian/config/etc/iptables/iptables-router
index 1aba34c..59d2e46 100644
--- a/patches/systemvm/debian/config/etc/iptables/iptables-router
+++ b/patches/systemvm/debian/config/etc/iptables/iptables-router
@@ -34,7 +34,6 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
--A INPUT -i eth0 -p tcp -m state --state NEW --dport 8080 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth2 -j ACCEPT