Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/03/24 07:20:48 UTC

[GitHub] [cloudstack] Spaceman1984 edited a comment on pull request #4847: Restricting http access on VR to internal network

Spaceman1984 edited a comment on pull request #4847:
URL: https://github.com/apache/cloudstack/pull/4847#issuecomment-805566088


   > > > I think the change in this line also needed.
   > > > https://github.com/apache/cloudstack/blob/master/systemvm/debian/etc/iptables/iptables-dhcpsrvr#L40
   > > 
   > > 
   > > In my testing, this was not needed.
   > 
   > @Spaceman1984 line 40 in systemvm/debian/etc/iptables/iptables-dhcpsrvr should be removed, as it opens http access to all internet.
   > `-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT`
   
   Doesn't seem like those rules are applied. This is the output from iptables-save:
   
   ```
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *mangle
   :PREROUTING ACCEPT [3051:197074]
   :INPUT ACCEPT [3051:197074]
   :FORWARD ACCEPT [0:0]
   :OUTPUT ACCEPT [886:99341]
   :POSTROUTING ACCEPT [886:99341]
   -A PREROUTING -m state --state RELATED,ESTABLISHED -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
   -A POSTROUTING -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   # Generated by iptables-save v1.6.2 on Wed Mar 24 07:15:19 2021
   *filter
   :INPUT DROP [2517:137372]
   :FORWARD DROP [0:0]
   :OUTPUT ACCEPT [886:99341]
   :FW_EGRESS_RULES - [0:0]
   :FW_OUTBOUND - [0:0]
   :NETWORK_STATS - [0:0]
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -d 192.168.10.11/32 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -j NETWORK_STATS
   -A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
   -A INPUT -d 224.0.0.18/32 -j ACCEPT
   -A INPUT -d 225.0.0.50/32 -j ACCEPT
   -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A INPUT -p icmp -j ACCEPT
   -A INPUT -i lo -j ACCEPT
   -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p udp -m udp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
   -A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
   -A FORWARD -j NETWORK_STATS
   -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
   -A FORWARD -i eth0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A OUTPUT -j NETWORK_STATS
   -A FW_OUTBOUND -m state --state RELATED,ESTABLISHED -j ACCEPT
   -A NETWORK_STATS -i eth0 -o eth2
   -A NETWORK_STATS -i eth2 -o eth0
   -A NETWORK_STATS ! -i eth0 -o eth2 -p tcp
   -A NETWORK_STATS -i eth2 ! -o eth0 -p tcp
   COMMIT
   # Completed on Wed Mar 24 07:15:19 2021
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
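The thread turns on whether an INPUT rule accepting TCP/80 without a `-s` source restriction (the shape of the iptables-dhcpsrvr line quoted above) is present in the running ruleset. The following check, added here as an example and not code from the PR or from CloudStack, parses an iptables-save dump and reports exactly those rules; the sample dump is constructed from the rule shapes in this thread, and the port list and interface names are assumptions.

```python
"""Flag INPUT rules in an iptables-save dump that ACCEPT TCP connections to
HTTP ports without any positive source-address (-s) restriction."""
import shlex

HTTP_PORTS = {"80", "8080", "443"}  # assumed set of ports worth checking

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we care about.
    Unknown options are skipped; a leading '!' records the next option as negated."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None  # table, chain policy, COMMIT or comment line
    rule = {"chain": toks[1], "negated": set()}
    negate, i = False, 2
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t in ("-i", "-o", "-p", "-s", "-d", "--dport", "--sport", "-j", "--state"):
            rule[t] = toks[i + 1] if i + 1 < len(toks) else None
            if negate:
                rule["negated"].add(t)
            i += 2
        elif t == "-m":
            i += 2  # match extension name (tcp, state, ...) carries no value we need
        else:
            i += 1  # argument-less flags such as --restore-mark
        negate = False
    return rule

def unrestricted_http_accepts(dump, ports=HTTP_PORTS, iface=None):
    """Return rule lines that ACCEPT tcp to one of `ports` on chain INPUT with no
    positive -s match (a negated '! -s' does not restrict the source either).
    With iface set, only rules for that input interface are considered."""
    hits = []
    for raw in dump.splitlines():
        line = raw.strip()
        r = parse_rule(line)
        if not r or r["chain"] != "INPUT" or r.get("-j") != "ACCEPT":
            continue
        if r.get("-p") != "tcp" or r.get("--dport") not in ports:
            continue
        if iface and r.get("-i") != iface:
            continue
        if "-s" not in r or "-s" in r["negated"]:
            hits.append(line)
    return hits

# Constructed sample dump: the restricted rules from the posted iptables-save
# output plus the unrestricted iptables-dhcpsrvr line under discussion.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 192.168.10.11/32 -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.10.0/24 -i eth0 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3922 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for hit in unrestricted_http_accepts(SAMPLE):
        print("open to any source:", hit)
```

Run it against `iptables-save` output (for example `iptables-save | python3 check.py` after swapping `SAMPLE` for `sys.stdin.read()`) to confirm whether the unrestricted rule is actually loaded.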