
B #3556: Fix IP spoofing filters (#3558)

Signed-off-by: Venko Moyankov <venko@storpool.com>
This commit is contained in:
vmoyankov 2019-07-29 14:51:26 +03:00 committed by Ruben S. Montero
parent 01d293654a
commit 4ca50f7519


@ -350,8 +350,8 @@ module SGIPTables
# --physdev-is-bridged -j one-3-0-i"
# iptables -I opennebula -m physdev --physdev-in vnet0
# --physdev-is-bridged -j one-3-0-o"
# iptables -A one-3-0-i -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A one-3-0-o -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A one-3-0-i -m state --state ESTABLISHED,RELATED -j RETURN
# iptables -A one-3-0-o -m state --state ESTABLISHED,RELATED -j RETURN
#
# Mac spoofing (no output traffic from a different MAC)
# iptables -A one-3-0-o -m mac ! --mac-source 02:00:00:00:00:01 -j DROP
@ -386,31 +386,31 @@ module SGIPTables
# ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6)
## Allow routers to send router advertisements
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 134 "\
"-j ACCEPT"
"-j RETURN"
## Allow neighbor solicitations to reach the host
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 135 "\
"-j ACCEPT"
"-j RETURN"
## Allow neighbor solicitations replies to reach the host
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 136 "\
"-j ACCEPT"
"-j RETURN"
## Allow routers to send Redirect messages
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 137 "\
"-j ACCEPT"
"-j RETURN"
## Allow the host to send a router solicitation
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 133 "\
"-j ACCEPT"
"-j RETURN"
## Allow the host to send neighbor solicitation requests
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 135 "\
"-j ACCEPT"
"-j RETURN"
## Allow the host to send neighbor solicitation replies
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 136 "\
"-j ACCEPT"
"-j RETURN"
# Mac-spofing
if nic[:filter_mac_spoofing] == "YES"
@ -432,7 +432,7 @@ module SGIPTables
#bootp
commands.add :iptables, "-A #{chain_out} -p udp "\
"--source 0.0.0.0/32 --sport 68 --destination "\
"255.255.255.255/32 --dport 67 -j ACCEPT"
"255.255.255.255/32 --dport 67 -j RETURN"
set = "#{vars[:chain]}-ip-spoofing"
@ -473,13 +473,13 @@ module SGIPTables
# Related, Established
commands.add :iptables, "-A #{chain_in} -m state"\
" --state ESTABLISHED,RELATED -j ACCEPT"
" --state ESTABLISHED,RELATED -j RETURN"
commands.add :iptables, "-A #{chain_out} -m state"\
" --state ESTABLISHED,RELATED -j ACCEPT"
" --state ESTABLISHED,RELATED -j RETURN"
commands.add :ip6tables, "-A #{chain_in} -m state"\
" --state ESTABLISHED,RELATED -j ACCEPT"
" --state ESTABLISHED,RELATED -j RETURN"
commands.add :ip6tables, "-A #{chain_out} -m state"\
" --state ESTABLISHED,RELATED -j ACCEPT"
" --state ESTABLISHED,RELATED -j RETURN"
commands.run!
end
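Review bot: Nothing in the code records why the ESTABLISHED,RELATED rules in this hunk (and the ICMPv6, bootp and comment-block hunks above) now end in `-j RETURN` rather than `-j ACCEPT`, so a later cleanup could quietly reintroduce ACCEPT and the bypass with it. The distinction matters because these `one-<vm>-<nic>` chains are jumped to from the `opennebula` chain (see the `-I opennebula -m physdev ... -j one-3-0-i` comment in the first hunk): RETURN sends the packet back there to be evaluated by the rules that follow, whereas ACCEPT ends traversal for the whole built-in chain. I would add, above the first ESTABLISHED,RELATED rule: `# RETURN, not ACCEPT: these per-NIC chains are reached by a jump from the 'opennebula' chain, so matched traffic must go back there to be evaluated by the rules that follow; an ACCEPT would end traversal for the whole packet (#3556).` Presumably the same reasoning applies to any `-j ACCEPT` still emitted for these chains outside the diff, for example the rules built after `set = "#{vars[:chain]}-ip-spoofing"`; worth confirming none remain. The enclosing method starts outside this hunk.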