Hi Sanjeev,

I added some comments to the issue on Jira, but will share it here as well 
since not many people are watching the issue:

I updated the CsAddress.py file and deployed a KVM datacenter with new 
agent/common RPM packages. The router now has INPUT/FORWARD set to DROP instead 
of ACCEPT.

However, it seems to block communication with the host, since the router stays 
stuck in the "starting" state on the ACS management server.

I managed to access the router via libvirt console command. See details below:

[root@kvm2 ~]# virsh console 4
Connected to domain r-4-VM
Escape character is ^]

root@r-4-VM:~# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10086
NETWORK_STATS  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             vrrp.mcast.net      
ACCEPT     all  --  anywhere             225.0.0.50          
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             vrrp.mcast.net
ACCEPT     all  --  anywhere             225.0.0.50
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http state NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
NETWORK_STATS  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NETWORK_STATS  all  --  anywhere             anywhere            

Chain NETWORK_STATS (3 references)
target     prot opt source               destination         
           all  --  anywhere             anywhere            
           all  --  anywhere             anywhere            
           tcp  --  anywhere             anywhere            
           tcp  --  anywhere             anywhere            
root@r-4-VM:~# 

I will compare the new iptables configuration with the old 
iptables-vpcrouter/iptables-router files.

Cheers,
Wilder
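
As an added example (my own code, not from the thread or from CloudStack), a small Python checker for listings like the one above: it parses `iptables --list` text, reports whether INPUT and FORWARD default to DROP, and flags catch-all ACCEPT rules that would make a DROP policy moot; the sample listing is constructed from the output quoted above.

```python
import re

# Constructed sample modelled on the VR's `iptables --list` output quoted above.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:10086
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state NEW

Chain NETWORK_STATS (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere
"""
# Built-in chains show a policy; user-defined chains show a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")

def parse_iptables_list(text):
    # Returns {chain: {"policy": str or None, "rules": [(target, proto, extra)]}}
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue
        parts = line.split()
        if line[0].isspace():  # blank target column (pure counting rule)
            parts.insert(0, "")
        # columns: target prot opt source destination [match text ...]
        chains[current]["rules"].append((parts[0], parts[1], " ".join(parts[5:])))
    return chains

def audit(chains):
    findings = []
    for name in ("INPUT", "FORWARD"):
        policy = chains.get(name, {}).get("policy")
        if policy != "DROP":
            findings.append(f"{name}: default policy is {policy}, expected DROP")
    for name, chain in chains.items():
        for target, proto, extra in chain["rules"]:
            # An unqualified 'ACCEPT all anywhere anywhere' voids a DROP policy unless it is
            # bound to an interface; plain --list hides -i/-o, so confirm with -L -v -n.
            if target == "ACCEPT" and proto == "all" and not extra:
                findings.append(f"{name}: catch-all ACCEPT rule (check -i/-o with -L -v -n)")
    return findings
```

Feed it the output of `iptables --list` on the router (or, better, `iptables -L -v -n`, which also shows the interface each rule is bound to) to see at a glance what the DROP policy really covers.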


> On 31 Jul 2015, at 06:03, Sanjeev N <sanj...@apache.org> wrote:
> 
> Thanks for working on it Wilder !!
> 
> On Thu, Jul 30, 2015 at 6:05 PM, Wilder Rodrigues <wrodrig...@schubergphilis.com> wrote:
> 
>> Hi,
>> 
>> We discussed that one yesterday and I already assigned the issue to myself
>> on Jira. I will fix it.
>> 
>> Cheers,
>> Wilder
>> 
>> 
>> 
>>> On 30 Jul 2015, at 14:09, Sanjeev N <sanj...@apache.org> wrote:
>>> 
>>> Agree with Kishan Kavala and Jayapal.
>>> 
>>> On Thu, Jul 30, 2015 at 2:13 PM, Kishan Kavala <kishan.kav...@citrix.com> wrote:
>>> 
>>>> This is a security issue with high impact.
>>>> We should treat it as a blocker.
>>>> 
>>>> -----Original Message-----
>>>> From: Jayapal Reddy Uradi [mailto:jayapalreddy.ur...@citrix.com]
>>>> Sent: 30 July 2015 02:07 PM
>>>> To: <dev@cloudstack.apache.org> <dev@cloudstack.apache.org>
>>>> Subject: Re: [Blocker] Default ip table rules on VR
>>>> 
>>>> I see VR ingress traffic is blocked by default from iptables mangle table.
>>>> But on the guest interface all the traffic is accepted.
>>>> Also egress firewall rule will break because of FORWARD policy.
>>>> 
>>>> Thanks,
>>>> Jayapal
>>>> 
>>>> On 30-Jul-2015, at 12:53 PM, Jayapal Reddy Uradi <jayapalreddy.ur...@citrix.com> wrote:
>>>> 
>>>>> 
>>>>> It is a security concern on the VR. All the ingress traffic onto the VR is accepted.
>>>>> Let it be blocker.
>>>>> 
>>>>> Thanks,
>>>>> Jayapal
>>>>> 
>>>>> On 30-Jul-2015, at 12:28 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote:
>>>>> 
>>>>>> I changed it to critical. It is only a blocker if we agree on this
>>>>>> list that it is.
>>>>>> 
>>>>>> On Thu, Jul 30, 2015 at 6:44 AM, Sanjeev N <sanj...@apache.org> wrote:
>>>>>>> Hi,
>>>>>>> 
>>>>>>> In latest ACS builds, the ip table rules in VR have ACCEPT as the
>>>>>>> default policy in INPUT and FORWARD chains, instead of DROP.
>>>>>>> 
>>>>>>> Created a blocker bug for this issue
>>>>>>> https://issues.apache.org/jira/browse/CLOUDSTACK-8688
>>>>>>> 
>>>>>>> Can somebody please fix it?
>>>>>>> 
>>>>>>> Thanks,
>>>>>>> Sanjeev
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Daan
>>>>> 
>>>> 
>>>> 
>> 
>> 