Bug #2113

Handling of eole-firewall for bridge mode

Added by Emmanuel GARETTE over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal
Assigned To:
Category: -
Start date: 09/26/2011
Due date:
% Done: 100%
Estimated time: 0.50 h
Spent time:
Distribution: EOLE 2.3

Description

If the additional interfaces are in bridge mode, eole-firewall blocks communication.

Inter-container communication, and communication between the outside and the containers, should be open.

Allow FORWARD on the interface (inter-container communication, and probably (but not tested) between the outside and the containers):

--- /root/end_static_rules.sh    2011-09-26 22:01:41.859838229 +0200
+++ /usr/share/eole/creole/distrib/end_static_rules.sh    2011-09-26 22:46:02.275938785 +0200
@@ -1,10 +1,23 @@
+%set global %%method_eth0='macvlan'
+%set global %%method_eth1='macvlan'
+%set global %%method_eth2='macvlan'
+%set global %%method_eth3='macvlan'
+%set global %%method_eth4='macvlan'
+%include "/etc/eole/containers_bridge.conf" 
+
 %if %%adresse_ip_br0 != "127.0.0.1" 
-/sbin/iptables -t nat -A POSTROUTING -o eth0 -s %%adresse_network_br0/%%adresse_netmask_br0 -d 0.0.0.0/0.0.0.0 -j SNAT --to-source %%adresse_ip_eth0
+
+ %if %%method_eth0 == 'bridge'
+%set %%interface_eth0='breth0'
+ %else
+%set %%interface_eth0='eth0'
+ %end if
+/sbin/iptables -t nat -A POSTROUTING -o %%interface_eth0 -s %%adresse_network_br0/%%adresse_netmask_br0 -d 0.0.0.0/0.0.0.0 -j SNAT --to-source %%adresse_ip_eth0
 /sbin/iptables -A INPUT -s %%adresse_network_br0/%%adresse_netmask_br0 -d %%adresse_ip_br0 -i br0 -p tcp -m tcp --dport 514 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

 /sbin/iptables -A INPUT -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 /sbin/iptables -A FORWARD -i br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-/sbin/iptables -A FORWARD -i eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
+/sbin/iptables -A FORWARD -i %%interface_eth0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

 /sbin/iptables -A cont-cont -m limit --limit 15/min -j LOG --log-prefix="DROP container->container: " 
 /sbin/iptables -A cont-cont -j DROP
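Review bot: `%%interface_eth0` is only defined inside the `%if %%adresse_ip_br0 != "127.0.0.1"` block (the `%if %%method_eth0 == 'bridge'` / `%set %%interface_eth0=...` / `%end if` lines), yet the next hunk uses it in the `%%nombre_interfaces` blocks and in the final `INPUT -i %%interface_eth0 -j wide-root` rule, both outside that conditional; on a host where adresse_ip_br0 is 127.0.0.1 the variable is never set and the template will fail to render. Move the `%set %%interface_eth0` block up next to the `%set global %%method_ethN='macvlan'` defaults, before the br0 test. Those defaults plus `%include "/etc/eole/containers_bridge.conf"` also assume the file exists and is written with the `%set global %%method_eth0=` spelling, while the fwobjects.py patch below looks for `#set global $method_eth0='bridge'` in the same file; check which spelling the file actually contains, since only one of the two patches can be matching it.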
@@ -20,41 +33,64 @@

 /sbin/iptables -A wide-wide -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A wide-wide -j DROP
-/sbin/iptables -A FORWARD -i eth0 -o eth0 -j wide-wide
+/sbin/iptables -A FORWARD -i %%interface_eth0 -o %%interface_eth0 -j wide-wide

 %end if

 %if %%nombre_interfaces >= "2" 
 /sbin/iptables -A eth1-root -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth1-root -j DROP
+ %if %%method_eth1 == 'bridge'
+/sbin/iptables -A FORWARD -i breth1 -j ACCEPT
+/sbin/iptables -A INPUT -i breth1 -j eth1-root
+ %else
 /sbin/iptables -A INPUT -i eth1 -j eth1-root
+ %end if

 /sbin/iptables -A eth0-eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth0-eth1 -j DROP
-/sbin/iptables -A FORWARD -i eth0 -o eth1 -j eth0-eth1
+/sbin/iptables -A FORWARD -i %%interface_eth0 -o eth1 -j eth0-eth1

 /sbin/iptables -A eth1-eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth1-eth0 -j DROP
-/sbin/iptables -A FORWARD -i eth1 -o eth0 -j eth1-eth0
+/sbin/iptables -A FORWARD -i eth1 -o %%interface_eth0 -j eth1-eth0
 %end if
 %if %%nombre_interfaces >= "3" 
 /sbin/iptables -A eth2-root -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth2-root -j DROP
+ %if %%method_eth2 == 'bridge'
+/sbin/iptables -A FORWARD -i breth2 -j ACCEPT
+/sbin/iptables -A INPUT -i breth2 -j eth2-root
+ %else
 /sbin/iptables -A INPUT -i eth2 -j eth2-root
+ %end if
 %end if
 %if %%nombre_interfaces >= "4" 
 /sbin/iptables -A eth3-root -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth3-root -j DROP
+ %if %%method_eth3 == 'bridge'
+/sbin/iptables -A FORWARD -i breth3 -j ACCEPT
+/sbin/iptables -A INPUT -i breth3 -j eth3-root
+ %else
 /sbin/iptables -A INPUT -i eth3 -j eth3-root
+ %end if
 %end if
 %if %%nombre_interfaces >= "5" 
 /sbin/iptables -A eth4-root -m state --state ESTABLISHED,RELATED -j ACCEPT
 /sbin/iptables -A eth4-root -j DROP
+ %if %%method_eth4 == 'bridge'
+/sbin/iptables -A FORWARD -i breth4 -j ACCEPT
+/sbin/iptables -A INPUT -i breth4 -j eth4-root
+ %else
 /sbin/iptables -A INPUT -i eth4 -j eth4-root
+ %end if
 %end if

 /sbin/iptables -A wide-root -m state --state ESTABLISHED,RELATED -j ACCEPT
 #desactive les logs wide->root
 #/sbin/iptables -A DROP_W2R  -m limit --limit 15/min -j LOG --log-prefix="DROP wide->root: " 
 /sbin/iptables -A wide-root -j DROP
-/sbin/iptables -A INPUT -i eth0 -j wide-root
+ %if %%method_eth0 == 'bridge'
+/sbin/iptables -A FORWARD -i breth0 -j ACCEPT
+ %end if
+/sbin/iptables -A INPUT -i %%interface_eth0 -j wide-root
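Review bot: `/sbin/iptables -A FORWARD -i breth1 -j ACCEPT` (and likewise for breth2..breth4) has no `-o` match, so it accepts every new connection entering on the bridge towards any output interface, including br0 and eth0, and it is appended before `FORWARD -i %%interface_eth0 -o eth1 -j eth0-eth1` and `-i eth1 -o %%interface_eth0 -j eth1-eth0`, whose default is DROP; in bridge mode the eth1<->eth0 isolation those chains implement is therefore bypassed. If the goal is container<->container and outside<->container on the same segment, `-i brethN -o brethN -j ACCEPT` is enough (bridged frames traverse FORWARD with the bridge as both input and output interface when bridge-nf-call-iptables is on). The breth0 case has the opposite problem: `-i breth0 -j ACCEPT` is appended after `FORWARD -i %%interface_eth0 -o %%interface_eth0 -j wide-wide`, which drops new connections, so for breth0->breth0 traffic the ACCEPT is never reached; this is most likely the "not tested" outside->container path. The eth0-eth1/eth1-eth0 rules also still hard-code `eth1` rather than `breth1` when eth1 is bridged.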

In eole-firewall, automatically change the ethx names to brethx where needed (not fully tested):

fwobjects.py
--- fwobjects.py    2011-09-26 22:52:31.716625257 +0200
+++ /usr/share/eole/bastion/fwobjects.py    2011-09-26 23:00:24.140377644 +0200
@@ -19,6 +19,12 @@
 state_policy='-m policy'
 state_ipsec_target='{0} --pol ipsec --proto esp --dir'.format(state_policy)

+bridge=open('/etc/eole/containers_bridge.conf').readlines()
+interfaces_brige=[]
+for i in range(0, 5):
+    if "#set global $method_eth%s='bridge'\n" % i in bridge:
+        interfaces_brige.append('eth%s'%i)
+
 def join(*args):
     return " ".join(list(args))

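Review bot: the bridge detection reads /etc/eole/containers_bridge.conf at module import and does an exact line match on `"#set global $method_eth%s='bridge'\n"`; any whitespace, quoting or comment variation (including the `%set global %%method_eth0` spelling used by the end_static_rules.sh patch above) silently yields no bridged interfaces, and a missing file raises IOError at import time and breaks every eole-firewall run, bridge mode or not. Parse with a tolerant regex inside a try/except that treats an absent file as "no bridges", close the file handle, and fix the `interfaces_brige` name.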
@@ -64,9 +70,15 @@
     def is_era(self):
         return is_installed('era')

+    def calc_interface(self, interface):
+        if interface in interfaces_brige:
+            return 'br' + interface
+        return interface
+
     def _build_wide_src_allow(self):
+        interface = self.calc_interface(self.interface1)
         if self.is_era():
-            return "# rule from %s to %s port1 %s int %s desactivated with era" % (self.ip1, self.ip2, self.port1, self.interface1)
+            return "# rule from %s to %s port1 %s int %s desactivated with era" % (self.ip1, self.ip2, self.port1, interface)
         if self.protocol == 'tcp':
             port_target = tcp_port_target
         elif self.protocol == 'udp':
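Review bot: `calc_interface` does not use `self` and hard-codes the `'br' + interface` naming convention that end_static_rules.sh also hard-codes as breth0..breth4; there is no single source for that convention, so either derive both from containers_bridge.conf or document that the two must stay in sync. A module-level function next to `interfaces_brige` would make that coupling visible.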
@@ -74,11 +86,11 @@
         else:
             raise Exception("Protocol %s not supported in _build_wide_src_allow"%self.protocol)

-        ret = join(ipt, forward_target, '-i', self.interface1, '-s',
+        ret = join(ipt, forward_target, '-i', interface, '-s',
                 str(self.ip2), port_target, str(self.port1),
                 '-d', str(self.ip1), accept_target)
         ret += '\n'
-        ret += join(ipt, prerouting_target, '-i', self.interface1, '-s',
+        ret += join(ipt, prerouting_target, '-i', interface, '-s',
                 str(self.ip2), port_target, str(self.port2),
                 dnat_target, '{0}:{1}'.format(str(self.ip1), str(self.port2)))
         return ret
@@ -86,6 +98,7 @@
     def _build_wide_dst_allow(self):
         #if self.is_era():
         #    return "# rule from %s to %s port %s int %s desactivated with era" % (self.ip1, self.ip2, self.port, self.interface)
+        interface = self.calc_interface(self.interface1)
         if self.protocol == 'tcp':
             build_target = join(tcp_port_target, str(self.port1))
         elif self.protocol == 'udp':
@@ -97,7 +110,7 @@
         else:
             raise Exception("Protocol %s not supported in _build_wide_dst_allow"%self.protocol)

-        return join(ipt, forward_target, '-i', 'br0', '-o', self.interface1,
+        return join(ipt, forward_target, '-i', 'br0', '-o', interface,
                 '-s', str(self.ip1), build_target,
                 '-d', str(self.ip2), accept_target)
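Review bot: the outgoing side is now `-o interface` (breth0 when eth0 is bridged) while the incoming side stays the literal `'br0'`, which matches the `FORWARD -i %%interface_eth0 -o br0 ... RELATED,ESTABLISHED` rule in end_static_rules.sh for the return traffic; the `interface = self.calc_interface(self.interface1)` assignment in the previous hunk is only consumed here, so it can sit directly above this `return` rather than before the protocol check.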


Related issues

Related to eole-common - Bug #2111: Creation of the additional bridges for the containers (Closed, 09/26/2011)

Associated revisions

Revision 04bb4d86 (diff)
Added by Joël Cuissinat over 11 years ago

end_static_rules.sh: apply the patch for the bridges (fixes #2113)

Revision f4f190a0 (diff)
Added by Joël Cuissinat over 11 years ago

fwobjects.py: apply the patch for the bridges (fixes #2113)

History

#1 Updated by Joël Cuissinat over 11 years ago

  • Target version set to Mises à jour 2.3 - 03 RC

#2 Updated by Joël Cuissinat over 11 years ago

  • Assigned To set to Joël Cuissinat
  • Target version changed from Mises à jour 2.3 - 03 RC to Mises à jour 2.3 - 02 Stable
  • Estimated time set to 0.50 h
  • Distribution set to EOLE 2.3

#3 Updated by Joël Cuissinat over 11 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

#5 Updated by Joël Cuissinat over 11 years ago

  • Status changed from Resolved to Closed

=> Operation to be validated on Eclair
