merged fix-iptables

nova/flags.py

@@ -188,7 +188,9 @@ DEFINE_string('rabbit_userid', 'guest', 'rabbit userid')
 DEFINE_string('rabbit_password', 'guest', 'rabbit password')
 DEFINE_string('rabbit_virtual_host', '/', 'rabbit virtual host')
 DEFINE_string('control_exchange', 'nova', 'the main exchange to connect to')
-DEFINE_string('ec2_url', 'http://127.0.0.1:8773/services/Cloud',
+DEFINE_string('cc_host', '127.0.0.1', 'ip of api server')
+DEFINE_integer('cc_port', 8773, 'cloud controller port')
+DEFINE_string('ec2_url', 'http://%s:%s/services/Cloud' % (FLAGS.cc_host, FLAGS.cc_port),
               'Url to ec2 api server')
 
 DEFINE_string('default_image', 'ami-11111',

nova/manager.py

@@ -37,3 +37,10 @@ class Manager(object):
         if not db_driver:
             db_driver = FLAGS.db_driver
         self.db = utils.import_object(db_driver)  # pylint: disable-msg=C0103
+
+    def init_host(self):
+       """Do any initialization that needs to be run if this is a standalone service.
+       
+       Child classes should override this method.
+       """
+

nova/network/linux_net.py

@@ -36,13 +36,30 @@ flags.DEFINE_string('dhcpbridge_flagfile',
 flags.DEFINE_string('networks_path', utils.abspath('../networks'),
                     'Location to keep network config files')
 flags.DEFINE_string('public_interface', 'vlan1',
-                        'Interface for public IP addresses')
+                    'Interface for public IP addresses')
 flags.DEFINE_string('bridge_dev', 'eth0',
-                        'network device for bridges')
-
+                    'network device for bridges')
+flags.DEFINE_string('routing_source_ip', utils.get_my_ip(),
+                    'Public IP of network host')
 
 DEFAULT_PORTS = [("tcp", 80), ("tcp", 22), ("udp", 1194), ("tcp", 443)]
 
+def init_host():
+    """Basic networking setup goes here"""
+    # NOTE(devcamcar): Cloud public DNAT entries, CloudPipe port
+    # forwarding entries and a default DNAT entry.
+    _confirm_rule("-t nat -A nova_prerouting -s 0.0.0.0/0 "
+             "-d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT "
+             "--to-destination %s:%s" % (FLAGS.cc_host, FLAGS.cc_port))
+
+    # NOTE(devcamcar): Cloud public SNAT entries and the default
+    # SNAT rule for outbound traffic.
+    _confirm_rule("-t nat -A nova_postrouting -s %s "
+             "-j SNAT --to-source %s"
+             % (FLAGS.private_range, FLAGS.routing_source_ip))
+
+    _confirm_rule("-A nova_postrouting -s %s MASQUERADE" % FLAGS.private_range)
+    _confirm_rule("-A nova_postrouting -s %(range)s -d %(range)s" % {'range': FLAGS.private_range})
 
 def bind_floating_ip(floating_ip):
     """Bind ip to public interface"""
@@ -58,37 +75,37 @@ def unbind_floating_ip(floating_ip):
 
 def ensure_vlan_forward(public_ip, port, private_ip):
     """Sets up forwarding rules for vlan"""
-    _confirm_rule("FORWARD -d %s -p udp --dport 1194 -j ACCEPT" % private_ip)
+    _confirm_rule("nova_forward -d %s -p udp --dport 1194 -j ACCEPT" % private_ip)
     _confirm_rule(
-        "PREROUTING -t nat -d %s -p udp --dport %s -j DNAT --to %s:1194"
+        "nova_prerouting -t nat -d %s -p udp --dport %s -j DNAT --to %s:1194"
             % (public_ip, port, private_ip))
 
 
 def ensure_floating_forward(floating_ip, fixed_ip):
     """Ensure floating ip forwarding rule"""
-    _confirm_rule("PREROUTING -t nat -d %s -j DNAT --to %s"
+    _confirm_rule("nova_prerouting -t nat -d %s -j DNAT --to %s"
                            % (floating_ip, fixed_ip))
-    _confirm_rule("POSTROUTING -t nat -s %s -j SNAT --to %s"
+    _confirm_rule("nova_postrouting -t nat -s %s -j SNAT --to %s"
                            % (fixed_ip, floating_ip))
     # TODO(joshua): Get these from the secgroup datastore entries
-    _confirm_rule("FORWARD -d %s -p icmp -j ACCEPT"
+    _confirm_rule("nova_forward -d %s -p icmp -j ACCEPT"
                            % (fixed_ip))
     for (protocol, port) in DEFAULT_PORTS:
         _confirm_rule(
-            "FORWARD -d %s -p %s --dport %s -j ACCEPT"
+            "nova_forward -d %s -p %s --dport %s -j ACCEPT"
             % (fixed_ip, protocol, port))
 
 
 def remove_floating_forward(floating_ip, fixed_ip):
     """Remove forwarding for floating ip"""
-    _remove_rule("PREROUTING -t nat -d %s -j DNAT --to %s"
+    _remove_rule("nova_prerouting -t nat -d %s -j DNAT --to %s"
                           % (floating_ip, fixed_ip))
-    _remove_rule("POSTROUTING -t nat -s %s -j SNAT --to %s"
+    _remove_rule("nova_postrouting -t nat -s %s -j SNAT --to %s"
                           % (fixed_ip, floating_ip))
-    _remove_rule("FORWARD -d %s -p icmp -j ACCEPT"
+    _remove_rule("nova_forward -d %s -p icmp -j ACCEPT"
                           % (fixed_ip))
     for (protocol, port) in DEFAULT_PORTS:
-        _remove_rule("FORWARD -d %s -p %s --dport %s -j ACCEPT"
+        _remove_rule("nova_forward -d %s -p %s --dport %s -j ACCEPT"
                               % (fixed_ip, protocol, port))
 
 
@@ -124,7 +141,7 @@ def ensure_bridge(bridge, interface, net_attrs=None):
                      net_attrs['gateway'],
                      net_attrs['broadcast'],
                      net_attrs['netmask']))
-            _confirm_rule("FORWARD --in-interface %s -j ACCEPT" % bridge)
+            _confirm_rule("nova_forward --in-interface %s -j ACCEPT" % bridge)
         else:
             _execute("sudo ifconfig %s up" % bridge)
 

nova/network/manager.py

@@ -218,6 +218,13 @@ class FlatManager(NetworkManager):
 
 class VlanManager(NetworkManager):
     """Vlan network with dhcp"""
+    
+    def init_host(self):
+        """Do any initialization that needs to be run if this is a
+           standalone service.
+        """
+        driver.init_host()
+
     def allocate_fixed_ip(self, context, instance_id, *args, **kwargs):
         """Gets a fixed ip from the pool"""
         network_ref = self.db.project_get_network(context, context.project.id)

tools/setup_ipchains.sh

@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+CMD="global"
+IP="XXX"
+PRIVATE_RANGE="10.128.0.0/12"
+
+if [ -n "$1" ]; then
+    CMD=$1
+fi
+
+if [ -n "$2" ]; then
+    IP=$2
+fi
+
+if [ -n "$3" ]; then
+    PRIVATE_RANGE=$3
+fi
+
+if [ "$CMD" == "global" ]; then
+    iptables -P INPUT DROP
+    iptables -A INPUT -m state --state INVALID -j DROP 
+    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+    iptables -A INPUT -m tcp -p tcp -d $MGMT_IP --dport 22 -j ACCEPT
+    iptables -A INPUT -m udp -p udp --dport 123 -j ACCEPT
+    iptables -N nova_input
+    iptables -A INPUT -j nova_input
+    iptables -A INPUT -p icmp -j ACCEPT 
+    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset 
+    iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable 
+
+    iptables -P FORWARD DROP
+    iptables -A FORWARD -m state --state INVALID -j DROP 
+    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
+    iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu 
+    iptables -N nova_forward
+    iptables -A FORWARD -j nova_forward
+
+    iptables -P OUTPUT DROP
+    iptables -A OUTPUT -m state --state INVALID -j DROP 
+    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
+    iptables -N nova_output
+    iptables -A OUTPUT -j nova_output
+    
+    iptables -t nat -N nova_prerouting
+    iptables -t nat -A PREROUTING -j nova_prerouting
+
+    iptables -t nat -N nova_postrouting
+    iptables -t nat -A POSTROUTING -j nova_postrouting
+
+    iptables -t nat -N nova_output
+    iptables -t nat -A OUTPUT -j nova_output
+
+    # ganglia (all hosts)
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 8649 -j ACCEPT
+    iptables -A nova_input -m udp -p udp -d $IP --dport 8649 -j ACCEPT
+fi
+
+if [ "$CMD" == "dashboard" ]; then
+    # dashboard
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 80 -j ACCEPT
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 443 -j ACCEPT
+fi
+
+if [ "$CMD" == "objectstore" ]; then
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3333 -j ACCEPT
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 8773 -j ACCEPT
+fi
+
+if [ "$CMD" == "redis" ]; then
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 6379 -j ACCEPT
+fi
+
+if [ "$CMD" == "mysql" ]; then
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 3306 -j ACCEPT
+fi
+
+if [ "$CMD" == "rabbitmq" ]; then
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 4369 -j ACCEPT
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 5672 -j ACCEPT
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 53284 -j ACCEPT
+fi
+
+if [ "$CMD" == "dnsmasq" ]; then
+    # NOTE(vish): this could theoretically be setup per network
+    #             for each host, but it seems like overkill
+    iptables -A nova_input -m tcp -p tcp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
+    iptables -A nova_input -m udp -p udp -s $PRIVATE_RANGE --dport 53 -j ACCEPT
+    iptables -A nova_input -m udp -p udp --dport 67 -j ACCEPT
+
+if [ "$CMD" == "ldap" ]; then
+    iptables -A nova_input -m tcp -p tcp -d $IP --dport 389 -j ACCEPT
+fi
+
+