apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-5297: Fix ACL rules on VPN for VPC

Browse Source 
Insert a new iptables chain for FORWARD chain, in order to let following ACL
rules being executed as well.
This commit is contained in:
Sheng Yang 2013-12-09 17:28:53 -08:00
parent fe83dd621b
commit 3ccdf67dfb
1 changed files with 24 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
systemvm/patches/debian/vpn/opt/cloud/bin/vpn_l2tp.sh
View File

@ -35,21 +35,41 @@ get_intf_ip() {
iptables_() { iptables_() {
local op=$1 local op=$1
local public_ip=$2 local public_ip=$2
local is_vpc=false
local forward_action="ACCEPT"
if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null
then
is_vpc=true
fi
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 500 -j ACCEPT
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT sudo iptables $op INPUT -i $dev --dst $public_ip -p udp -m udp --dport 1701 -j ACCEPT
sudo iptables $op INPUT -i $dev -p ah -j ACCEPT sudo iptables $op INPUT -i $dev -p ah -j ACCEPT
sudo iptables $op INPUT -i $dev -p esp -j ACCEPT sudo iptables $op INPUT -i $dev -p esp -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT if $is_vpc
sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT then
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT # Need to apply the following ACL rules as well.
if sudo iptables -N VPN_FORWARD &> /dev/null
then
sudo iptables -I FORWARD -i ppp+ -j VPN_FORWARD
sudo iptables -I FORWARD -o ppp+ -j VPN_FORWARD
sudo iptables -A VPN_FORWARD -j DROP
fi
sudo iptables $op VPN_FORWARD -i ppp+ -o ppp+ -j RETURN
sudo iptables $op VPN_FORWARD -i ppp+ -d $cidr -j RETURN
sudo iptables $op VPN_FORWARD -s $cidr -o ppp+ -j RETURN
else
sudo iptables $op FORWARD -i ppp+ -d $cidr -j ACCEPT
sudo iptables $op FORWARD -s $cidr -o ppp+ -j ACCEPT
sudo iptables $op FORWARD -i ppp+ -o ppp+ -j ACCEPT
fi
sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT sudo iptables $op INPUT -i ppp+ -m udp -p udp --dport 53 -j ACCEPT
sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT sudo iptables $op INPUT -i ppp+ -m tcp -p tcp --dport 53 -j ACCEPT
sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $local_ip sudo iptables -t nat $op PREROUTING -i ppp+ -p tcp -m tcp --dport 53 -j DNAT --to-destination $local_ip
sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $local_ip sudo iptables -t nat $op PREROUTING -i ppp+ -p udp -m udp --dport 53 -j DNAT --to-destination $local_ip
if grep "vpcrouter" /var/cache/cloud/cmdline &> /dev/null if $is_vpc
then then
return return
fi fi