From 3e3c11ffcaf6ab736800dfdc777cb0681f58ddf1 Mon Sep 17 00:00:00 2001
From: Wido den Hollander
Date: Mon, 15 Jun 2015 14:15:26 +0200
Subject: [PATCH] CLOUDSTACK-8559: IP Source spoofing should not be allowed

We did not verify if the packets leaving an Instance had the correct source address. Any IP packet not matching the Instance IP(s) will be dropped
---
 scripts/vm/network/security_group.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/vm/network/security_group.py b/scripts/vm/network/security_group.py
index 49e11180833..7279518c43d 100755
--- a/scripts/vm/network/security_group.py
+++ b/scripts/vm/network/security_group.py
@@ -473,6 +473,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
     #don't let vm spoof its ip address
     if vm_ip is not None:
+        execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set ! --set " + vmipsetName + " src -j DROP")
         execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
         execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
         execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)