CLOUDSTACK-5494: Fixed dns is open to public in VR

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
2025-10-26 08:42:29 +01:00 · 2015-01-27 16:33:03 +05:30 · 2015-01-27 16:33:03 +05:30 · 81994cf443
commit 81994cf443
parent 671248b3e1
3 changed files with 37 additions and 0 deletions
--- a/systemvm/patches/debian/config/etc/init.d/cloud-early-config
+++ b/systemvm/patches/debian/config/etc/init.d/cloud-early-config
@ -987,6 +987,12 @@ setup_router() {
  cp /etc/iptables/iptables-router /etc/iptables/rules
  setup_sshd $ETH1_IP "eth1"
  load_modules
+
+  #Only allow DNS service for current network
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
+  sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
 }


--- a/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
@ -60,6 +60,7 @@ setup_apache2() {
 var="$1"
 cert="/root/.ssh/id_rsa.cloud"
 config_ips=""
+setDnsRules=0

 while [ -n "$var" ]
 do
@ -71,6 +72,7 @@ do
 setup_apache2 "$routerip"
 config_ips="${config_ips}"$routerip":"
 var=$( echo $var | sed "s/${var1}-//" )
+ setDnsRules=1
 done

 #restarting the apache server for the config to take effect.
@ -95,6 +97,33 @@ then
   unlock_exit $result $lock $locked
 fi

+if [ "$setDnsRules" -eq 1 ]
+then
+    //check wether chain exist
+    iptables-save -t filter | grep 'dnsIpAlias_allow'
+
+    if [ $? -eq  0 ]
+    then
+      iptables -F dnsIpAlias_allow
+    else
+        //if not exist create it
+        iptables -N dnsIpAlias_allow
+        iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
+        iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
+    fi
+
+    for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
+    do
+        iptables -A dnsIpAlias_allow  -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
+        iptables -A dnsIpAlias_allow  -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
+    done
+else
+        iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
+        iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
+        iptables -X dnsIpAlias_allow
+fi
+
+
 #restaring the password service to enable it on the ip aliases
 /etc/init.d/cloud-passwd-srvr restart
 unlock_exit $? $lock $locked
--- a/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
+++ b/systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
@ -55,6 +55,8 @@ service apache2 restart

 releaseLockFile $lock $locked

+iptables -F dnsIpAlias_allow
+
 #recreating the active ip aliases
 /opt/cloud/bin/createIpAlias.sh $2
 unlock_exit $? $lock $locked