apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

CLOUDSTACK-5494: Fixed dns is open to public in VR

Browse Source 
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This commit is contained in:
Jayapal 2015-01-27 16:33:03 +05:30 committed by Rohit Yadav
parent 671248b3e1
commit 81994cf443
3 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
systemvm/patches/debian/config/etc/init.d/cloud-early-config
View File

@ -987,6 +987,12 @@ setup_router() {
cp /etc/iptables/iptables-router /etc/iptables/rules cp /etc/iptables/iptables-router /etc/iptables/rules
setup_sshd $ETH1_IP "eth1" setup_sshd $ETH1_IP "eth1"
load_modules load_modules
#Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
} }

29
systemvm/patches/debian/config/opt/cloud/bin/createIpAlias.sh
View File

@ -60,6 +60,7 @@ setup_apache2() {
var="$1" var="$1"
cert="/root/.ssh/id_rsa.cloud" cert="/root/.ssh/id_rsa.cloud"
config_ips="" config_ips=""
setDnsRules=0
while [ -n "$var" ] while [ -n "$var" ]
do do
@ -71,6 +72,7 @@ do
setup_apache2 "$routerip" setup_apache2 "$routerip"
config_ips="${config_ips}"$routerip":" config_ips="${config_ips}"$routerip":"
var=$( echo $var | sed "s/${var1}-//" ) var=$( echo $var | sed "s/${var1}-//" )
setDnsRules=1
done done
#restarting the apache server for the config to take effect. #restarting the apache server for the config to take effect.
@ -95,6 +97,33 @@ then
unlock_exit $result $lock $locked unlock_exit $result $lock $locked
fi fi
if [ "$setDnsRules" -eq 1 ]
then
//check wether chain exist
iptables-save -t filter | grep 'dnsIpAlias_allow'
if [ $? -eq 0 ]
then
iptables -F dnsIpAlias_allow
else
//if not exist create it
iptables -N dnsIpAlias_allow
iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
fi
for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
do
iptables -A dnsIpAlias_allow -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
iptables -A dnsIpAlias_allow -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
done
else
iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
iptables -X dnsIpAlias_allow
fi
#restaring the password service to enable it on the ip aliases #restaring the password service to enable it on the ip aliases
/etc/init.d/cloud-passwd-srvr restart /etc/init.d/cloud-passwd-srvr restart
unlock_exit $? $lock $locked unlock_exit $? $lock $locked

2
systemvm/patches/debian/config/opt/cloud/bin/deleteIpAlias.sh
View File

@ -55,6 +55,8 @@ service apache2 restart
releaseLockFile $lock $locked releaseLockFile $lock $locked
iptables -F dnsIpAlias_allow
#recreating the active ip aliases #recreating the active ip aliases
/opt/cloud/bin/createIpAlias.sh $2 /opt/cloud/bin/createIpAlias.sh $2
unlock_exit $? $lock $locked unlock_exit $? $lock $locked