CLOUDSTACK-5494: Fixed dns is open to public in VR

Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
(cherry picked from commit 81994cf443ca64aead822ed1b3cf1c22d10bd9fe)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>
This commit is contained in:
Jayapal 2015-01-27 16:33:03 +05:30 committed by Rohit Yadav
parent 06437dadf5
commit 8414223a96
3 changed files with 37 additions and 0 deletions


@ -987,6 +987,12 @@ setup_router() {
cp /etc/iptables/iptables-router /etc/iptables/rules
setup_sshd $ETH1_IP "eth1"
load_modules
#Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4
sed -i "s/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p tcp -m tcp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules
}
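Review bot: The four `sed` substitutions interpolate `$DHCP_RANGE` and `$CIDR_SIZE` unguarded, so if either is empty the rewritten rule becomes `-s / -j ACCEPT`, which iptables-restore rejects and the whole ruleset fails to load, while a template line that does not match the pattern byte-for-byte leaves the substitution a silent no-op and port 53 open as before. Check both variables first and fail closed by deleting the unrestricted rule when they are missing (assuming a VR without a guest range has no reason to answer DNS — confirm against the callers that set DHCP_RANGE), and collapse the four near-identical lines into a loop over protocol and rules file so the pattern is written once. This presumes DHCP_RANGE is an address inside the guest subnet; iptables masks `-s addr/len` against the prefix, so any host address in the subnet yields the same rule. setup_router begins before this hunk.
```shell
#Only allow DNS service for current network
for rules in /etc/iptables/rules.v4 /etc/iptables/rules; do
  for proto in udp tcp; do
    open_rule="-A INPUT -i eth0 -p $proto -m $proto --dport 53 -j ACCEPT"
    if [ -n "$DHCP_RANGE" ] && [ -n "$CIDR_SIZE" ]; then
      sed -i "s#$open_rule#-A INPUT -i eth0 -p $proto -m $proto --dport 53 -s $DHCP_RANGE/$CIDR_SIZE -j ACCEPT#g" "$rules"
    else
      # fail closed: no guest network to scope to, so drop the open rule entirely
      sed -i "\#$open_rule#d" "$rules"
    fi
  done
done
```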


@ -60,6 +60,7 @@ setup_apache2() {
var="$1"
cert="/root/.ssh/id_rsa.cloud"
config_ips=""
setDnsRules=0
while [ -n "$var" ]
do
@ -71,6 +72,7 @@ do
setup_apache2 "$routerip"
config_ips="${config_ips}"$routerip":"
var=$( echo $var | sed "s/${var1}-//" )
setDnsRules=1
done
#restarting the apache server for the config to take effect.
@ -95,6 +97,33 @@ then
unlock_exit $result $lock $locked
fi
if [ "$setDnsRules" -eq 1 ]
then
//check wether chain exist
iptables-save -t filter | grep 'dnsIpAlias_allow'
if [ $? -eq 0 ]
then
iptables -F dnsIpAlias_allow
else
//if not exist create it
iptables -N dnsIpAlias_allow
iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
fi
for cidr in $(ip addr | grep eth0 | grep inet | awk '{print $2}');
do
iptables -A dnsIpAlias_allow -i eth0 -p tcp --dport 53 -s $cidr -j ACCEPT
iptables -A dnsIpAlias_allow -i eth0 -p udp --dport 53 -s $cidr -j ACCEPT
done
else
iptables -D INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
iptables -D INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
iptables -X dnsIpAlias_allow
fi
#restaring the password service to enable it on the ip aliases
/etc/init.d/cloud-passwd-srvr restart
unlock_exit $? $lock $locked
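Review bot: `//check wether chain exist` and `//if not exist create it` are not comments in shell — `//` is executed as a command (it resolves to the root directory, so each run prints `//: Is a directory`); they must start with `#`. The existence test `iptables-save -t filter | grep 'dnsIpAlias_allow'` also echoes every matching rule to stdout and matches any rule that merely references the chain, so use `grep -q` or, more directly, `iptables -nL dnsIpAlias_allow >/dev/null 2>&1`. In the else branch `iptables -X dnsIpAlias_allow` refuses a non-empty chain, so it needs an `iptables -F dnsIpAlias_allow` first rather than relying on the caller in deleteIpAlias.sh having flushed it. One hedged point: the two jump rules are appended with `-A`, so if INPUT ends in a DROP they are never reached — `-I` may be what is intended, confirm against the base ruleset. The surrounding script continues before and after this hunk.
```shell
if [ "$setDnsRules" -eq 1 ]
then
  # check whether the chain exists; -nL exits non-zero when it does not
  if iptables -nL dnsIpAlias_allow >/dev/null 2>&1
  then
    iptables -F dnsIpAlias_allow
  else
    # if not, create it and hook it into INPUT
    iptables -N dnsIpAlias_allow
    iptables -A INPUT -i eth0 -p tcp --dport 53 -j dnsIpAlias_allow
    iptables -A INPUT -i eth0 -p udp --dport 53 -j dnsIpAlias_allow
  fi
  # … unchanged: per-CIDR ACCEPT loop …
else
  # … unchanged: -D of the two INPUT jump rules …
  # -X refuses a non-empty chain; flush before deleting it
  iptables -F dnsIpAlias_allow
  iptables -X dnsIpAlias_allow
fi
```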


@ -55,6 +55,8 @@ service apache2 restart
releaseLockFile $lock $locked
iptables -F dnsIpAlias_allow
#recreating the active ip aliases
/opt/cloud/bin/createIpAlias.sh $2
unlock_exit $? $lock $locked
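Review bot: `iptables -F dnsIpAlias_allow` on the new line runs unconditionally right after `releaseLockFile` on the line above, so it mutates the firewall outside the lock and, when the chain does not exist yet, prints an error whose exit status is silently ignored. Guard it so an absent chain is a no-op, `iptables -nL dnsIpAlias_allow >/dev/null 2>&1 && iptables -F dnsIpAlias_allow`, and quote the argument passed through on the next line, `/opt/cloud/bin/createIpAlias.sh "$2"`. Whether the flush is needed at all depends on createIpAlias.sh flushing the chain itself on its create path — if it does, this line only serves the case where no aliases remain, which deserves a comment saying so. The surrounding script runs past both ends of the hunk.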