Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.1
    • Fix Version/s: 3.4.1
    • Component/s: Node Controller
    • Labels:
      None
    • Environment:

      HA and non-HA

    • Benefit:
      High
    • Security:
      Yes
    • Hypervisor:
      KVM
    • Network mode:
      Managed, Managed-NOVLAN, Static, System
    • Operating System:
      CentOS 6
    • SLA:
      Standard
    • Flagged:
      Customer Affecting

      Description

      If we enable the default firewall on the NCs running CentOS / RHEL 6.x, the following is what we get:

      # Generated by iptables-save v1.4.7 on Wed Mar  6 21:19:36 2013
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [294733:108329028]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
      -A INPUT -p icmp -j ACCEPT 
      -A INPUT -i lo -j ACCEPT 
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
      -A INPUT -j REJECT --reject-with icmp-host-prohibited 
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
      COMMIT
      # Completed on Wed Mar  6 21:19:36 2013
      

      In our installation guide for opening up ports on the machines running the Eucalyptus NC, specified here:

      http://www.eucalyptus.com/docs/3.2/ig/preparing_firewalls.html#preparing_firewalls

      This mentions that the NC listens on port 8775, so the user would open access for port 8775 and hence add the rule

      -A INPUT -p tcp -m state --state NEW -m tcp --dport 8775 -j ACCEPT 
      

      But this does not solve his problem, because even though the NC can communicate with the CC and download files from Walrus to start a new instance, the instance cannot get its IP from the CC's DHCP server, access the meta-data or internet IPs, and is not accessible from the CC, the CLC, or outside the cloud.

      We do not currently do a good job of telling our users what needs to be done on the NC, with the default firewall switched ON, to make everything work with Eucalyptus.

      There is a link to the installation guide below, that talks about configuring firewall on the hosts running Eucalyptus:

      http://www.eucalyptus.com/docs/3.2/ig/configure_firewall.html#configure_firewall

      Let me be very frank here: the above link and the related text are really nowhere close to being helpful for a cloud administrator.

      If you have existing firewall rules on your hosts, you must allow Eucalyptus access. If you do not have a firewall enabled, you may skip this step.
      

      We found out that the following rules are required in the FORWARD chain to allow instance traffic to go through the NC:

      -A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
      -A FORWARD -s 192.168.0.0/16 -j ACCEPT 
      -A FORWARD -d 192.168.0.0/16 -j ACCEPT 
      

      The above should come before the REJECT rule. Also, 192.168.0.0/16 is the VNET_SUBNET/VNET_NETMASK specified in eucalyptus.conf of the CC; it will change from environment to environment.

      So in the end the iptables configuration looks like:

      # Generated by iptables-save v1.4.7 on Wed Mar  6 21:19:36 2013
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [294733:108329028]
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
      -A INPUT -p icmp -j ACCEPT 
      -A INPUT -i lo -j ACCEPT 
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
      -A INPUT -p tcp -m state --state NEW -m tcp --dport 8775 -j ACCEPT 
      -A INPUT -j REJECT --reject-with icmp-host-prohibited 
      -A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT 
      -A FORWARD -s 192.168.0.0/16 -j ACCEPT 
      -A FORWARD -d 192.168.0.0/16 -j ACCEPT 
      -A FORWARD -j REJECT --reject-with icmp-host-prohibited 
      COMMIT
      # Completed on Wed Mar  6 21:19:36 2013
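      As an added check, not part of the original report or of Eucalyptus itself, the following Python script derives the instance network from a CC's VNET_SUBNET/VNET_NETMASK and audits an iptables-save dump for the INPUT and FORWARD rules discussed above. It flags a required ACCEPT that is missing, and also one that is present but placed after the chain's REJECT (where it would never match). The eucalyptus.conf excerpt and both dumps are constructed samples; the function names are my own.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of a CC's eucalyptus.conf (hypothetical values that
# match the 192.168.0.0/16 example in the report).
EUCALYPTUS_CONF = '''
VNET_MODE="MANAGED-NOVLAN"
VNET_SUBNET="192.168.0.0"
VNET_NETMASK="255.255.0.0"
'''

# Constructed dump: the CentOS 6 default policy with only port 8775 opened.
DUMP_PORT_ONLY = '''
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8775 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
'''

# Constructed dump with the FORWARD rules inserted ahead of the REJECT.
DUMP_FIXED = DUMP_PORT_ONLY.replace(
    "-A FORWARD -j REJECT",
    "-A FORWARD -p udp -m udp --sport 68 --dport 67 -j ACCEPT\n"
    "-A FORWARD -s 192.168.0.0/16 -j ACCEPT\n"
    "-A FORWARD -d 192.168.0.0/16 -j ACCEPT\n"
    "-A FORWARD -j REJECT",
)


def vnet_cidr(conf_text):
    """Combine VNET_SUBNET and VNET_NETMASK into CIDR notation."""
    values = {}
    for line in conf_text.splitlines():
        m = re.match(r'\s*(VNET_SUBNET|VNET_NETMASK)\s*=\s*"?([^"\s]+)"?', line)
        if m:
            values[m.group(1)] = m.group(2)
    net = IPv4Network(f"{values['VNET_SUBNET']}/{values['VNET_NETMASK']}", strict=True)
    return str(net)


def parse_chain(dump, chain):
    """Return the rules appended to `chain`, in order, without the '-A CHAIN ' prefix."""
    prefix = f"-A {chain} "
    return [line.strip()[len(prefix):].strip()
            for line in dump.splitlines() if line.strip().startswith(prefix)]


def _index_of(rules, pattern):
    for i, rule in enumerate(rules):
        if re.search(pattern, rule):
            return i
    return None


def audit_nc_firewall(dump, cidr):
    """Return a list of problems; an empty list means every required rule is
    present and sits before the first REJECT/DROP in its chain."""
    required = {
        "INPUT": [("NC API port 8775", r"--dport 8775\b.*-j ACCEPT")],
        "FORWARD": [
            ("DHCP client->server (udp 68->67)",
             r"-p udp\b.*--sport 68\b.*--dport 67\b.*-j ACCEPT"),
            ("traffic from the VNET subnet", rf"-s {re.escape(cidr)}\b.*-j ACCEPT"),
            ("traffic to the VNET subnet", rf"-d {re.escape(cidr)}\b.*-j ACCEPT"),
        ],
    }
    problems = []
    for chain, needs in required.items():
        rules = parse_chain(dump, chain)
        cutoff = _index_of(rules, r"-j (REJECT|DROP)\b")
        if cutoff is None:
            cutoff = len(rules)  # no terminating rule, ordering does not matter
        for label, pattern in needs:
            pos = _index_of(rules, pattern)
            if pos is None:
                problems.append(f"{chain}: missing ACCEPT for {label}")
            elif pos > cutoff:
                problems.append(f"{chain}: ACCEPT for {label} is shadowed by the "
                                f"REJECT at position {cutoff}")
    return problems


if __name__ == "__main__":
    cidr = vnet_cidr(EUCALYPTUS_CONF)
    for name, dump in (("port-only", DUMP_PORT_ONLY), ("fixed", DUMP_FIXED)):
        print(name, audit_nc_firewall(dump, cidr) or "OK")
```

      On a real NC you would feed it the output of iptables-save and the CC's eucalyptus.conf; the ordering check matters because iptables evaluates rules top to bottom, so an ACCEPT appended after the distribution's REJECT is dead.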
      

      Hope this is helpful for everyone and our documentation team specifically as well as the security team for the documentation on Security hardening.

      People

    • Assignee: Unassigned
    • Reporter: hspencer Harold Spencer Jr.
    • Support Contact: Deependra Shekhawat (Inactive)
    • Developer: Chuck (Inactive)