[Openstack-security] [Bug 1316271] Re: Network Security: VM hosts can SSH to compute node
David Hill
1316271 at bugs.launchpad.net
Mon May 5 19:23:59 UTC 2014
We could add a default boolean that would be false by default before
pushing this to trunk ... The effect of this patch would be the
following:
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:8775
DROP all -- 0.0.0.0/0 x.x.x.x
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT tcp -- 0.0.0.0/0 x.x.x.x tcp dpt:8775
DROP all -- 0.0.0.0/0 x.x.x.x
Instead of:
Chain nova-network-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 10.30.96.8 tcp dpt:8775
Chain nova-network-INPUT (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
** Tags added: ssh
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316271
Title:
Network Security: VM hosts can SSH to compute node
Status in OpenStack Compute (Nova):
New
Bug description:
Hi guys,
We're still using nova-network and we'll be using it for a while
and we noticed that the VM guests can contact the compute nodes on all
ports ... The one we're the most preoccupied with is SSH. We've
written the following patch in order to isolate the VM guests from the
VM hosts.
--- linux_net.py.orig 2014-05-05 17:25:10.171746968 +0000
+++ linux_net.py 2014-05-05 18:42:54.569209220 +0000
@@ -805,6 +805,24 @@
@utils.synchronized('lock_gateway', external=True)
+def isolate_compute_from_guest(network_ref):
+ if not network_ref:
+ return
+
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-p tcp -d %s --dport 8775 '
+ '-j ACCEPT' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('INPUT',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.ipv4['filter'].add_rule('FORWARD',
+ '-d %s '
+ '-j DROP' % network_ref['dhcp_server'])
+ iptables_manager.apply()
+
def initialize_gateway_device(dev, network_ref):
if not network_ref:
return
@@ -1046,6 +1064,7 @@
try:
_execute('kill', '-HUP', pid, run_as_root=True)
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
return
except Exception as exc: # pylint: disable=W0703
LOG.error(_('Hupping dnsmasq threw %s'), exc)
@@ -1098,6 +1117,7 @@
_add_dnsmasq_accept_rules(dev)
+ isolate_compute_from_guest(network_ref)
@utils.synchronized('radvd_start')
def update_ra(context, dev, network_ref):
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316271/+subscriptions
More information about the Openstack-security
mailing list