Review #711
closedAllow to connect to services hosted on Orthos while being at Conde
Description
allow_input_connections_from_hypervisor
branch from duckcorp-infra
repository.
Allow input connections from the hypervisor
While being at Conde, without this patch, I am not able to reach sup.duckcorp.org
. Indeed the following packet is dropped:
On the hypervisor:
IP 192.168.100.1.33874 > 192.168.100.2.443: Flags [S]
where:
192.168.100.1: IP of the hypervisor on the bridge used with libvirt 192.168.100.2: Orthos
This patch has been applied already.
Updated by Pierre-Louis Bonicoli over 4 years ago
- Status changed from New to In Progress
Updated by Pierre-Louis Bonicoli over 4 years ago
- Description updated (diff)
- Status changed from In Progress to Rejected
Updated by Pierre-Louis Bonicoli over 4 years ago
- Status changed from Rejected to In Progress
Updated by Marc Dequènes over 4 years ago
- Assignee changed from Marc Dequènes to Pierre-Louis Bonicoli
The iptables call is fine; indeed RFC1918 are not expected on the WAN interface but Orthos is not directly connected to the Internet.
I just don't understand the check of interfaces count, what is it supposed to prevent?
Updated by Pierre-Louis Bonicoli over 4 years ago
Marc Dequènes wrote:
I just don't understand the check of interfaces count, what is it supposed to prevent?
The goal is to detect configuration inconsistency, for example if this template were to be reused.
I updated this check:
diff --git a/ansible/roles/dc-base/templates/fw/Orthos b/ansible/roles/dc-base/templates/fw/Orthos index fecc03f..8327e25 100644 --- a/ansible/roles/dc-base/templates/fw/Orthos +++ b/ansible/roles/dc-base/templates/fw/Orthos @@ -19,7 +19,7 @@ ban_bad_people_hook() fi /sbin/iptables -t filter -A INPUT -j bogons {# raise an error when network interfaces differ from (lo, default interface) #} - {%- if ansible_interfaces|length != 2 %} + {%- if ansible_interfaces|length != 2 or ([ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public')) %} {{ undefined|mandatory('unexpected network interfaces: ' ~ ansible_interfaces) -}} {% endif -%} /sbin/iptables -t filter -I bogons -s {{ ansible_default_ipv4.gateway }} -d {{ ansible_default_ipv4.address }} -j RETURN
Updated by Pierre-Louis Bonicoli over 4 years ago
- Assignee changed from Pierre-Louis Bonicoli to Marc Dequènes
Updated by Marc Dequènes over 4 years ago
- Assignee changed from Marc Dequènes to Pierre-Louis Bonicoli
This check has absolutely nothing to do with the original PR. Moreover these templates are specific parameters and functions to customize srv_firewalling already so it is never gonna be reused. Also we setup the interfaces via Ansible so this should never happen. Here this check requires syncing configuration in two places, this one being not obvious at all, thus I believe this is not a good approach.
I would suggest a more descriptive approach of the network config if we want to improve. For example I made changes to handle ppp interfaces in a generic way for Elwing (see host_vars/Elwing/net.yml). In this case we could simply bring bogons support into srv_firewalling (no idea why it's duplicated since it's used on all machines) (outside of the hook to still be able to add host-specific config, maybe with a net.filter_bogons flag) and add a flag net.wan_natted which would trigger this behavior. Anyway, this is for a separate PR.
Updated by Pierre-Louis Bonicoli over 4 years ago
- Status changed from In Progress to Rejected
- Assignee deleted (
Pierre-Louis Bonicoli)
Updated by Pierre-Louis Bonicoli over 4 years ago
- Status changed from Rejected to In Progress
- Assignee set to Marc Dequènes
Updated: Following our exchanges on IRC, I removed the first check (about the number of interfaces) and kept only the check about private ranges.
diff --git a/ansible/roles/dc-base/templates/fw/Orthos b/ansible/roles/dc-base/templates/fw/Orthos index 8327e25..33c9853 100644 --- a/ansible/roles/dc-base/templates/fw/Orthos +++ b/ansible/roles/dc-base/templates/fw/Orthos @@ -18,9 +18,9 @@ ban_bad_people_hook() sh /var/lib/adm/bogons-iptables.sh fi /sbin/iptables -t filter -A INPUT -j bogons - {# raise an error when network interfaces differ from (lo, default interface) #} - {%- if ansible_interfaces|length != 2 or ([ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public')) %} - {{ undefined|mandatory('unexpected network interfaces: ' ~ ansible_interfaces) -}} + {# raise an error when the IPv4 of the default network interface isn't private #} + {%- if [ansible_default_ipv4.gateway, ansible_default_ipv4.address] | ipaddr('public') %} + {{ undefined|mandatory('unexpected network setup: ' ~ ansible_default_ipv4.alias) -}} {% endif -%} /sbin/iptables -t filter -I bogons -s {{ ansible_default_ipv4.gateway }} -d {{ ansible_default_ipv4.address }} -j RETURN }
Updated by Marc Dequènes about 4 years ago
- Status changed from In Progress to Resolved