1

How do I make instance firewall rules less restrictive for a transparent proxy?

asked 2014-02-20 17:41:11 -0500 by pat, updated 2014-02-20 17:53:40 -0500

My OpenStack setup:

  • havana release on ubuntu 13.10
  • neutron for networking with linux bridge plugin and iptables firewall driver
    • core_plugin = neutron.plugins.linuxbridge.lb_neutron_plugin.LinuxBridgePluginV2
    • firewall_driver = neutron.agent.linux.iptables_firewall.IptablesFirewallDriver

I wish to allow any source ip address or a specified ip list to be allowed from the instance itself. The reason is my instance is running a transparent proxy. Traffic originating from the instance itself will appear to be coming from the server ip of the originating connection. For example:

  • client 10.10.10.10 attempts to connect to server 12.12.12.12 on port 80
  • the above connection is redirected to a proxy instance
  • the proxy will attempt to complete the tcp handshake by impersonating the server ip address (12.12.12.12)
  • the return traffic from the proxy instance will have the:
    • source ip set to 12.12.12.12 and source port set to 80
    • destination ip set to 10.10.10.10 and destination port equal to ephemeral port used by client

For each proxy instance started the following firewall rules are added on the compute server (I believe these are referred to as the anti-spoof firewall rules):

% iptables -t filter -nvL neutron-linuxbri-s0e7bd998-e
Chain neutron-linuxbri-s0e7bd998-e (1 references)
pkts bytes target     prot opt in     out     source               destination         
7398  745K RETURN     all  --  *      *       10.210.0.1           0.0.0.0/0            MAC FA:16:3E:2F:9F:D0
429 25740 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

The above rules are currently blocking my transparent return traffic to the originating client. If I manually add a rule here to allow traffic to my client (destination) ip of 10.10.10.10 then the traffic will be allowed to pass.

Security groups do not seem to allow me to control the allowed outbound traffic from the instance.

How can I allow the transparent outbound traffic using this setup?

thanks for the help.


Comments

Anyone have an answer to this? We are facing same issue.

Gopal ( 2014-04-01 05:34:07 -0500 )

2 answers

1

answered 2014-04-01 13:13:15 -0500

darragh-oreilly

Have a look at the allowed address pairs extension. Eg to let 10.0.0.10 out:

neutron port-update $PORT_ID --allowed_address_pairs type=dict list=true ip_address=10.0.0.10

other mac addresses can be specified and I think CIDRs too.

Another way is to subclass IptablesFirewallDriver and override one or two methods so the antispoof rules won't be applied.


Comments

How to disable the anti-ip-spoofing in devstack?

SGPJ ( 2014-04-01 18:04:58 -0500 )

I think there was a blueprint to selectively disable them, but I don't think it landed in Icehouse. So I think they are still hardcoded.

darragh-oreilly ( 2014-04-02 03:38:21 -0500 )

Is '--allowed_address_pairs' an Icehouse option? As it doesn't work with the neutron I have from the havana release.

pat ( 2014-04-02 11:00:57 -0500 )

It is, but it seems the extension was not added to the linuxbridge plugin. You should look into using the ML2 plugin which will work with the linuxbridge-agent - this would be better for you in the long run too. https://review.openstack.org/#/c/3823...

darragh-oreilly ( 2014-04-02 11:31:35 -0500 )

Thanks for the info. I'm currently using the noop firewall driver to get around the issue in havana. When I get a chance to revisit this I'll try this out.

pat ( 2014-04-02 11:37:25 -0500 )
0

answered 2014-04-01 05:29:54 -0500

Gaganjot Singh

Try changing the firewall_driver to NoopFirewallDriver instead of ipTableFirewallDriver


Comments

Already tried that. Doesn't work. Changing nova.conf after nova is already running doesn't seem to have any effect. Tried to restart n-api and q-svc services after editing nova.conf. Still doesn't work. ./unstack and ./stack will just regenerate the same IptableFirewallDriver rule.

Gopal ( 2014-04-02 10:29:52 -0500 )

I am currently using the noop firewall driver to get around the issue until I have time to come back and revisit this and find a more secure solution.

pat ( 2014-04-02 11:03:46 -0500 )

If you are looking to change ebtables, try setting share_dhcp_address= False in the nova.conf file.

Gaganjot Singh ( 2014-04-03 00:06:06 -0500 )

Stats: 1 follower; asked 2014-02-20 17:41:11 -0500; seen 1,387 times; last updated Apr 01 '14