Don't masquerade traffic inbound from the internet
Our MASQUERADE rule was too general. Limit it to internally-sourced traffic.
This commit is contained in:
parent
7638e20292
commit
d6b9d5ee02
|
@ -276,13 +276,6 @@ class IPTablesManager(base.Manager):
|
||||||
), ip_version=4
|
), ip_version=4
|
||||||
))
|
))
|
||||||
|
|
||||||
# Add a masquerade catch-all for VMs without floating IPs
|
|
||||||
mgt_if = self.get_management_network(config).interface
|
|
||||||
rules.append(Rule(
|
|
||||||
'-A POSTROUTING ! -o %s -j MASQUERADE' % mgt_if.ifname,
|
|
||||||
ip_version=4
|
|
||||||
))
|
|
||||||
|
|
||||||
return rules
|
return rules
|
||||||
|
|
||||||
def _build_floating_ips(self, config):
|
def _build_floating_ips(self, config):
|
||||||
|
@ -350,6 +343,13 @@ class IPTablesManager(base.Manager):
|
||||||
), ip_version=4)
|
), ip_version=4)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
# Add a masquerade catch-all for VMs without floating IPs
|
||||||
|
mgt_if = self.get_management_network(config).interface
|
||||||
|
rules.append(Rule(
|
||||||
|
'-A PUBLIC_SNAT ! -o %s -j MASQUERADE' % mgt_if.ifname,
|
||||||
|
ip_version=4
|
||||||
|
))
|
||||||
|
|
||||||
return rules
|
return rules
|
||||||
|
|
||||||
def _build_raw_table(self, config):
|
def _build_raw_table(self, config):
|
||||||
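Review bot: The rule appended at `'-A PUBLIC_SNAT ! -o %s -j MASQUERADE'` only limits masquerading to internally-sourced traffic if the jump into PUBLIC_SNAT is itself source-matched; that jump is not in this hunk, and the `! -o <mgt_if>` test on its own still matches any packet that reaches the chain, so the commit's stated guarantee presumably rests on the dispatching rule rather than on this line. The rule also relies on being appended after the per-floating-IP SNAT rules built earlier in _build_floating_ips (the updated fixture places it right after `-s 192.168.0.2 -j SNAT`), so a later reorder of the appends would silently change which source address external peers see for instances that do have a floating IP. A comment above the append stating both constraints would make this explicit, e.g. `# Keep last in PUBLIC_SNAT: per-IP SNAT rules above must win, and the jump into this chain is what restricts it to internal sources`. _build_floating_ips starts outside the hunk.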
|
|
|
@ -77,6 +77,7 @@ V4_OUTPUT = [
|
||||||
':PUBLIC_SNAT - [0:0]',
|
':PUBLIC_SNAT - [0:0]',
|
||||||
'-A PUBLIC_SNAT -m mark --mark 0xACDA -j RETURN',
|
'-A PUBLIC_SNAT -m mark --mark 0xACDA -j RETURN',
|
||||||
'-A PUBLIC_SNAT -s 192.168.0.2 -j SNAT --to 172.16.77.50',
|
'-A PUBLIC_SNAT -s 192.168.0.2 -j SNAT --to 172.16.77.50',
|
||||||
|
'-A PUBLIC_SNAT ! -o eth0 -j MASQUERADE',
|
||||||
':PREROUTING ACCEPT [0:0]',
|
':PREROUTING ACCEPT [0:0]',
|
||||||
':INPUT ACCEPT [0:0]',
|
':INPUT ACCEPT [0:0]',
|
||||||
':OUTPUT ACCEPT [0:0]',
|
':OUTPUT ACCEPT [0:0]',
|
||||||
|
@ -85,7 +86,6 @@ V4_OUTPUT = [
|
||||||
'-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
|
'-A PREROUTING -i eth1 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
|
||||||
'-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
|
'-A PREROUTING -i eth2 -d 172.16.77.50 -j DNAT --to-destination 192.168.0.2', # noqa
|
||||||
'-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602', # noqa
|
'-A PREROUTING -i eth2 -d 169.254.169.254 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.1:9602', # noqa
|
||||||
'-A POSTROUTING ! -o eth0 -j MASQUERADE',
|
|
||||||
'COMMIT',
|
'COMMIT',
|
||||||
'*raw',
|
'*raw',
|
||||||
':INPUT - [0:0]',
|
':INPUT - [0:0]',
|
||||||
|
|