Enable firewall on each deployed VM
I think for the studio it's not a problem to set this flag, because during the last meeting in L'Aquila (UDA, Tirasa and UDA) we planned to ask for this kind of information during the synthesis phase.
For iptables, I propose the following. Authorize only some input ports, such as:
- HTTP (80)
- HTTPS (443)
- SSH (22) (for configuration, if needed)
Authorize only some output ports, such as:
- HTTP (80)
- HTTPS (443)
- DNS (53) (if necessary)
- NTP (123) (for time synchronization)
HTTP or HTTPS must be enabled depending on the choreography specification.
To install iptables: sudo apt-get install iptables
To create the configuration file, create /etc/init.d/firewall with the following content:
#!/bin/bash
echo Setting firewall rules...
# basic dedibox config
###### Initialisation
# Prohibit any incoming connection
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
# Ban all outgoing connections
iptables -t filter -P OUTPUT DROP
# Empty current tables
iptables -t filter -F
iptables -t filter -X
# Allow SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# Do not break the established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
###### End initialisation
###### Rules
# allow DNS, HTTP/HTTPS, NTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# allow loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# allow ping
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# allow http/https
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
###### End rules
To apply the configuration:
sudo chmod +x /etc/init.d/firewall
sudo /etc/init.d/firewall
sudo update-rc.d firewall defaults
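To check that a deployed VM really ends up with the policy above (for instance from `iptables-save` output collected after boot), here is an added audit script that is not part of this issue's proposal: it flags any filter chain whose default policy is not DROP and any ACCEPT rule that opens a destination port outside the lists above. The allow lists mirror the port lists in this issue, and the two sample dumps are constructed for the example.

```shell
#!/bin/sh
# Audit an iptables-save dump against the port policy proposed in this issue.
# check_ruleset "<dump text>": returns 0 if compliant, 1 (with a message) if not.
ALLOWED_IN_TCP="22 80 443"
ALLOWED_OUT_TCP="80 443 53"
ALLOWED_OUT_UDP="53 123"

in_list() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

check_ruleset() {
  dump="$1"; rc=0
  # 1. All three filter chains must default to DROP.
  for chain in INPUT FORWARD OUTPUT; do
    printf '%s\n' "$dump" | grep -q "^:$chain DROP" \
      || { echo "policy of $chain is not DROP"; rc=1; }
  done
  # 2. Every ACCEPT rule that opens a destination port must be on the allow list.
  while read -r line; do
    case "$line" in *--dport*ACCEPT*) ;; *) continue ;; esac
    chain=$(printf '%s\n' "$line" | sed -n 's/^-A \([A-Z]*\) .*/\1/p')
    proto=$(printf '%s\n' "$line" | sed -n 's/.*-p \([a-z]*\) .*/\1/p')
    port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9]*\) .*/\1/p')
    case "$chain/$proto" in
      INPUT/tcp)  in_list "$port" "$ALLOWED_IN_TCP" ;;
      OUTPUT/tcp) in_list "$port" "$ALLOWED_OUT_TCP" ;;
      OUTPUT/udp) in_list "$port" "$ALLOWED_OUT_UDP" ;;
      *) false ;;
    esac || { echo "unexpected open port: $line"; rc=1; }
  done <<EOF
$dump
EOF
  return $rc
}

# Constructed sample dumps (not captured from a real VM), in iptables-save format.
GOOD_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
COMMIT'
# Same ruleset, but INPUT defaults to ACCEPT and 8080 is exposed instead of 443.
BAD_DUMP=$(printf '%s\n' "$GOOD_DUMP" | sed -e 's/^:INPUT DROP/:INPUT ACCEPT/' -e 's/--dport 443/--dport 8080/')

check_ruleset "$GOOD_DUMP" && echo "ruleset matches the policy"
```

On a real VM, run `sudo iptables-save > dump.txt` and call `check_ruleset "$(cat dump.txt)"`; a non-zero exit means the firewall script did not take effect as intended.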