https://issues.apache.org/jira/browse/CLOUDSTACK-5494
Also need to take care of changes in subnets too.

-abhi

On 23/06/14 4:01 pm, "Nux!" <n...@li.nux.ro> wrote:

>Hi,
>
>Today I've been bitten again by the $subject and complaints were sent to my hoster's abuse email address; apparently someone used my VR in a DDOS attack.
>It is my fault as I knew about this issue, but I'd like to throw the blame on Cloudstack. :)
>
>So, the VR is accepting DNS requests from everybody on the interwebs and this should be changed, imho.
>
>I see there are already iptables rules concerning port 8080 of the VR and only the public IP ranges are allowed. Why isn't this the case for port 53 as well?
>
>I have placed this script in my VR's rc.local, but it's not kosher at all.
>
># disallows global DNS traffic and only allows it from the cloud public subnets
>for i in `iptables-save | grep 8080 | awk '{print $4}'`; do
>    iptables -I INPUT -s $i -p tcp -m tcp --dport 53 -j ACCEPT
>    iptables -I INPUT -s $i -p udp -m udp --dport 53 -j ACCEPT
>done
>iptables -D INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
>iptables -D INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
>
>This could be greatly improved and added in the official tree.
>Currently I'm getting the subnets by checking which IPs the 8080 rules apply, how can I retrieve this information in a more elegant way?
>
>Lucian
>
>--
>Sent from the Delta quadrant using Borg technology!
>
>Nux!
>www.nux.ro
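The thread's script stacks new ACCEPT rules into INPUT every time rc.local runs and has no answer for Abhi's point about subnet changes. The script below is an added example, not code from the thread's author or from the CloudStack project. It takes the same starting point (the source subnets of the existing port-8080 rules, read from `iptables-save` output) but generates a dedicated chain in `iptables-restore` format, so a re-run after a subnet change replaces the whole DNS rule set instead of accumulating rules, and an explicit DROP closes the resolver to everyone else. The interface name, the chain name VR_DNS and the sample `iptables-save` text are assumptions constructed for the example; nothing here calls `iptables` itself, it only prints the fragment and the hook commands for review.

```shell
#!/bin/sh
# Added example, not code from the thread's author or from CloudStack.
# Goal: restrict the VR's DNS service (port 53, tcp and udp) to a list of
# allowed subnets in a way that can be re-run whenever the subnets change.
# Assumptions (hypothetical): the allowed subnets are the sources of the
# existing port-8080 ACCEPT rules, as in the thread's script, and the
# public interface name is supplied by the caller. Nothing below calls
# iptables; it prints an iptables-restore fragment plus the commands that
# would hook it into INPUT, so the result can be reviewed before loading.

# Constructed sample of `iptables-save` output standing in for the real VR.
SAMPLE_SAVE='*filter
:INPUT DROP [0:0]
-A INPUT -s 203.0.113.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -i eth0 -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT'

# Print the source subnet of every port-8080 rule, one per line, without
# duplicates. Takes the token after "-s" instead of a fixed column, so it
# still works if the options inside a rule are reordered.
extract_subnets() {
    printf '%s\n' "$1" \
        | awk '/--dport 8080/ { for (i = 1; i < NF; i++) if ($i == "-s") print $(i + 1) }' \
        | LC_ALL=C sort -u
}

# Print an iptables-restore fragment defining a dedicated VR_DNS chain.
# With `iptables-restore --noflush`, the ":VR_DNS - [0:0]" line creates the
# chain on first use and flushes it on later runs, so a subnet change is
# handled by regenerating and reloading this fragment rather than by
# stacking more rules. Arguments: the allowed subnets.
build_dns_rules() {
    printf '%s\n' '*filter' ':VR_DNS - [0:0]'
    for net in "$@"; do
        printf '%s\n' "-A VR_DNS -s $net -p udp -m udp --dport 53 -j ACCEPT"
        printf '%s\n' "-A VR_DNS -s $net -p tcp -m tcp --dport 53 -j ACCEPT"
    done
    # Anything not matched above is refused; the explicit DROP makes the
    # outcome independent of INPUT's default policy.
    printf '%s\n' '-A VR_DNS -p udp -m udp --dport 53 -j DROP'
    printf '%s\n' '-A VR_DNS -p tcp -m tcp --dport 53 -j DROP'
    printf '%s\n' 'COMMIT'
}

# Print the one-time commands that send port-53 traffic arriving on the
# given interface into VR_DNS. `iptables -C` makes the insert idempotent,
# so running this again after a reload does not duplicate the jump.
# Argument: interface name (the VR's public-facing interface).
jump_commands() {
    iface=$1
    for proto in udp tcp; do
        rule="INPUT -i $iface -p $proto --dport 53 -j VR_DNS"
        printf '%s\n' "iptables -C $rule 2>/dev/null || iptables -I $rule"
    done
}

# Stand-alone demonstration on the constructed sample; "eth0" is taken
# from the thread's rules and is only a placeholder here.
main() {
    subnets=$(extract_subnets "$SAMPLE_SAVE")
    [ -n "$subnets" ] || echo 'warning: no subnets found; VR_DNS would drop all DNS' >&2
    # Word-splitting the newline-separated list into arguments is intended.
    build_dns_rules $subnets
    jump_commands eth0
}

main
```

Loading the printed fragment with `iptables-restore --noflush` leaves the rest of INPUT untouched, which matters on a VR whose other rules are managed by CloudStack; only the two jump lines are inserted into INPUT, and only once. A cron job or a hook that re-runs the script when the public ranges change is enough to keep the allowed list current.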