blob: e098d47cece7b03066dbd2156f6738c839f41d4c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
Date: Tue, 12 Jul 2016 16:12:25 +0200
Subject: [PATCH] post-scripts: Allow SSH on non-admin ifaces.
By default, Fuel 9.0 configures iptables to only accept SSH connections
on admin interface.
If more than the admin interface is configured (e.g. by transplant script
or manually in fuel menu), whitelist SSH connections on all ifaces.
Signed-off-by: Alexandru Avadanii <Alexandru.Avadanii@enea.com>
---
.../post-scripts/10_accept_ssh_all_ifaces.sh | 25 ++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100755 build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
diff --git a/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
new file mode 100755
index 0000000..b551516
--- /dev/null
+++ b/build/f_isoroot/f_bootstrap/post-scripts/10_accept_ssh_all_ifaces.sh
@@ -0,0 +1,25 @@
+#/bin/sh
+##############################################################################
+# Copyright (c) 2016 Enea AB and others.
+# Alexandru.Avadanii@enea.com
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+##############################################################################
+
+# Only mess with iptables if we have additional interfaces configured
+if grep -q "DEFROUTE=no" "/etc/sysconfig/network-scripts/ifcfg-eth0"; then
+ echo "iptables: Allow SSH connections on all interfaces"
+ # By default, Fuel 9.0 configures iptables to only accept SSH connections
+ # on admin interface. Whitelist SSH connections on all ifaces.
+ while [ $? -eq 0 ]; do
+ # First, try removing the rule we want to add to prevent duplicates
+ iptables -D INPUT -p tcp --dport ssh -j ACCEPT > /dev/null 2>&1;
+ done
+ iptables -A INPUT -p tcp --dport ssh -j ACCEPT
+ service iptables save
+ echo "iptables: Done configuring SSH"
+else
+ echo "iptables: Skipping configuring SSH for non-admin ifaces"
+fi
|