lakitu: add default firewall rules for anthos-amd64-vsphere

BUG=b/172348269
TEST=presubmit
RELEASE_NOTE=None

Change-Id: I92aa39f078237b3a8756d299e1f8452df7f0e73b
Reviewed-on: https://cos-review.googlesource.com/c/cos/overlays/board-overlays/+/10320
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Varsha Teratipally <teratipally@google.com>
diff --git a/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1-r7.ebuild b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1-r8.ebuild
similarity index 100%
rename from project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1-r7.ebuild
rename to project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1-r8.ebuild
diff --git a/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1.ebuild b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1.ebuild
index 0c97458..a4cb314 100644
--- a/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1.ebuild
+++ b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/chromeos-firewall-init-lakitu-0.0.1.ebuild
@@ -9,6 +9,7 @@
 LICENSE="BSD-Google"
 SLOT="0"
 KEYWORDS="*"
+IUSE="platform_vsphere"
 
 S=${WORKDIR}
 
@@ -21,9 +22,13 @@
 
 src_install() {
 	exeinto /usr/share/cloud
-	doexe "${FILESDIR}"/iptables-setup
-	doexe "${FILESDIR}"/ip6tables-setup
-
+	if use platform_vsphere; then
+		doexe "${FILESDIR}"/vsphere/iptables-setup
+		doexe "${FILESDIR}"/vsphere/ip6tables-setup
+	else
+		doexe "${FILESDIR}"/iptables-setup
+		doexe "${FILESDIR}"/ip6tables-setup
+	fi
 	systemd_dounit "${FILESDIR}"/iptables-setup.service
 	systemd_enable_service basic.target iptables-setup.service
 	systemd_dounit "${FILESDIR}"/ip6tables-setup.service
diff --git a/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/ip6tables-setup b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/ip6tables-setup
new file mode 100644
index 0000000..431a427
--- /dev/null
+++ b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/ip6tables-setup
@@ -0,0 +1,46 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+ip6tables -P INPUT DROP -w
+ip6tables -P FORWARD DROP -w
+ip6tables -P OUTPUT DROP -w
+
+# Accept everything on the loopback
+ip6tables -A INPUT -i lo -j ACCEPT -w
+ip6tables -A OUTPUT -o lo -j ACCEPT -w
+
+# Accept all inbound TCP/UDP/ICMP/SCTP packets
+ip6tables -A INPUT -p tcp -j ACCEPT -w
+ip6tables -A INPUT -p udp -j ACCEPT -w
+ip6tables -A INPUT -p icmpv6 -j ACCEPT -w
+ip6tables -A INPUT -p sctp -j ACCEPT -w
+
+# Accept all forwarded TCP/UDP/ICMP/SCTP packets
+ip6tables -A FORWARD -p tcp -j ACCEPT -w
+ip6tables -A FORWARD -p udp -j ACCEPT -w
+ip6tables -A FORWARD -p icmpv6 -j ACCEPT -w
+ip6tables -A FORWARD -p sctp -j ACCEPT -w
+
+
+ip6tables -A OUTPUT -p icmpv6 -j ACCEPT -w
+
+# Accept return traffic inbound
+ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w
+
+# Accept new and return traffic outbound
+ip6tables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w
+
+# Allow DHCPv6 client inbound
+ip6tables -A INPUT -p udp -m udp --dport 546 -j ACCEPT
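Review bot: The DHCPv6 rule on the last line is the only command in the file without `-w`, so if another process holds the xtables lock during boot it fails immediately instead of waiting like every other rule; make it `ip6tables -A INPUT -p udp -m udp --dport 546 -j ACCEPT -w`. It is also shadowed by the earlier `ip6tables -A INPUT -p udp -j ACCEPT -w`, which already accepts every inbound UDP packet, so either drop it or add a comment saying it is kept deliberately so the DHCPv6 client keeps working if the blanket UDP accept is ever tightened. Because the script sets the DROP policies before adding any ACCEPT rule and has no `set -e`, a rule that fails to load leaves the host fail-closed while the script still exits with the status of its last command; adding `set -e` after the shebang (here and in the sibling vsphere/iptables-setup) would surface that to whatever runs it, presumably the iptables-setup.service unit, which is not in this hunk. Since INPUT and FORWARD accept all TCP, UDP, ICMPv6 and SCTP, the DROP policy only covers other protocols, and a header comment such as `# Host-level filtering is intentionally permissive; per-port restrictions are expected from the surrounding network policy` would spare the next reader from wondering whether the blanket accepts are an oversight.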
diff --git a/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/iptables-setup b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/iptables-setup
new file mode 100644
index 0000000..8db489d
--- /dev/null
+++ b/project-lakitu/chromeos-base/chromeos-firewall-init-lakitu/files/vsphere/iptables-setup
@@ -0,0 +1,40 @@
+#!/bin/bash
+# Copyright 2021 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+iptables -P INPUT DROP -w
+iptables -P FORWARD DROP -w
+iptables -P OUTPUT DROP -w
+
+# Accept everything on the loopback
+iptables -I INPUT -i lo -j ACCEPT -w
+iptables -I OUTPUT -o lo -j ACCEPT -w
+
+# Accept return traffic inbound
+iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -w
+
+# Accept all inbound TCP/UDP/ICMP/SCTP packets
+iptables -A INPUT -p tcp -j ACCEPT -w
+iptables -A INPUT -p udp -j ACCEPT -w
+iptables -A INPUT -p icmp -j ACCEPT -w
+iptables -A INPUT -p sctp -j ACCEPT -w
+
+# Accept all forwarded TCP/UDP/ICMP/SCTP packets
+iptables -A FORWARD -p tcp -j ACCEPT -w
+iptables -A FORWARD -p udp -j ACCEPT -w
+iptables -A FORWARD -p icmp -j ACCEPT -w
+iptables -A FORWARD -p sctp -j ACCEPT -w
+
+# Accept new and return traffic outbound
+iptables -I OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -w
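Review bot: The file mixes `-I` (lines for loopback, the inbound ESTABLISHED,RELATED rule, and the final OUTPUT rule) with `-A` for the protocol accepts, so the chain that actually results (state rule, then loopback, then the protocol rules on INPUT; state rule before loopback on OUTPUT) is not the order the script reads in, and it differs from the vsphere/ip6tables-setup counterpart, which uses `-A` throughout. All targets are ACCEPT, so this is not a functional bug today, but it will bite the first person who adds a DROP or REJECT rule and expects file order to be chain order; changing the four `-I` invocations to `-A`, e.g. `iptables -A INPUT -i lo -j ACCEPT -w`, keeps the two scripts aligned and the order obvious. Both scripts also use the legacy `-m state --state` match; `-m conntrack --ctstate ESTABLISHED,RELATED` is the current form and is what the state match is an alias for, so switching is a no-op in behaviour and avoids relying on the compatibility alias.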