Commit 21258cd9 authored by Francesc Guasch's avatar Francesc Guasch

[#51] just open the port for the remote ip

parent 0830f6a9
......@@ -46,3 +46,14 @@ And the backend must run from root
# ./bin/rvd_back.pl &
## Firewall
Ravada uses `iptables` to restrict the access to the virtual machines.
Thes iptables rules grants acess to the admin workstation to all the domains
and disables the access to everyone else.
When the users access through the web broker they are allowed to the port of
their virtual machines. Ravada uses its own iptables chain called 'ravada' to
do so:
-A INPUT -p tcp -m tcp -s ip.of.admin.workstation --dport 5900:7000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900:7000 -j DROP
......@@ -795,13 +795,13 @@ sub _add_iptable {
$self->_log_iptable(iptables => \@iptables_arg, @_);
@iptables_arg = ( '0.0.0.0'
,$local_ip, 'filter', $IPTABLES_CHAIN, 'DROP',
,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
$self->_log_iptable(iptables => \@iptables_arg, %args);
# @iptables_arg = ( '0.0.0.0'
# ,$local_ip, 'filter', $IPTABLES_CHAIN, 'DROP',
# ,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
#
#($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
#
#$self->_log_iptable(iptables => \@iptables_arg, %args);
}
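Review bot: The DROP rule for `$local_port` is kept as a commented-out block at the end of the sub instead of being deleted, so the hunk now ends with seven lines of dead code whose status a reader cannot tell (temporarily disabled, or gone for good); history already records the removal. Delete the block and leave a one-line why-comment in its place, e.g. `# no per-port DROP here: the 5900:7000 range is closed by a chain-wide DROP rule (#51)` — adjust the wording if that blanket rule lives elsewhere, since it is not visible in this hunk. Without the per-port DROP, `_add_iptable` itself no longer closes the port to other sources, so the restriction now depends on that chain-wide rule being present and ordered after the per-IP ACCEPTs, which is worth asserting or documenting where that rule is created. The start of `_add_iptable`, including the ACCEPT rule this complements, is outside the hunk.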
......@@ -859,10 +859,10 @@ sub _obj_iptables {
($rv, $out_ar, $errs_ar) = $ipt_obj->chain_exists('filter', $IPTABLES_CHAIN);
if (!$rv) {
$ipt_obj->create_chain('filter', $IPTABLES_CHAIN);
$ipt_obj->add_jump_rule('filter','INPUT', 0, $IPTABLES_CHAIN);
$ipt_obj->add_jump_rule('filter','INPUT', 1, $IPTABLES_CHAIN);
}
# set the policy on the FORWARD table to DROP
$ipt_obj->set_chain_policy('filter', 'FORWARD', 'DROP');
# $ipt_obj->set_chain_policy('filter', 'FORWARD', 'DROP');
return $ipt_obj;
}
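Review bot: The comment `# set the policy on the FORWARD table to DROP` is now stale: the line below it is commented out, so the sub no longer sets any policy, and a reader will assume FORWARD is still being locked down. Drop the dead line and reword the comment to state the intent, e.g. `# FORWARD policy is deliberately left unchanged (was forced to DROP before #51)`. The jump-rule position in `$ipt_obj->add_jump_rule('filter','INPUT', 1, $IPTABLES_CHAIN);` also changed from 0 to 1 without a note; a short comment naming the INPUT rule that is expected to sit at position 0 would record why index 1 is right, since on a host where INPUT is empty or starts with a different rule the position means something else. The jump is still only added when the chain is first created, so an existing chain whose jump rule was removed is not repaired here; that is pre-existing, but relevant when reasoning about whether the chain's DROP rules are reached at all.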