[#51] just open the port for the remote ip

docs/production.md

@@ -46,3 +46,14 @@ And the backend must run from root
     # ./bin/rvd_back.pl &
 
 
+## Firewall
+
+Ravada uses `iptables` to restrict the access to the virtual machines. 
+Thes iptables rules grants acess to the admin workstation to all the domains
+and disables the access to everyone else.
+When the users access through the web broker they are allowed to the port of
+their virtual machines. Ravada uses its own iptables chain called 'ravada' to
+do so:
+
+    -A INPUT -p tcp -m tcp -s ip.of.admin.workstation --dport 5900:7000 -j ACCEPT
+    -A INPUT -p tcp -m tcp --dport 5900:7000 -j DROP

lib/Ravada/Domain.pm

@@ -795,13 +795,13 @@ sub _add_iptable {
 
     $self->_log_iptable(iptables => \@iptables_arg, @_);
 
-    @iptables_arg = ( '0.0.0.0'
-                        ,$local_ip, 'filter', $IPTABLES_CHAIN, 'DROP',
-                        ,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
-
-    ($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
-
-    $self->_log_iptable(iptables => \@iptables_arg, %args);
+#    @iptables_arg = ( '0.0.0.0'
+#                        ,$local_ip, 'filter', $IPTABLES_CHAIN, 'DROP',
+#                        ,{'protocol' => 'tcp', 's_port' => 0, 'd_port' => $local_port});
+    #
+    #($rv, $out_ar, $errs_ar) = $ipt_obj->append_ip_rule(@iptables_arg);
+    #
+    #$self->_log_iptable(iptables => \@iptables_arg, %args);
 
 }
 
@@ -859,10 +859,10 @@ sub _obj_iptables {
 	($rv, $out_ar, $errs_ar) = $ipt_obj->chain_exists('filter', $IPTABLES_CHAIN);
     if (!$rv) {
 		$ipt_obj->create_chain('filter', $IPTABLES_CHAIN);
-        $ipt_obj->add_jump_rule('filter','INPUT', 0, $IPTABLES_CHAIN);
+        $ipt_obj->add_jump_rule('filter','INPUT', 1, $IPTABLES_CHAIN);
 	}
 	# set the policy on the FORWARD table to DROP
-    $ipt_obj->set_chain_policy('filter', 'FORWARD', 'DROP');
+#    $ipt_obj->set_chain_policy('filter', 'FORWARD', 'DROP');
 
     return $ipt_obj;
 }