
Commit c824569

committed
Optimize vmm firewall rules
1 parent 9276b83 commit c824569

1 file changed

+45
-9
lines changed


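--- a/vmm/src/setup-user.sh
+++ b/vmm/src/setup-user.sh
@@ -23,11 +23,13 @@
 # user = "dstack-prd1"
 # ```
 #
+set -e
 
 # Default values
 USERNAME=""
 GROUP_NAME=""
 NO_FW=false
+NO_SERVICE=false
 ALLOWED_TCP_PORTS=""
 ALLOWED_UDP_PORTS=""
 
@@ -38,6 +40,10 @@ while [[ $# -gt 0 ]]; do
 NO_FW=true
 shift
 ;;
+--no-svc)
+NO_SERVICE=true
+shift
+;;
 --allow-tcp)
 ALLOWED_TCP_PORTS="$ALLOWED_TCP_PORTS $2"
 shift
@@ -54,9 +60,10 @@ while [[ $# -gt 0 ]]; do
 shift
 ;;
 -h | --help)
-echo "Usage: $0 <username> [--ufw] [-g|--group] [--no-fw] [--allow-tcp <port> --allow-udp <port>]"
+echo "Usage: $0 <username> [-g|--group] [--no-fw] [--no-svc] [--allow-tcp <port> --allow-udp <port>]"
 echo "Options:"
 echo " --no-fw Do not setup/clear firewall rules"
+echo " --no-svc Do not setup/clear service rules"
 echo " --allow-tcp Allow the specified TCP port to be accessed"
 echo " --allow-udp Allow the specified UDP port to be accessed"
 echo " -g, --group Add the user to the specified group"
@@ -79,7 +86,7 @@ done
 # Check if username is provided
 if [[ -z "$USERNAME" ]]; then
 echo "Error: Username is required"
-echo "Usage: $0 <username> [--ufw] [--no-fw] [--allow <port>]"
+echo "Usage: $0 <username> [-g|--group] [--no-fw] [--no-svc] [--allow-tcp <port> --allow-udp <port>]"
 exit 1
 fi
 
@@ -100,16 +107,38 @@ if [ -n "$GROUP_NAME" ]; then
 usermod -aG $GROUP_NAME $USERNAME
 fi
 
+rule_nums=$(iptables -L OUTPUT --line-numbers | grep $CHAIN_NAME | awk '{print $1}' | sort -r)
+echo $rule_nums
+
 if iptables -L $CHAIN_NAME >/dev/null 2>&1; then
 echo "Removing existing firewall rules"
-iptables -D OUTPUT -o lo -m owner --uid-owner $USERNAME -j $CHAIN_NAME 2>/dev/null || true
+# Delete each rule (in reverse order to avoid index shifting)
+if [ -n "$rule_nums" ]; then
+echo "Removing rules jumping to $CHAIN_NAME from OUTPUT chain"
+for num in $rule_nums; do
+echo "Removing rule $num"
+iptables -D OUTPUT $num
+done
+echo "All rules jumping to $CHAIN_NAME removed"
+else
+echo "No rules jumping to $CHAIN_NAME found in OUTPUT chain"
+fi
 iptables -F $CHAIN_NAME 2>/dev/null || true
 iptables -X $CHAIN_NAME 2>/dev/null || true
 echo "Removed iptables chain $CHAIN_NAME"
 fi
 
 rm -f $RULES_FILE
 
+if [ "$NO_SERVICE" = true ]; then
+echo "Removing existing systemd service"
+rm -f /etc/systemd/system/iptables-restore.service
+rm -f /etc/iptables/dstack-rules-${USERNAME}.v4
+systemctl disable iptables-restore.service || true
+systemctl daemon-reload
+echo "Removed systemd service and rules file"
+fi
+
 if [ "$NO_FW" = true ]; then
 echo "Skipping firewall rules setup"
 exit 0
@@ -129,21 +158,28 @@ fi
 # Add rules to allow specific ports
 for port in $ALLOWED_TCP_PORTS; do
 echo "Adding exception for TCP port $port"
-iptables -A $CHAIN_NAME -o lo -d 127.0.0.1 -p tcp --dport $port -j ACCEPT
-iptables -A $CHAIN_NAME -o lo -d 127.0.0.1 -p tcp --sport $port -j ACCEPT
+iptables -A $CHAIN_NAME -p tcp --dport $port -j ACCEPT
+iptables -A $CHAIN_NAME -p tcp --sport $port -j ACCEPT
 done
 for port in $ALLOWED_UDP_PORTS; do
 echo "Adding exception for UDP port $port"
-iptables -A $CHAIN_NAME -o lo -d 127.0.0.1 -p udp --dport $port -j ACCEPT
-iptables -A $CHAIN_NAME -o lo -d 127.0.0.1 -p udp --sport $port -j ACCEPT
+iptables -A $CHAIN_NAME -p udp --dport $port -j ACCEPT
+iptables -A $CHAIN_NAME -p udp --sport $port -j ACCEPT
 done
 
 # Add final DROP rule for all other traffic to localhost
-iptables -A $CHAIN_NAME -o lo -d 127.0.0.1 -j DROP
+iptables -A $CHAIN_NAME -p udp -j DROP
+iptables -A $CHAIN_NAME -p tcp -m tcp --syn -j DROP
+
 
 # Ensure our chain is referenced from the OUTPUT chain
 if ! iptables -C OUTPUT -o lo -m owner --uid-owner $USERNAME -j $CHAIN_NAME 2>/dev/null; then
-iptables -I OUTPUT -o lo -m owner --uid-owner $USERNAME -j $CHAIN_NAME
+iptables -I OUTPUT -o lo -d 127.0.0.1 -m owner --uid-owner $USERNAME -j $CHAIN_NAME
+fi
+
+if [ "$NO_SERVICE" = true ]; then
+echo "Skipping service rules setup"
+exit 0
 fi
 
 # Make iptables rules persistent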
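Review bot: The `iptables -C OUTPUT -o lo -m owner --uid-owner $USERNAME -j $CHAIN_NAME` guard (unchanged context in the last hunk) can no longer match the rule the new `-I` line creates, because only the insert gained `-d 127.0.0.1`, so the check is effectively dead and only the removal loop earlier in the script prevents duplicate jump rules; the guard should read `if ! iptables -C OUTPUT -o lo -d 127.0.0.1 -m owner --uid-owner $USERNAME -j $CHAIN_NAME 2>/dev/null; then`. The replacement for the old catch-all DROP is narrower than its comment says: `-p udp` and `-p tcp -m tcp --syn` leave ICMP, other protocols and non-SYN TCP segments to 127.0.0.1 unfiltered, which may be intended for established flows but should be stated, e.g. `# Only new TCP connections and UDP are blocked; other protocols to localhost still pass`. In the removal hunk, `grep $CHAIN_NAME` is an unanchored substring match over `iptables -L` output, so a chain whose name contains this one (or a matching comment field) would have its OUTPUT jumps deleted as well; `iptables -L OUTPUT --line-numbers -n | awk -v c="$CHAIN_NAME" '$2 == c {print $1}' | sort -r` matches the target column exactly and `-n` avoids reverse-DNS lookups on the listing. The leftover `echo $rule_nums` looks like debug output, and since the unit name `iptables-restore.service` is not per-user while the rules file is, `--no-svc` for one user appears to remove the restore service for every user — confirm that is intended.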
