iptables: restric unnecessarily wide local rules

grafana · Jul 10, 2023 · 0495c9b · 0495c9b
1 parent 59345a4
commit 0495c9b
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
@@ -42,7 +42,7 @@ import (
 // as the proxy targets the pod IP and not the loopback address.
 const redirectLocalRule = "OUTPUT " + // For local traffic
 	"-t nat " + // Traversing the nat table
-	"-s 127.0.0.0/8 -d 127.0.0.0/8 " + // Coming from and directed to the loopback address, i.e. not the pod IP.
+	"-s 127.0.0.0/8 -d 127.0.0.1/32 " + // Coming from and directed to localhost, i.e. not the pod IP.
 	"-p tcp --dport %d " + // Sent to the upstream application's port
 	"-j REDIRECT --to-port %d" // Forward it to the proxy address
 
@@ -63,7 +63,7 @@ const redirectExternalRule = "PREROUTING " + // For remote traffic
 // the pod's external IP and not the loopback address.
 const resetLocalRule = "INPUT " + // For traffic traversing the INPUT chain
 	"-i lo " + // On the loopback interface
-	"-s 127.0.0.0/8 -d 127.0.0.0/8 " + // Coming from and directed to the loopback address
+	"-s 127.0.0.0/8 -d 127.0.0.1/32 " + // Coming from and directed to localhost
 	"-p tcp --dport %d " + // Directed to the upstream application's port
 	"-m state --state ESTABLISHED " + // That are already ESTABLISHED, i.e. not before they are redirected
 	"-j REJECT --reject-with tcp-reset" // Reject it

diff --git a/pkg/iptables/iptables_test.go b/pkg/iptables/iptables_test.go
@@ -85,9 +85,9 @@ func Test_Commands(t *testing.T) {
 			},
 			expectedCmds: []string{
 				"iptables -D INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset",
-				"iptables -A OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-port 8080",
+				"iptables -A OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 8080",
 				"iptables -A PREROUTING -t nat ! -i lo -p tcp --dport 80 -j REDIRECT --to-port 8080",
-				"iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
+				"iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -A INPUT ! -i lo -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 			},
 			expectError: false,
@@ -104,9 +104,9 @@ func Test_Commands(t *testing.T) {
 				return tr.Stop()
 			},
 			expectedCmds: []string{
-				"iptables -D OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-port 8080",
+				"iptables -D OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 8080",
 				"iptables -D PREROUTING -t nat ! -i lo -p tcp --dport 80 -j REDIRECT --to-port 8080",
-				"iptables -D INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
+				"iptables -D INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -D INPUT ! -i lo -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -A INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset",
 			},