From 0495c9bf6a07e37380d29db7298cd4a8b9fbd2f3 Mon Sep 17 00:00:00 2001
From: Roberto Santalla
Date: Mon, 10 Jul 2023 14:46:26 +0200
Subject: [PATCH] iptables: restric unnecessarily wide local rules

---
 pkg/iptables/iptables.go      | 4 ++--
 pkg/iptables/iptables_test.go | 8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/iptables/iptables.go b/pkg/iptables/iptables.go
index 78d0b41c..ab1c9518 100644
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@@ -42,7 +42,7 @@ import (
 // as the proxy targets the pod IP and not the loopback address.
 const redirectLocalRule = "OUTPUT " + // For local traffic
 	"-t nat " + // Traversing the nat table
-	"-s 127.0.0.0/8 -d 127.0.0.0/8 " + // Coming from and directed to the loopback address, i.e. not the pod IP.
+	"-s 127.0.0.0/8 -d 127.0.0.1/32 " + // Coming from and directed to localhost, i.e. not the pod IP.
 	"-p tcp --dport %d " + // Sent to the upstream application's port
 	"-j REDIRECT --to-port %d" // Forward it to the proxy address
@@ -63,7 +63,7 @@ const redirectExternalRule = "PREROUTING " + // For remote traffic
 // the pod's external IP and not the loopback address.
 const resetLocalRule = "INPUT " + // For traffic traversing the INPUT chain
 	"-i lo " + // On the loopback interface
-	"-s 127.0.0.0/8 -d 127.0.0.0/8 " + // Coming from and directed to the loopback address
+	"-s 127.0.0.0/8 -d 127.0.0.1/32 " + // Coming from and directed to localhost
 	"-p tcp --dport %d " + // Directed to the upstream application's port
 	"-m state --state ESTABLISHED " + // That are already ESTABLISHED, i.e. not before they are redirected
 	"-j REJECT --reject-with tcp-reset" // Reject it
diff --git a/pkg/iptables/iptables_test.go b/pkg/iptables/iptables_test.go
index b0761e1d..e1cb8413 100644
--- a/pkg/iptables/iptables_test.go
+++ b/pkg/iptables/iptables_test.go
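Review bot: Narrowing `-d` to `127.0.0.1/32` on the new redirectLocalRule line means a local client that connects to any other loopback address (127.0.0.2, 127.1.2.3 — on Linux the whole 127.0.0.0/8 block is delivered over lo) is no longer redirected to the proxy, and since resetLocalRule was narrowed identically that connection is not reset either, so it reaches the upstream port unproxied. The old `-d 127.0.0.0/8` match on the destination was what closed that gap; only the `-s` side was plausibly "unnecessarily wide", and the commit message does not say whether the bypass is intended. If it is intended, record it where the next maintainer will look, e.g. `// Only 127.0.0.1 is redirected; other 127/8 destinations bypass the proxy and the reset rule.`; if not, keep `-d 127.0.0.0/8` on both rules and narrow only `-s`. The header comment that these two context lines belong to starts outside the hunk.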
@@ -85,9 +85,9 @@ func Test_Commands(t *testing.T) {
 			},
 			expectedCmds: []string{
 				"iptables -D INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset",
-				"iptables -A OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-port 8080",
+				"iptables -A OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 8080",
 				"iptables -A PREROUTING -t nat ! -i lo -p tcp --dport 80 -j REDIRECT --to-port 8080",
-				"iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
+				"iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -A INPUT ! -i lo -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 			},
 			expectError: false,
@@ -104,9 +104,9 @@ func Test_Commands(t *testing.T) {
 				return tr.Stop()
 			},
 			expectedCmds: []string{
-				"iptables -D OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -j REDIRECT --to-port 8080",
+				"iptables -D OUTPUT -t nat -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -j REDIRECT --to-port 8080",
 				"iptables -D PREROUTING -t nat ! -i lo -p tcp --dport 80 -j REDIRECT --to-port 8080",
-				"iptables -D INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
+				"iptables -D INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.1/32 -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -D INPUT ! -i lo -p tcp --dport 80 -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset",
 				"iptables -A INPUT -p tcp --dport 8080 -j REJECT --reject-with tcp-reset",
 			},