Merge pull request #229 from resin-io/228-iptables
Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local
This commit is contained in:
commit
439bac6331
@ -1,3 +1,5 @@
|
||||
* Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local [Pablo]
|
||||
|
||||
# v1.13.2
|
||||
|
||||
* bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg]
|
||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
||||
btrfs-tools \
|
||||
ca-certificates \
|
||||
curl \
|
||||
iptables \
|
||||
rsync \
|
||||
supervisor \
|
||||
--no-install-recommends \
|
||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
||||
btrfs-tools \
|
||||
ca-certificates \
|
||||
curl \
|
||||
iptables \
|
||||
rsync \
|
||||
supervisor \
|
||||
--no-install-recommends \
|
||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
||||
btrfs-tools \
|
||||
ca-certificates \
|
||||
curl \
|
||||
iptables \
|
||||
rsync \
|
||||
supervisor \
|
||||
--no-install-recommends \
|
||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
||||
btrfs-tools \
|
||||
ca-certificates \
|
||||
curl \
|
||||
iptables \
|
||||
rsync \
|
||||
supervisor \
|
||||
--no-install-recommends \
|
||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
||||
btrfs-tools \
|
||||
ca-certificates \
|
||||
curl \
|
||||
iptables \
|
||||
rsync \
|
||||
supervisor \
|
||||
--no-install-recommends \
|
||||
|
@ -24,8 +24,10 @@ knex.init.then ->
|
||||
device = require './device'
|
||||
|
||||
console.log('Starting API server..')
|
||||
apiServer = api(application).listen(config.listenPort)
|
||||
apiServer.timeout = config.apiTimeout
|
||||
utils.createIpTablesRules()
|
||||
.then ->
|
||||
apiServer = api(application).listen(config.listenPort)
|
||||
apiServer.timeout = config.apiTimeout
|
||||
|
||||
bootstrap.done
|
||||
.then ->
|
||||
|
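Review bot: `api(application).listen(config.listenPort)` passes no host, so on a host where IPv6 is available Node binds the dual-stack `::` address, while createIpTablesRules installs IPv4 rules only; an IPv6 request arriving on a non-allowed interface would then still reach the API. If the API is only meant for IPv4 clients, binding explicitly with `api(application).listen(config.listenPort, '0.0.0.0')` closes that gap; otherwise the same rules need to be mirrored with ip6tables. The chain started by `utils.createIpTablesRules()` also has no `.catch`: when rule creation rejects the server is never started, which is the safe outcome, but the cause surfaces only as an unhandled rejection, so a `.catch (err) -> console.error('Could not set up iptables rules, API server not started:', err)` on that chain would make it visible. Moving the `apiServer = ...` assignment into the inner `.then` callback also changes its CoffeeScript scope to that callback unless the name is assigned earlier in the enclosing function — worth confirming against any later reference to `apiServer`. The enclosing `knex.init.then ->` callback begins before this hunk.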
@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string'
|
||||
request = Promise.promisifyAll require 'request'
|
||||
logger = require './lib/logger'
|
||||
TypedError = require 'typed-error'
|
||||
execAsync = Promise.promisify(require('child_process').exec)
|
||||
|
||||
# Parses package.json and returns resin-supervisor's version
|
||||
version = require('../package.json').version
|
||||
@ -279,3 +280,15 @@ exports.validateKeys = (options, validSet) ->
|
||||
return if !options?
|
||||
invalidKeys = _.keys(_.omit(options, validSet))
|
||||
throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
|
||||
|
||||
checkAndAddIptablesRule = (rule) ->
|
||||
execAsync("iptables -C #{rule}")
|
||||
.catch ->
|
||||
execAsync("iptables -A #{rule}")
|
||||
|
||||
exports.createIpTablesRules = ->
|
||||
allowedInterfaces = ['tun0', 'docker0', 'lo']
|
||||
Promise.each allowedInterfaces, (iface) ->
|
||||
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
|
||||
.then ->
|
||||
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
|
||||
|
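Review bot: The REJECT rule at the end of createIpTablesRules is appended with `-A`, so it only takes effect if no earlier INPUT rule already accepts the traffic, and any ACCEPT a later supervisor version adds (a new entry in allowedInterfaces) would be appended after the REJECT left by a previous run and never match. Appending the REJECT first and inserting each ACCEPT ahead of it with `-I` keeps the allow rules in front regardless of what the chain already holds. The `-C` probe also fails when iptables cannot run at all (missing binary or no CAP_NET_ADMIN), in which case the `-A` retry fails too and the returned promise rejects — that deserves a comment since the caller decides whether it is fatal. Only IPv4 rules are installed here; the rule strings are built from config.listenPort and a fixed interface list, so no untrusted input reaches the shell.
```coffeescript
# Probe with -C and add the rule only when it is absent; `action` is -A (append) or -I (insert at head).
# -C also fails when iptables cannot run at all (no binary / no CAP_NET_ADMIN); the add then
# fails as well and the returned promise rejects.
checkAndAddIptablesRule = (rule, action = '-A') ->
	execAsync("iptables -C #{rule}")
	.catch ->
		execAsync("iptables #{action} #{rule}")

exports.createIpTablesRules = ->
	allowedInterfaces = ['tun0', 'docker0', 'lo']
	# Append the REJECT first, then insert each ACCEPT ahead of it, so the allow rules
	# precede the reject even when the chain already holds a REJECT from an earlier run.
	checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
	.then ->
		Promise.each allowedInterfaces, (iface) ->
			checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT", '-I')
```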