Merge pull request #229 from resin-io/228-iptables
Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local
This commit is contained in:
commit
439bac6331
@ -1,3 +1,5 @@
|
|||||||
|
* Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local [Pablo]
|
||||||
|
|
||||||
# v1.13.2
|
# v1.13.2
|
||||||
|
|
||||||
* bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg]
|
* bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg]
|
||||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
|||||||
btrfs-tools \
|
btrfs-tools \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
|
iptables \
|
||||||
rsync \
|
rsync \
|
||||||
supervisor \
|
supervisor \
|
||||||
--no-install-recommends \
|
--no-install-recommends \
|
||||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
|||||||
btrfs-tools \
|
btrfs-tools \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
|
iptables \
|
||||||
rsync \
|
rsync \
|
||||||
supervisor \
|
supervisor \
|
||||||
--no-install-recommends \
|
--no-install-recommends \
|
||||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
|||||||
btrfs-tools \
|
btrfs-tools \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
|
iptables \
|
||||||
rsync \
|
rsync \
|
||||||
supervisor \
|
supervisor \
|
||||||
--no-install-recommends \
|
--no-install-recommends \
|
||||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
|||||||
btrfs-tools \
|
btrfs-tools \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
|
iptables \
|
||||||
rsync \
|
rsync \
|
||||||
supervisor \
|
supervisor \
|
||||||
--no-install-recommends \
|
--no-install-recommends \
|
||||||
|
@ -11,6 +11,7 @@ RUN apt-get -q update \
|
|||||||
btrfs-tools \
|
btrfs-tools \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
|
iptables \
|
||||||
rsync \
|
rsync \
|
||||||
supervisor \
|
supervisor \
|
||||||
--no-install-recommends \
|
--no-install-recommends \
|
||||||
|
@ -24,6 +24,8 @@ knex.init.then ->
|
|||||||
device = require './device'
|
device = require './device'
|
||||||
|
|
||||||
console.log('Starting API server..')
|
console.log('Starting API server..')
|
||||||
|
utils.createIpTablesRules()
|
||||||
|
.then ->
|
||||||
apiServer = api(application).listen(config.listenPort)
|
apiServer = api(application).listen(config.listenPort)
|
||||||
apiServer.timeout = config.apiTimeout
|
apiServer.timeout = config.apiTimeout
|
||||||
|
|
||||||
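Review bot: A rejection from `utils.createIpTablesRules()` now keeps the API server from starting, and nothing in this hunk handles it, so unless the chain after `apiServer.timeout = config.apiTimeout` ends in a `.catch` the failure surfaces only as an unhandled rejection with no indication of why the API is down. Not listening when the rules cannot be installed is the right default, but the cause (iptables absent, insufficient privileges) should be logged explicitly, e.g. a trailing `.catch (err) -> console.error('Could not install iptables rules; API server not started', err)`. The enclosing `knex.init.then ->` block starts outside the hunk.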
|
@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string'
|
|||||||
request = Promise.promisifyAll require 'request'
|
request = Promise.promisifyAll require 'request'
|
||||||
logger = require './lib/logger'
|
logger = require './lib/logger'
|
||||||
TypedError = require 'typed-error'
|
TypedError = require 'typed-error'
|
||||||
|
execAsync = Promise.promisify(require('child_process').exec)
|
||||||
|
|
||||||
# Parses package.json and returns resin-supervisor's version
|
# Parses package.json and returns resin-supervisor's version
|
||||||
version = require('../package.json').version
|
version = require('../package.json').version
|
||||||
@ -279,3 +280,15 @@ exports.validateKeys = (options, validSet) ->
|
|||||||
return if !options?
|
return if !options?
|
||||||
invalidKeys = _.keys(_.omit(options, validSet))
|
invalidKeys = _.keys(_.omit(options, validSet))
|
||||||
throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
|
throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
|
||||||
|
|
||||||
|
checkAndAddIptablesRule = (rule) ->
|
||||||
|
execAsync("iptables -C #{rule}")
|
||||||
|
.catch ->
|
||||||
|
execAsync("iptables -A #{rule}")
|
||||||
|
|
||||||
|
exports.createIpTablesRules = ->
|
||||||
|
allowedInterfaces = ['tun0', 'docker0', 'lo']
|
||||||
|
Promise.each allowedInterfaces, (iface) ->
|
||||||
|
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
|
||||||
|
.then ->
|
||||||
|
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
|
||||||
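Review bot: `checkAndAddIptablesRule` appends with `-A`, so the REJECT for `config.listenPort` only takes effect if no earlier rule in INPUT already accepts the traffic; if the host ships a broad ACCEPT ahead of it, the new rules are never reached. A dedicated chain, or inserting the REJECT first with `-I` and the per-interface ACCEPTs above it, would make the policy independent of whatever else is in INPUT. The `.catch ->` after `iptables -C` also treats any failure (missing binary, no CAP_NET_ADMIN, bad rule syntax) as "rule absent" and falls through to `-A`; the subsequent `-A` error does propagate, but checking the exit code of `-C` would make the intent explicit. The rule strings are built only from constants and `config.listenPort`, so nothing untrusted reaches the shell today, yet running `iptables` via `child_process.exec` interpolation is fragile — `execFile` with an argument array avoids the shell entirely. If the listener also binds IPv6, these iptables rules do not cover it and an ip6tables counterpart is needed.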
|