Merge pull request #229 from resin-io/228-iptables

Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local
This commit is contained in:
Pablo Carranza Vélez 2016-08-16 17:36:19 -03:00 committed by GitHub
commit 439bac6331
8 changed files with 24 additions and 2 deletions


@ -1,3 +1,5 @@
* Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local [Pablo]
# v1.13.2 # v1.13.2
* bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg] * bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg]


@ -11,6 +11,7 @@ RUN apt-get -q update \
btrfs-tools \ btrfs-tools \
ca-certificates \ ca-certificates \
curl \ curl \
iptables \
rsync \ rsync \
supervisor \ supervisor \
--no-install-recommends \ --no-install-recommends \


@ -11,6 +11,7 @@ RUN apt-get -q update \
btrfs-tools \ btrfs-tools \
ca-certificates \ ca-certificates \
curl \ curl \
iptables \
rsync \ rsync \
supervisor \ supervisor \
--no-install-recommends \ --no-install-recommends \


@ -11,6 +11,7 @@ RUN apt-get -q update \
btrfs-tools \ btrfs-tools \
ca-certificates \ ca-certificates \
curl \ curl \
iptables \
rsync \ rsync \
supervisor \ supervisor \
--no-install-recommends \ --no-install-recommends \


@ -11,6 +11,7 @@ RUN apt-get -q update \
btrfs-tools \ btrfs-tools \
ca-certificates \ ca-certificates \
curl \ curl \
iptables \
rsync \ rsync \
supervisor \ supervisor \
--no-install-recommends \ --no-install-recommends \


@ -11,6 +11,7 @@ RUN apt-get -q update \
btrfs-tools \ btrfs-tools \
ca-certificates \ ca-certificates \
curl \ curl \
iptables \
rsync \ rsync \
supervisor \ supervisor \
--no-install-recommends \ --no-install-recommends \


@ -24,6 +24,8 @@ knex.init.then ->
device = require './device' device = require './device'
console.log('Starting API server..') console.log('Starting API server..')
utils.createIpTablesRules()
.then ->
apiServer = api(application).listen(config.listenPort) apiServer = api(application).listen(config.listenPort)
apiServer.timeout = config.apiTimeout apiServer.timeout = config.apiTimeout
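Review bot: `api(application).listen(config.listenPort)` is called without a host, so Node binds the unspecified address, and on a dual-stack host that also accepts IPv6 connections that the new rules (which are written with `iptables`, i.e. IPv4 only) never inspect. Either add a matching `ip6tables` set in `createIpTablesRules` or pin the listener to IPv4 so the filter covers every path, e.g. `apiServer = api(application).listen(config.listenPort, '0.0.0.0')`. Nothing in the hunk handles a rejection from `createIpTablesRules()`: if the binary is missing or the process lacks CAP_NET_ADMIN, the `.then` never runs and the API silently never starts, unless a handler exists further down the chain. Failing closed is reasonable, but log the reason first, `.catch (err) -> console.log('Failed to install iptables rules, API not started:', err); throw err`. The enclosing `knex.init.then` callback begins and ends outside this hunk.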


@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string'
request = Promise.promisifyAll require 'request' request = Promise.promisifyAll require 'request'
logger = require './lib/logger' logger = require './lib/logger'
TypedError = require 'typed-error' TypedError = require 'typed-error'
execAsync = Promise.promisify(require('child_process').exec)
# Parses package.json and returns resin-supervisor's version # Parses package.json and returns resin-supervisor's version
version = require('../package.json').version version = require('../package.json').version
@ -279,3 +280,15 @@ exports.validateKeys = (options, validSet) ->
return if !options? return if !options?
invalidKeys = _.keys(_.omit(options, validSet)) invalidKeys = _.keys(_.omit(options, validSet))
throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys) throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
checkAndAddIptablesRule = (rule) ->
execAsync("iptables -C #{rule}")
.catch ->
execAsync("iptables -A #{rule}")
exports.createIpTablesRules = ->
allowedInterfaces = ['tun0', 'docker0', 'lo']
Promise.each allowedInterfaces, (iface) ->
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
.then ->
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
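Review bot: The ACCEPT rules in `createIpTablesRules` are appended with `-A`, so on a host where an earlier run's REJECT rule is still installed (the rules live in the host kernel, not in the container, and survive a supervisor restart) any interface later added to `allowedInterfaces` lands after the REJECT and never matches. Insert the allow rules at the head of the chain instead: give the helper an action argument, `checkAndAddIptablesRule = (rule, action = '-A') ->` with `execAsync("iptables #{action} #{rule}")`, and call it as `checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT", '-I')` while leaving the REJECT on `-A`. The `.catch` on `iptables -C` treats every failure (no binary, no CAP_NET_ADMIN, held xtables lock) as "rule absent", which only works because the following add then fails loudly; a comment such as `# -C exits non-zero when the rule is missing; any other failure surfaces on the add` would keep that from being simplified away. These rules are IPv4-only, so if the API is reachable over IPv6 a matching `ip6tables` set is needed as well, and `tun0`/`docker0` are assumed interface names that presumably should come from config rather than being hard-coded.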