From c4ea2c77a045ab8284a617eee8c1ee1bdc508e88 Mon Sep 17 00:00:00 2001
From: Pablo Carranza Velez
Date: Sat, 13 Aug 2016 14:44:01 +0000
Subject: [PATCH] Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local
---
 Dockerfile.amd64 | 1 +
 Dockerfile.armel | 1 +
 Dockerfile.armv7hf | 1 +
 Dockerfile.i386 | 1 +
 Dockerfile.rpi | 1 +
 src/app.coffee | 6 ++++--
 src/utils.coffee | 8 ++++++++
 7 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 49d7fb4f..f226c9a8 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -11,6 +11,7 @@ RUN apt-get -q update \
 btrfs-tools \
 ca-certificates \
 curl \
+ iptables \
 rsync \
 supervisor \
 --no-install-recommends \
diff --git a/Dockerfile.armel b/Dockerfile.armel
index 0d69a396..a21506ce 100644
--- a/Dockerfile.armel
+++ b/Dockerfile.armel
@@ -11,6 +11,7 @@ RUN apt-get -q update \
 btrfs-tools \
 ca-certificates \
 curl \
+ iptables \
 rsync \
 supervisor \
 --no-install-recommends \
diff --git a/Dockerfile.armv7hf b/Dockerfile.armv7hf
index eefef8a0..22e0b744 100644
--- a/Dockerfile.armv7hf
+++ b/Dockerfile.armv7hf
@@ -11,6 +11,7 @@ RUN apt-get -q update \
 btrfs-tools \
 ca-certificates \
 curl \
+ iptables \
 rsync \
 supervisor \
 --no-install-recommends \
diff --git a/Dockerfile.i386 b/Dockerfile.i386
index 3e6ec066..44cf1f5c 100644
--- a/Dockerfile.i386
+++ b/Dockerfile.i386
@@ -11,6 +11,7 @@ RUN apt-get -q update \
 btrfs-tools \
 ca-certificates \
 curl \
+ iptables \
 rsync \
 supervisor \
 --no-install-recommends \
diff --git a/Dockerfile.rpi b/Dockerfile.rpi
index b60a0ba3..8d61353b 100644
--- a/Dockerfile.rpi
+++ b/Dockerfile.rpi
@@ -11,6 +11,7 @@ RUN apt-get -q update \
 btrfs-tools \
 ca-certificates \
 curl \
+ iptables \
 rsync \
 supervisor \
 --no-install-recommends \
diff --git a/src/app.coffee b/src/app.coffee
index bd8a1031..8bd6a8fb 100644
--- a/src/app.coffee
+++ b/src/app.coffee
@@ -24,8 +24,10 @@ knex.init.then ->
 device = require './device'
 console.log('Starting API server..')
- apiServer = api(application).listen(config.listenPort)
- apiServer.timeout = config.apiTimeout
+ utils.createIpTablesRules()
+ .then ->
+ apiServer = api(application).listen(config.listenPort)
+ apiServer.timeout = config.apiTimeout
 bootstrap.done
 .then ->
diff --git a/src/utils.coffee b/src/utils.coffee
index 8b614287..6838988e 100644
--- a/src/utils.coffee
+++ b/src/utils.coffee
@@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string'
 request = Promise.promisifyAll require 'request'
 logger = require './lib/logger'
 TypedError = require 'typed-error'
+execAsync = Promise.promisify(require('child_process').exec)
 # Parses package.json and returns resin-supervisor's version
 version = require('../package.json').version
@@ -279,3 +280,10 @@ exports.validateKeys = (options, validSet) ->
 return if !options?
 invalidKeys = _.keys(_.omit(options, validSet))
 throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
+
+exports.createIpTablesRules = ->
+ allowedInterfaces = ['tun0', 'docker0', 'lo']
+ Promise.each allowedInterfaces, (iface) ->
+ execAsync("iptables -A INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
+ .then ->
+ execAsync("iptables -A INPUT -p tcp --dport #{config.listenPort} -j REJECT")
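Review bot: The `utils.createIpTablesRules()` chain placed in front of the `listen` call has no rejection handler, so if iptables fails (binary missing, no CAP_NET_ADMIN, a rule refused by the kernel) the API server is silently never started and the only trace is Bluebird's unhandled-rejection warning. Failing closed is the right default for a firewall precondition, but it should be explicit and logged: append `.catch (err) -> console.log('Failed to set up iptables rules, not starting API server:', err)` to the chain and decide there whether to exit so the process gets restarted. `apiServer` is now assigned asynchronously inside the `.then`, so any later code in the same callback that reads it synchronously would see `undefined`; I can't tell from the hunk whether such a reader exists. The enclosing `knex.init.then ->` callback continues outside the hunk.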
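Review bot: The rules in `createIpTablesRules` are IPv4-only, while `api(application).listen(config.listenPort)` in app.coffee is called without a host and so binds to `::` on hosts with IPv6 enabled, leaving the API reachable over IPv6 on every interface; the same rule set needs to go through `ip6tables` as well (the Debian `iptables` package should already ship it), or the listener must be bound to an IPv4 address. Because the function uses `-A` unconditionally, every supervisor restart also appends another copy of the ACCEPT and REJECT rules to INPUT; checking first with `-C` (`iptables -C … || iptables -A …`) keeps the chain idempotent. If the host's INPUT chain already ends in an accept-all rule, appended rules never match and `-I` or a dedicated chain would be needed, but that depends on the host OS and is not visible here. The commands are fixed strings plus `config.listenPort`, yet `exec` still runs them through a shell, so `execFile('iptables', [...])` would be the safer primitive; and `config` is not among the requires visible in the earlier hunk, so if utils.coffee does not already load it this throws a ReferenceError at call time.
```coffeescript
exports.createIpTablesRules = ->
	allowedInterfaces = ['tun0', 'docker0', 'lo']
	acceptRule = (iface) -> "INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT"
	rejectRule = "INPUT -p tcp --dport #{config.listenPort} -j REJECT"
	# -C exits non-zero when the rule is absent, so each rule is appended at
	# most once across supervisor restarts; apply the same set for IPv6.
	ensureRule = (cmd, rule) -> execAsync("#{cmd} -C #{rule} || #{cmd} -A #{rule}")
	Promise.each [ 'iptables', 'ip6tables' ], (cmd) ->
		Promise.each allowedInterfaces, (iface) ->
			ensureRule(cmd, acceptRule(iface))
		.then ->
			ensureRule(cmd, rejectRule)
```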