Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local

2024-12-20 14:13:08 +00:00 · 2016-08-13 14:44:01 +00:00 · 2016-08-13 14:44:01 +00:00 · c4ea2c77a0
commit c4ea2c77a0
parent 211560472a
7 changed files with 17 additions and 2 deletions
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@ -11,6 +11,7 @@ RUN apt-get -q update \
 		btrfs-tools \
 		ca-certificates \
 		curl \
+		iptables \
 		rsync \
 		supervisor \
 		--no-install-recommends \
--- a/Dockerfile.armel
+++ b/Dockerfile.armel
@ -11,6 +11,7 @@ RUN apt-get -q update \
 		btrfs-tools \
 		ca-certificates \
 		curl \
+		iptables \
 		rsync \
 		supervisor \
 		--no-install-recommends \
--- a/Dockerfile.armv7hf
+++ b/Dockerfile.armv7hf
@ -11,6 +11,7 @@ RUN apt-get -q update \
 		btrfs-tools \
 		ca-certificates \
 		curl \
+		iptables \
 		rsync \
 		supervisor \
 		--no-install-recommends \
--- a/Dockerfile.i386
+++ b/Dockerfile.i386
@ -11,6 +11,7 @@ RUN apt-get -q update \
 		btrfs-tools \
 		ca-certificates \
 		curl \
+		iptables \
 		rsync \
 		supervisor \
 		--no-install-recommends \
--- a/Dockerfile.rpi
+++ b/Dockerfile.rpi
@ -11,6 +11,7 @@ RUN apt-get -q update \
 		btrfs-tools \
 		ca-certificates \
 		curl \
+		iptables \
 		rsync \
 		supervisor \
 		--no-install-recommends \
--- a/src/app.coffee
+++ b/src/app.coffee
@ -24,6 +24,8 @@ knex.init.then ->
 		device = require './device'

 		console.log('Starting API server..')
+		utils.createIpTablesRules()
+		.then ->
 			apiServer = api(application).listen(config.listenPort)
 			apiServer.timeout = config.apiTimeout

--- a/src/utils.coffee
+++ b/src/utils.coffee
@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string'
 request = Promise.promisifyAll require 'request'
 logger = require './lib/logger'
 TypedError = require 'typed-error'
+execAsync = Promise.promisify(require('child_process').exec)

 # Parses package.json and returns resin-supervisor's version
 version = require('../package.json').version
@ -279,3 +280,10 @@ exports.validateKeys = (options, validSet) ->
 		return if !options?
 		invalidKeys = _.keys(_.omit(options, validSet))
 		throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys)
+
+exports.createIpTablesRules = ->
+	allowedInterfaces = ['tun0', 'docker0', 'lo']
+	Promise.each allowedInterfaces, (iface) ->
+		execAsync("iptables -A INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
+	.then ->
+		execAsync("iptables -A INPUT -p tcp --dport #{config.listenPort} -j REJECT")