fix: block wireserver port 80 traffic in multitenancy (#2395)

* Add vm and vnet ns block wireserver port 80 rule * Use existing variable for known ip * Move code to networkutils * Address feedback * Address iptables version feedback * Address protocol and format feedback * Add comments * Remove cidr in case ipv6 is used
Azure · Nov 29, 2023 · 2382637 · 2382637
1 parent 493da62
commit 2382637
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 1 deletion.
diff --git a/network/network_linux.go b/network/network_linux.go
@@ -95,9 +95,14 @@ func (nm *networkManager) newNetworkImpl(nwInfo *NetworkInfo, extIf *externalInt
 		ifName = extIf.Name
 		nu := networkutils.NewNetworkUtils(nm.netlink, nm.plClient)
 		if err := nu.EnableIPV4Forwarding(); err != nil {
-			return nil, fmt.Errorf("Ipv4 forwarding failed: %w", err)
+			return nil, errors.Wrap(err, "ipv4 forwarding failed")
 		}
 		logger.Info("Ipv4 forwarding enabled")
+		// Blocks wireserver traffic from apipa nic
+		if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.TCP, iptables.HTTPPort); err != nil {
+			return nil, errors.Wrap(err, "unable to insert vm iptables rule drop wireserver packets")
+		}
+		logger.Info("Block wireserver traffic rule added")
 	default:
 		return nil, errNetworkModeInvalid
 	}

diff --git a/network/networkutils/networkutils_linux.go b/network/networkutils/networkutils_linux.go
@@ -176,6 +176,12 @@ func AllowIPAddresses(bridgeName string, skipAddresses []string, action string)
 	return nil
 }
 
+func BlockEgressTrafficFromContainer(version, ipAddress, protocol string, port int) error {
+	// iptables -t filter -I FORWARD -j DROP -d <ip> -p <protocol> -m <protocol> --dport <port>
+	dropTraffic := fmt.Sprintf("-d %s -p %s -m %s --dport %d", ipAddress, protocol, protocol, port)
+	return errors.Wrap(iptables.InsertIptableRule(version, iptables.Filter, iptables.Forward, dropTraffic, iptables.Drop), "iptables block traffic failed")
+}
+
 func BlockIPAddresses(bridgeName, action string) error {
 	privateIPAddresses := getPrivateIPSpace()
 	chains := getFilterChains()

diff --git a/network/transparent_vlan_endpointclient_linux.go b/network/transparent_vlan_endpointclient_linux.go
@@ -404,6 +404,11 @@ func (client *TransparentVlanEndpointClient) AddVnetRules(epInfo *EndpointInfo)
 	if err := iptables.InsertIptableRule(iptables.V4, "mangle", "PREROUTING", match, "ACCEPT"); err != nil {
 		return errors.Wrap(err, "unable to insert iptables rule accept all incoming from vlan interface")
 	}
+	// Blocks wireserver traffic from customer vnet nic
+	if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.TCP, iptables.HTTPPort); err != nil {
+		return errors.Wrap(err, "unable to insert iptables rule to drop wireserver packets")
+	}
+
 	// Packets that are marked should go to the tunneling table
 	newRule := vishnetlink.NewRule()
 	newRule.Mark = tunnelingMark