aws / amazon-ecs-init

ecs-init is now part of the amazon-ecs-agent repo https://github.com/aws/amazon-ecs-agent/tree/master/ecs-init
https://github.com/aws/amazon-ecs-agent
Apache License 2.0

Drop traffic to 127.0.0.1 that isn't originated from the host #334

Closed fenxiong closed 4 years ago

fenxiong commented 4 years ago

Summary

Add iptable rule to drop traffic to 127.0.0.1 that isn't originated from the host. This is necessitated by the fact that we set `net.ipv4.conf.all.route_localnet` to 1.

Implementation details

Add following iptable rule when starting up:

iptables -I INPUT --dst 127.0.0.0/8 ! --src 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP

Remove the rule upon stop. Some refactoring of the unit test code to reduce duplicate code and use assert/require from the testify library.

Testing

Unit tests added/updated.

Built the rpm and verified that the expected iptable rule is added after the service starts:

[ec2-user@ip-xxx ~]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  -- !ip-127-0-0-0.us-west-2.compute.internal/8  ip-127-0-0-0.us-west-2.compute.internal/8  ! ctstate RELATED,ESTABLISHED,DNAT

and that the rule is removed when the service is stopped. Ran a few agent functional tests with the rpm, including the task IAM role test, to make sure the local traffic forwarding to the task credential endpoint isn't affected.

New tests cover the changes: yes

Description for the changelog

Drop traffic to 127.0.0.1 that isn't originated from the host.

Licensing

This contribution is under the terms of the Apache 2.0 License:
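An added example, not code from this PR or from ecs-init, of how the rule above can be managed idempotently: it builds the argv for `iptables -I`/`-D`/`-C` and detects an already-installed copy from `iptables -S INPUT` output, so a restart does not stack duplicates. It assumes the iptables-save print format (`!` before `-s`, `-s` before `-d`); the function names are hypothetical and the dump in the test is constructed.

```go
package main

import "strings"

// Rule from the PR as the arguments after the iptables action flag (-I to
// install at start-up, -D to remove at stop, -C to check). Traffic to loopback
// not originating on loopback is dropped unless conntrack marks it as part of an
// established or DNAT'd flow; the DNAT exception keeps the forwarded task
// credential traffic working while route_localnet=1 exposes 127.0.0.1.
var localnetDropRule = []string{
	"INPUT", "--dst", "127.0.0.0/8", "!", "--src", "127.0.0.0/8",
	"-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED,DNAT", "-j", "DROP",
}

// IptablesArgs returns argv for `iptables <action> <rule>` (hypothetical name).
func IptablesArgs(action string) []string {
	return append([]string{"iptables", action}, localnetDropRule...)
}

// match is one option from an `iptables -S` line: its value and whether "!"
// preceded it.
type match struct {
	negated bool
	value   string
}

// parseRuleLine maps each "-opt value" pair of an `iptables -S` line to a match.
func parseRuleLine(line string) map[string]match {
	out, toks, neg := map[string]match{}, strings.Fields(line), false
	for i := 0; i < len(toks); i++ {
		if toks[i] == "!" {
			neg = true
			continue
		}
		if strings.HasPrefix(toks[i], "-") && i+1 < len(toks) {
			out[toks[i]] = match{negated: neg, value: toks[i+1]}
			i++
		}
		neg = false
	}
	return out
}

// RuleIsPresent reports whether the drop rule already exists in INPUT given the
// output of `iptables -S INPUT`, so a restart does not stack duplicate copies.
func RuleIsPresent(dump string) bool {
	for _, line := range strings.Split(dump, "\n") {
		r := parseRuleLine(line)
		if r["-A"].value == "INPUT" && r["-j"] == (match{false, "DROP"}) &&
			r["-s"] == (match{true, "127.0.0.0/8"}) && r["-d"] == (match{false, "127.0.0.0/8"}) &&
			r["--ctstate"] == (match{true, "RELATED,ESTABLISHED,DNAT"}) {
			return true
		}
	}
	return false
}
```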