From 122dcfb423495b946aaae6a76634ebc00b3d9fff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E7=A5=96=E5=BB=BA?=
Date: Fri, 21 Jul 2023 18:15:57 +0800
Subject: [PATCH] iptables: reject access to service ip after ipvs/DNAT processing
---
 dist/images/uninstall.sh | 2 ++
 pkg/daemon/gateway_linux.go | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/dist/images/uninstall.sh b/dist/images/uninstall.sh
index 86516b25405..99b6eb5ac00 100644
--- a/dist/images/uninstall.sh
+++ b/dist/images/uninstall.sh
@@ -16,6 +16,7 @@ iptables -t filter -D INPUT -m set --match-set ovn40subnets dst -j ACCEPT
 iptables -t filter -D INPUT -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D INPUT -m set --match-set ovn40services dst -j ACCEPT
 iptables -t filter -D INPUT -m set --match-set ovn40services src -j ACCEPT
+iptables -t filter -D INPUT -m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT
 iptables -t filter -D FORWARD -m set --match-set ovn40subnets dst -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40subnets src -j ACCEPT
 iptables -t filter -D FORWARD -m set --match-set ovn40services dst -j ACCEPT
@@ -52,6 +53,7 @@ ip6tables -t filter -D INPUT -m set --match-set ovn60subnets dst -j ACCEPT
 ip6tables -t filter -D INPUT -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D INPUT -m set --match-set ovn60services dst -j ACCEPT
 ip6tables -t filter -D INPUT -m set --match-set ovn60services src -j ACCEPT
+ip6tables -t filter -D INPUT -m set --match-set ovn60services dst -m conntrack --ctstate NEW -j REJECT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets dst -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60subnets src -j ACCEPT
 ip6tables -t filter -D FORWARD -m set --match-set ovn60services dst -j ACCEPT
diff --git a/pkg/daemon/gateway_linux.go b/pkg/daemon/gateway_linux.go
index 45dc72a4ba7..211cb465139 100644
--- a/pkg/daemon/gateway_linux.go
+++ b/pkg/daemon/gateway_linux.go
@@ -544,6 +544,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40subnets dst -j ACCEPT`)},
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40services src -j ACCEPT`)},
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40services dst -j ACCEPT`)},
+ {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn40services dst -m conntrack --ctstate NEW -j REJECT`)},
 // Forward Accept
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40subnets src -j ACCEPT`)},
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn40subnets dst -j ACCEPT`)},
@@ -581,6 +582,7 @@ func (c *Controller) setIptables() error {
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60subnets dst -j ACCEPT`)},
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60services src -j ACCEPT`)},
 {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60services dst -j ACCEPT`)},
+ {Table: "filter", Chain: "INPUT", Rule: strings.Fields(`-m set --match-set ovn60services dst -m conntrack --ctstate NEW -j REJECT`)},
 // Forward Accept
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60subnets src -j ACCEPT`)},
 {Table: "filter", Chain: "FORWARD", Rule: strings.Fields(`-m set --match-set ovn60subnets dst -j ACCEPT`)},
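Review bot: The new REJECT entry sits directly after the `ovn40services dst -j ACCEPT` entry in the same INPUT rule list, so whether it ever matches depends entirely on how setIptables applies the slice, which is outside this hunk: if the rules are appended in list order the ACCEPT matches every packet first and the REJECT is dead, whereas if each rule is inserted at the head of the chain the later entry lands above the earlier one and the REJECT takes precedence as presumably intended. Because that precedence is not visible from the list itself, the added line deserves a comment stating it, e.g. `// reject NEW connections to a service IP that still reach INPUT after ipvs/DNAT processing; only effective if this entry is evaluated before the ovn40services dst ACCEPT above`. Note that `--ctstate NEW` limits the rejection to new flows, so established traffic continues to hit the ACCEPT entries. The same ordering question applies to the ovn60services entry in the second hunk, and the enclosing setIptables function starts and ends outside both hunks.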