Merge pull request #37 from picatz/iptables-block-metadata-endpoint

Block access to the metadata endpoint with NOMAD-AMDIN
picatz · May 31, 2021 · f06f592 · f06f592
2 parents 3cfd6b6 + ea421dd
commit f06f592
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/templates/client.sh b/templates/client.sh
@@ -90,3 +90,15 @@ systemctl restart docker
 # Start and enable Nomad
 systemctl start nomad
 systemctl enable nomad
+
+# Block access to the metadata endpoint in four easy steps
+# https://github.com/picatz/terraform-google-nomad/issues/19
+#
+# 1. Create NOAMD-ADMIN chain
+sudo iptables --new NOMAD-ADMIN
+# 2. Add default rule (this is appended by Nomad by default to the end of the chain as well... maye not needed?)
+sudo iptables --append NOMAD-ADMIN --destination 172.26.64.0/20  --jump ACCEPT
+# 3. Allow access to metadata endpoint for DNS resolution (UDP only)
+sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --protocol udp --dport 53 --jump ACCEPT
+# 4. Block access to metadata endpoint
+sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP