From 0a25c7637f4f602dba24cf6d5be4dfe465b15c06 Mon Sep 17 00:00:00 2001
From: Kent 'picat' Gruber
Date: Mon, 31 May 2021 17:55:23 -0400
Subject: [PATCH 1/2] Block access to the metadata endpoint with NOMAD-AMDIN

Thanks to https://github.com/hashicorp/nomad/pull/10181
---
 templates/client.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/templates/client.sh b/templates/client.sh
index adabe3e..feb635d 100644
--- a/templates/client.sh
+++ b/templates/client.sh
@@ -90,3 +90,15 @@ systemctl restart docker
 # Start and enable Nomad
 systemctl start nomad
 systemctl enable nomad
+
+# Block access to the metadata endpoint in three easy steps
+# https://github.com/picatz/terraform-google-nomad/issues/19
+#
+# Note: this also blocks DNS resolution within Nomad allocations (no apt install in containers)
+#
+# 1. Create NOAMD-ADMIN chain
+sudo iptables --new NOMAD-ADMIN
+# 2. Add default rule
+sudo iptables --append NOMAD-ADMIN --destination 172.26.64.0/20 --jump ACCEPT
+# 3. Block access to metadata endpoint
+sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP

From ea421ddbae1af468c79eaab1b9949f95f55908b9 Mon Sep 17 00:00:00 2001
From: Kent 'picat' Gruber
Date: Mon, 31 May 2021 18:15:54 -0400
Subject: [PATCH 2/2] Ensure DNS resolution via UDP still works in allocations

---
 templates/client.sh | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/templates/client.sh b/templates/client.sh
index feb635d..15f74d1 100644
--- a/templates/client.sh
+++ b/templates/client.sh
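Review bot: The three `iptables` calls added after `systemctl enable nomad` are not idempotent, so a second run of this script (or a run after Nomad has already created the chain, which is possible because `systemctl start nomad` precedes them) fails on `--new` with "Chain already exists" and duplicates the two `--append` rules. Guard each step, e.g. `iptables --new NOMAD-ADMIN 2>/dev/null || true` and `iptables --check NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP 2>/dev/null || iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP`, and apply the same guard to the `--append` lines in the second patch's hunk. The `sudo` prefix is inconsistent with the surrounding `systemctl` lines that run without it; if the script already runs as root it should be dropped. The DROP only filters traffic that actually traverses NOMAD-ADMIN, which appears to be bridge-networked allocations, so a task using host networking would not be covered; that caveat belongs in the comment, along with fixing the "NOAMD-ADMIN" typo in step 1.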
@@ -91,14 +91,14 @@ systemctl restart docker
 systemctl start nomad
 systemctl enable nomad
 
-# Block access to the metadata endpoint in three easy steps
+# Block access to the metadata endpoint in four easy steps
 # https://github.com/picatz/terraform-google-nomad/issues/19
 #
-# Note: this also blocks DNS resolution within Nomad allocations (no apt install in containers)
-#
 # 1. Create NOAMD-ADMIN chain
 sudo iptables --new NOMAD-ADMIN
-# 2. Add default rule
+# 2. Add default rule (this is appended by Nomad by default to the end of the chain as well... maye not needed?)
 sudo iptables --append NOMAD-ADMIN --destination 172.26.64.0/20 --jump ACCEPT
-# 3. Block access to metadata endpoint
+# 3. Allow access to metadata endpoint for DNS resolution (UDP only)
+sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --protocol udp --dport 53 --jump ACCEPT
+# 4. Block access to metadata endpoint
 sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --jump DROP
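Review bot: Rule 3 accepts UDP/53 only, so any resolver exchange that falls back to TCP (a truncated response or a record too large for UDP) hits rule 4 and is dropped, which reproduces the symptom the first patch set out to fix; if TCP fallback is needed, add `sudo iptables --append NOMAD-ADMIN --destination 169.254.169.254/32 --protocol tcp --dport 53 --jump ACCEPT` before the DROP. Neither ACCEPT reopens the metadata HTTP API, which on GCE is served over TCP/80, so rule 4 still blocks it for traffic that traverses this chain. The ACCEPT/DROP outcome relies entirely on `--append` ordering within this script, so the comment on step 4 should state that the DROP must remain the last rule for 169.254.169.254/32. The open question left in the step 2 comment ("maye not needed?") should be resolved, or moved to the linked issue, rather than shipped in the script.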