fix: block wireserver port 80 traffic in multitenancy (#2395)

* Add vm and vnet ns block wireserver port 80 rule * Use existing variable for known ip * Move code to networkutils * Address feedback * Address iptables version feedback * Address protocol and format feedback * Add comments * Remove cidr in case ipv6 is used
2023-11-29 13:37:45 -08:00 · 2023-11-29 13:37:45 -08:00 · 2382637912
--- a/network/network_linux.go
+++ b/network/network_linux.go
@ -95,9 +95,14 @@ func (nm *networkManager) newNetworkImpl(nwInfo *NetworkInfo, extIf *externalInt
 		ifName = extIf.Name
 		nu := networkutils.NewNetworkUtils(nm.netlink, nm.plClient)
 		if err := nu.EnableIPV4Forwarding(); err != nil {
-			return nil, fmt.Errorf("Ipv4 forwarding failed: %w", err)
+			return nil, errors.Wrap(err, "ipv4 forwarding failed")
 		}
 		logger.Info("Ipv4 forwarding enabled")
+		// Blocks wireserver traffic from apipa nic
+		if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.TCP, iptables.HTTPPort); err != nil {
+			return nil, errors.Wrap(err, "unable to insert vm iptables rule drop wireserver packets")
+		}
+		logger.Info("Block wireserver traffic rule added")
 	default:
 		return nil, errNetworkModeInvalid
 	}
--- a/network/networkutils/networkutils_linux.go
+++ b/network/networkutils/networkutils_linux.go
@ -176,6 +176,12 @@ func AllowIPAddresses(bridgeName string, skipAddresses []string, action string)
 	return nil
 }

+func BlockEgressTrafficFromContainer(version, ipAddress, protocol string, port int) error {
+	// iptables -t filter -I FORWARD -j DROP -d <ip> -p <protocol> -m <protocol> --dport <port>
+	dropTraffic := fmt.Sprintf("-d %s -p %s -m %s --dport %d", ipAddress, protocol, protocol, port)
+	return errors.Wrap(iptables.InsertIptableRule(version, iptables.Filter, iptables.Forward, dropTraffic, iptables.Drop), "iptables block traffic failed")
+}
+
 func BlockIPAddresses(bridgeName, action string) error {
 	privateIPAddresses := getPrivateIPSpace()
 	chains := getFilterChains()
--- a/network/transparent_vlan_endpointclient_linux.go
+++ b/network/transparent_vlan_endpointclient_linux.go
@ -404,6 +404,11 @@ func (client *TransparentVlanEndpointClient) AddVnetRules(epInfo *EndpointInfo)
 	if err := iptables.InsertIptableRule(iptables.V4, "mangle", "PREROUTING", match, "ACCEPT"); err != nil {
 		return errors.Wrap(err, "unable to insert iptables rule accept all incoming from vlan interface")
 	}
+	// Blocks wireserver traffic from customer vnet nic
+	if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.TCP, iptables.HTTPPort); err != nil {
+		return errors.Wrap(err, "unable to insert iptables rule to drop wireserver packets")
+	}
+
 	// Packets that are marked should go to the tunneling table
 	newRule := vishnetlink.NewRule()
 	newRule.Mark = tunnelingMark