Add vm and vnet ns block wireserver port 80 rule

Author: QxBytes

network/network_linux.go

@@ -98,6 +98,12 @@ func (nm *networkManager) newNetworkImpl(nwInfo *NetworkInfo, extIf *externalInt
 			return nil, fmt.Errorf("Ipv4 forwarding failed: %w", err)
 		}
 		logger.Info("Ipv4 forwarding enabled")
+		// iptables -t filter -I FORWARD -j DROP -d 168.63.129.16/32 -p tcp -m tcp --dport 80
+		dropWireserver := "-d 168.63.129.16/32 -p tcp -m tcp --dport 80"
+		if err := iptables.InsertIptableRule(iptables.V4, "filter", "FORWARD", dropWireserver, "DROP"); err != nil {
+			return nil, fmt.Errorf("unable to insert vm iptables rule drop all wireserver port 80 packets: %w", err)
+		}
+		logger.Info("Block wireserver traffic rule added")
 	default:
 		return nil, errNetworkModeInvalid
 	}

network/transparent_vlan_endpointclient_linux.go

@@ -404,6 +404,12 @@ func (client *TransparentVlanEndpointClient) AddVnetRules(epInfo *EndpointInfo)
 	if err := iptables.InsertIptableRule(iptables.V4, "mangle", "PREROUTING", match, "ACCEPT"); err != nil {
 		return errors.Wrap(err, "unable to insert iptables rule accept all incoming from vlan interface")
 	}
+	// iptables -t filter -I FORWARD -j DROP -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -m comment --comment "block traffic to 168.63.129.16 port 80"
+	dropWireserver := "-d 168.63.129.16/32 -p tcp -m tcp --dport 80"
+	if err := iptables.InsertIptableRule(iptables.V4, "filter", "FORWARD", dropWireserver, "DROP"); err != nil {
+		return errors.Wrap(err, "unable to insert iptables rule drop all wireserver port 80 packets")
+	}
+
 	// Packets that are marked should go to the tunneling table
 	newRule := vishnetlink.NewRule()
 	newRule.Mark = tunnelingMark