
Perform direct iptables calls so that we can use --wait

smarterclayton committed Feb 7, 2017
1 parent 44a1c87 commit 9eb10e284f3ce06d8fe6d695d765e626808b0b05
Showing with 46 additions and 41 deletions.
  1. +1 −1 inventory/gce/hosts/gce.py
  2. +45 −40 playbooks/roles/restrict-gce-metadata/tasks/main.yaml
@@ -317,13 +317,13 @@ def group_instances(self, zones=None):
while True:
try:
nodes = self.driver.list_nodes()
break
except libcloud.common.google.ResourceNotFoundError:
tries = tries + 1
if tries > 15:
raise e
time.sleep(1)
continue
break

for node in nodes:
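Review bot: `raise e` on the give-up path of the retry loop references a name that is never bound, because the except clause reads `except libcloud.common.google.ResourceNotFoundError:` with no `as e`; once `tries` exceeds 15 the caller gets a NameError instead of the ResourceNotFoundError. Either bind the exception, `except libcloud.common.google.ResourceNotFoundError as e:`, or re-raise the active exception with a bare `raise`. The hunk also relies on `tries` being initialised before the loop, which is outside the visible lines, and `group_instances` itself starts before the hunk. Which of the two `break` lines is the one-line change cannot be told from the rendered page, but the unbound name is present either way.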

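--- a/playbooks/roles/restrict-gce-metadata/tasks/main.yaml
+++ b/playbooks/roles/restrict-gce-metadata/tasks/main.yaml
@@ -1,50 +1,55 @@
 ---
 - name: block access to the GCE metadata server
-iptables:
-state: present
-action: insert
-chain: OUTPUT
-destination: 169.254.169.254
-reject_with: icmp-host-prohibited
-comment: Prevent all users from reaching GCE API server
+command: iptables --wait -4 --insert OUTPUT -d 169.254.169.254 -m comment --comment "Prevent all users from reaching GCE API server" -j REJECT --reject-with icmp-host-prohibited
+#iptables:
+# state: present
+# action: insert
+# chain: OUTPUT
+# destination: 169.254.169.254
+# reject_with: icmp-host-prohibited
+# comment: Prevent all users from reaching GCE API server
 
 - name: enable root user access to the GCE metadata server
-iptables:
-state: present
-action: insert
-chain: OUTPUT
-destination: 169.254.169.254
-uid_owner: 0
-jump: ACCEPT
-comment: Enable root user to reach GCE API server
+command: iptables --wait -4 --insert OUTPUT -d 169.254.169.254 -j ACCEPT -m comment --comment "Enable root user to reach GCE API server" -m owner --uid-owner 0
+#iptables:
+# state: present
+# action: insert
+# chain: OUTPUT
+# destination: 169.254.169.254
+# uid_owner: 0
+# jump: ACCEPT
+# comment: Enable root user to reach GCE API server
 
 - name: enable udp access to the GCE DNS
-iptables:
-state: present
-action: insert
-chain: OUTPUT
-protocol: udp
-destination: 169.254.169.254
-destination_port: 53
-jump: ACCEPT
-comment: Enable udp access to the GCE DNS
+command: iptables --wait -4 --insert OUTPUT -p udp -d 169.254.169.254 -j ACCEPT --destination-port 53 -m comment --comment "Enable udp access to the GCE DNS"
+#iptables:
+# state: present
+# action: insert
+# chain: OUTPUT
+# protocol: udp
+# destination: 169.254.169.254
+# destination_port: 53
+# jump: ACCEPT
+# comment: Enable udp access to the GCE DNS
 
 - name: enable tcp access to the GCE DNS
-iptables:
-state: present
-action: insert
-chain: OUTPUT
-protocol: tcp
-destination: 169.254.169.254
-destination_port: 53
-jump: ACCEPT
-comment: Enable tcp access to the GCE DNS
+command: iptables --wait -4 --insert OUTPUT -p tcp -d 169.254.169.254 -j ACCEPT --destination-port 53 -m comment --comment "Enable tcp access to the GCE DNS"
+#iptables:
+# state: present
+# action: insert
+# chain: OUTPUT
+# protocol: tcp
+# destination: 169.254.169.254
+# destination_port: 53
+# jump: ACCEPT
+# comment: Enable tcp access to the GCE DNS
 
 - name: block containers from access to the GCE metadata server
-iptables:
-state: present
-action: insert
-chain: FORWARD
-destination: 169.254.169.254
-reject_with: icmp-host-prohibited
-comment: Prevent containers from reaching GCE API server
+command: iptables --wait -4 --insert FORWARD -d 169.254.169.254 -m comment --comment "Prevent containers from reaching GCE API server" -j REJECT --reject-with icmp-host-prohibited
+#iptables:
+# state: present
+# action: insert
+# chain: FORWARD
+# destination: 169.254.169.254
+# reject_with: icmp-host-prohibited
+# comment: Prevent containers from reaching GCE API server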
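Review bot: Replacing the `iptables` module (which used `state: present`) with a bare `command: iptables --wait -4 --insert ...` in all five tasks drops idempotency: every playbook run prepends another copy of each rule to OUTPUT and FORWARD, and Ansible will always report the tasks as changed. The usual fix is to probe with `iptables --wait -4 --check <same rule>` first, register the result with `failed_when: false` and `changed_when: false`, and only run the insert `when:` the check returns non-zero, as sketched below for the first task. The commented-out `#iptables:` blocks kept under each task have no effect at runtime; if they are meant as a reminder of the module form to return to, a single comment at the top of the file saying why the direct calls are used would be clearer than five dead copies.
```yaml
- name: check whether the GCE metadata block rule is present
  command: iptables --wait -4 --check OUTPUT -d 169.254.169.254 -m comment --comment "Prevent all users from reaching GCE API server" -j REJECT --reject-with icmp-host-prohibited
  register: metadata_block_rule
  failed_when: false
  changed_when: false

- name: block access to the GCE metadata server
  command: iptables --wait -4 --insert OUTPUT -d 169.254.169.254 -m comment --comment "Prevent all users from reaching GCE API server" -j REJECT --reject-with icmp-host-prohibited
  when: metadata_block_rule.rc != 0

# … unchanged: the remaining four tasks, each given the same check-then-insert pair …
```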
