authorIanB <IanB@amdocs.com>2018-10-29 15:05:30 +0000
committerIanB <IanB@amdocs.com>2018-10-29 15:31:48 +0000
commit125257739ceda7d01be1d6fa4b56bf4764c9ef9f (patch)
treeb96cc68ffba4c6c72adbffea0d868e1cbbe6a339 /sidecar/tproxy-config
parent16b2d4d78ac172b01e5e68d088390136b572d09e (diff)
Route Incoming TCP Traffic Via the Reverse Proxy
By default any container is accessible from any pod inside a Kubernetes cluster. It is therefore possible to send requests directly to the primary microservice even if sidecar security is enabled. An additional netfilter rule redirects any incoming TCP request to the Reverse Proxy. The Reverse Proxy service listens on the hard-coded port (10692). Issue-ID: AAF-591 Change-Id: I9afccadb08add4312cef770221702942d811cbdd Signed-off-by: IanB <IanB@amdocs.com>
Diffstat (limited to 'sidecar/tproxy-config')
1 files changed, 2 insertions, 0 deletions
diff --git a/sidecar/tproxy-config/src/main/bin/start.sh b/sidecar/tproxy-config/src/main/bin/start.sh
index 758a910..054be93 100644
--- a/sidecar/tproxy-config/src/main/bin/start.sh
+++ b/sidecar/tproxy-config/src/main/bin/start.sh
@@ -22,6 +22,8 @@
set -x
set -eo pipefail
+iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 10692
iptables -t nat -A OUTPUT -p tcp -j ACCEPT -s --dport 61647
iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9042
iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9160