From 125257739ceda7d01be1d6fa4b56bf4764c9ef9f Mon Sep 17 00:00:00 2001
From: IanB
Date: Mon, 29 Oct 2018 15:05:30 +0000
Subject: Route Incoming TCP Traffic Via the Reverse Proxy

By default any container is accessible from any pod inside a Kubernetes cluster. It is therefore possible to send requests directly to the primary microservice even if sidecar security is enabled. An additional netfilter rule will redirect any incoming TCP requests to the Reverse Proxy. The Reverse Proxy service listens on the hard coded port (10692)

Issue-ID: AAF-591
Change-Id: I9afccadb08add4312cef770221702942d811cbdd
Signed-off-by: IanB
---
 sidecar/tproxy-config/src/main/bin/start.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sidecar/tproxy-config/src/main/bin/start.sh b/sidecar/tproxy-config/src/main/bin/start.sh
index 758a910..054be93 100644
--- a/sidecar/tproxy-config/src/main/bin/start.sh
+++ b/sidecar/tproxy-config/src/main/bin/start.sh
@@ -22,6 +22,8 @@ set -x
 set -eo pipefail
+iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 10692
+
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT -s 127.0.0.1 --dport 61647
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9042
 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9160
-- 
cgit 1.2.3-korg
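Review bot: The added PREROUTING rule carries no in-script explanation of why every inbound TCP connection is diverted, and the port 10692 that the commit message itself calls hard coded is a bare literal, so a reader of start.sh alone cannot tell what listens there or that the rule exists to stop other pods from bypassing the sidecar. Suggest a why-comment and a named constant above the rule, e.g. `# Divert all inbound TCP to the reverse proxy so the primary service cannot be reached directly from other pods (AAF-591)`, `readonly tproxy_port=10692` and `iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port "${tproxy_port}"`. Because the rule has no --dport or interface match, anything else that connects to the pod from outside — presumably kubelet liveness/readiness probes as well — now lands on the reverse proxy; that is worth confirming and recording in the same comment. The rest of the script, before `set -x` and after the 9160 rule, is outside the hunk.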