Merge pull request #29 from scraperwiki/redirection-fix
Prevent redirection of non-local packets
pwaller committed Dec 12, 2014
2 parents 56c0a21 + 1e22208 commit 3e36515
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions iptables.go
Expand Up @@ -35,17 +35,22 @@ func iptables(action Action, chain string, source, target int, ipAddress string)
cmd = exec.Command(
"iptables", "--insert", chain, "1",
"--table", "nat",
"--protocol", "tcp", "--match", "tcp",
"!", "--destination", ipAddress,
"--protocol", "tcp",
// Prevent redirection of packets already going to the container
"--match", "tcp", "!", "--destination", ipAddress,
// Prevent redirection of ports on remote servers
// (i.e, don't make google:80 hit our container)
"--match", "addrtype", "--dst-type", "LOCAL",
"--dport", fmt.Sprint(source),
"--jump", "REDIRECT",
"--to-ports", fmt.Sprint(target))
case DELETE:
cmd = exec.Command(
"iptables", "--delete", chain,
"--table", "nat",
"--protocol", "tcp", "--match", "tcp",
"!", "--destination", ipAddress,
"--protocol", "tcp",
"--match", "tcp", "!", "--destination", ipAddress,
"--match", "addrtype", "--dst-type", "LOCAL",
"--dport", fmt.Sprint(source),
"--jump", "REDIRECT",
"--to-ports", fmt.Sprint(target))
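Review bot: The full matcher argument list is now duplicated, once in the insert arm and again in the `case DELETE:` arm, and `iptables --delete` only removes a rule whose arguments match the inserted one exactly, so a future edit that touches one arm and not the other would leave the REDIRECT rule live in the nat table after the caller believes it has been removed. Building the shared part once and prepending only the action-specific `--insert chain 1` / `--delete chain` prefix removes that drift and keeps the two comments explaining the `! --destination` and `addrtype --dst-type LOCAL` matches in a single place. The enclosing `iptables` function and its switch start above the hunk and continue below it; the first case label is not visible, so the arm names below are inferred from the `action Action` parameter and should be checked against the original.
```go
// Arguments shared by insert and delete. "iptables --delete" only removes a
// rule whose every argument matches, so both actions must build it identically.
ruleArgs := []string{
	"--table", "nat",
	"--protocol", "tcp",
	// Prevent redirection of packets already going to the container
	"--match", "tcp", "!", "--destination", ipAddress,
	// Prevent redirection of ports on remote servers
	// (i.e, don't make google:80 hit our container)
	"--match", "addrtype", "--dst-type", "LOCAL",
	"--dport", fmt.Sprint(source),
	"--jump", "REDIRECT",
	"--to-ports", fmt.Sprint(target),
}
// … unchanged: switch on action; first case label is above the hunk …
	cmd = exec.Command("iptables", append([]string{"--insert", chain, "1"}, ruleArgs...)...)
case DELETE:
	cmd = exec.Command("iptables", append([]string{"--delete", chain}, ruleArgs...)...)
```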
