threefoldtech · Omarabdul3ziz · Jan 8, 2025 · Jan 15, 2025 · Jan 15, 2025 · delandtj
@@ -558,6 +558,10 @@ func applyFirewall() error {
 		return errors.Wrap(err, "failed to apply nft rule set")
 	}
 
+	if err := nft.DropTrafficToLAN(dmzNamespace); err != nil {
+		return errors.Wrap(err, "failed to drop traffic to lan")
+	}
+
 	return nil
 }
 

@@ -1,10 +1,13 @@
 package nft
 
 import (
+	"bytes"
+	"fmt"
 	"io"
 	"os/exec"
 
 	"github.com/rs/zerolog/log"
+	"github.com/vishvananda/netlink"
 
 	"github.com/pkg/errors"
 )
@@ -32,3 +35,93 @@ func Apply(r io.Reader, ns string) error {
 	}
 	return nil
 }
+
+// DropTrafficToLAN drops all the outgoing traffic to any peers on
+// the same lan network, but allow dicovery port for ygg/myc by accepting
+// traffic to/from dest/src ports.
+// @th,0,16 and @th,16,16 is raw expression for sport/dport in transport header
+// used due to limitation on the installed nft v0.9.1
+func DropTrafficToLAN(namesapce string) error {
+	dgw, err := getDefaultGW()
+	if err != nil {
+		return fmt.Errorf("failed to find default gateway: %w", err)
+	}
+
+	if !dgw.IP.IsPrivate() {
+		log.Warn().Msg("skip LAN security. default gateway is public")
+		return nil
+	}
+
+	ipAddr := dgw.IP.String()
+	netAddr := getNetworkRange(dgw)
+	macAddr := dgw.HardwareAddr.String()
+	log.Debug().
+		Str("ipAddr", ipAddr).
+		Str("netAddr", netAddr).
+		Str("macAddr", macAddr).
+		Msg("drop traffic to lan with the default gateway")
+
+	var buf bytes.Buffer
+	buf.WriteString("table inet filter {\n")
+	buf.WriteString("  chain forward {\n")
+	// allow traffic on sport ygg/myc discovery ports
+	buf.WriteString("    meta l4proto { tcp, udp } @th,0,16 { 9651, 9650 } accept;\n")
+	// allow traffic on dport ygg/myc discovery ports
+	buf.WriteString("    meta l4proto { tcp, udp } @th,16,16 { 9651, 9650 } accept;\n")
+	// allow traffic to the default gateway
+	buf.WriteString(fmt.Sprintf("    ip daddr %s accept;\n", ipAddr))
+	// allow traffic to any ip not in the network range
+	buf.WriteString(fmt.Sprintf("    ip daddr != %s accept;\n", netAddr))
+	// only drop traffic if it destined to mac addr other than the default gateway
+	buf.WriteString(fmt.Sprintf("    ether daddr != %s drop;\n", macAddr))
+	buf.WriteString("  }\n")
+	buf.WriteString("}\n")
+
+	// applied on the ndmz namespace
+	return Apply(&buf, namesapce)
+}
+
+func getDefaultGW() (netlink.Neigh, error) {
+	routes, err := netlink.RouteList(nil, netlink.FAMILY_V4)
+	if err != nil {
+		return netlink.Neigh{}, fmt.Errorf("failed to list routes: %v", err)
+	}
+
+	var defaultRoute *netlink.Route
+	for _, route := range routes {
+		if route.Dst == nil {
+			defaultRoute = &route
+			break
+		}
+	}
+
+	if defaultRoute == nil {
+		return netlink.Neigh{}, fmt.Errorf("default route not found")
+	}
+
+	if defaultRoute.Gw == nil {
+		return netlink.Neigh{}, fmt.Errorf("default route has no gateway")
+	}
+
+	neighs, err := netlink.NeighList(0, netlink.FAMILY_V4)
+	if err != nil {
+		return netlink.Neigh{}, fmt.Errorf("failed to list neighbors: %v", err)
+	}
+
+	for _, neigh := range neighs {
+		if neigh.IP.Equal(defaultRoute.Gw) {
+			return neigh, nil
+		}
+	}
+
+	return netlink.Neigh{}, errors.New("failed to get default gw")
+}
+
+func getNetworkRange(ip netlink.Neigh) string {
+	mask := ip.IP.DefaultMask()
+	network := ip.IP.Mask(mask)
+	ones, _ := mask.Size()
+	networkRange := fmt.Sprintf("%s/%d", network.String(), ones)
+
+	return networkRange
+}