diff --git a/client/firewall/iptables/manager_linux.go b/client/firewall/iptables/manager_linux.go
index b3a66f02b..3c0e49725 100644
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -27,6 +27,9 @@ var pingSupportDefaultRule = []string{
 "-p", "icmp", "--icmp-type", "echo-request", "-j", "ACCEPT",
 "-m", "comment", "--comment", "Allow pings from the Netbird Devices"}
+// dropAllDefaultRule in the Netbird chain
+var dropAllDefaultRule = []string{"-j", "DROP"}
+
 // Manager of iptables firewall
 type Manager struct {
 mutex sync.Mutex
@@ -184,7 +187,9 @@ func (m *Manager) filterRuleSpecs(
 case fw.DirectionDst:
 specs = append(specs, "-d", ip.String())
 }
- specs = append(specs, "-p", protocol)
+ if protocol != "" {
+ specs = append(specs, "-p", protocol)
+ }
 if port != "" {
 specs = append(specs, "--dport", port)
 }
@@ -224,6 +229,10 @@ func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
 return nil, fmt.Errorf("failed to create default ping allow rule: %w", err)
 }
+ if err := client.AppendUnique("filter", ChainFilterName, dropAllDefaultRule...); err != nil {
+ return nil, fmt.Errorf("failed to create default drop all in netbird chain: %w", err)
+ }
+
 specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
 if err := client.AppendUnique("filter", "INPUT", specs...); err != nil {
 return nil, fmt.Errorf("failed to create chain: %w", err)
diff --git a/client/internal/engine.go b/client/internal/engine.go
index 29176b88e..9b3ce291a 100644
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -1098,9 +1098,6 @@ func (e *Engine) protoRuleToFirewallRule(r *mgmProto.FirewallRule) firewall.Rule
 protocol = firewall.ProtocolUDP
 case "icmp":
 protocol = firewall.ProtocolICMP
- default:
- log.Errorf("invalid protocol, skipping firewall rule: %q", r.Protocol)
- return nil
 }
 var direction firewall.Direction
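Review bot: The doc comment `// dropAllDefaultRule in the Netbird chain` is a sentence fragment and says neither what the rule does nor where it has to sit. Something like `// dropAllDefaultRule is the terminal rule of the Netbird chain: traffic that no earlier ACCEPT rule matched is dropped, so it must stay the last rule.` states both. Recording the ordering requirement here matters because the rule is only correct as the final entry, and anyone appending rules to the chain later needs to see that constraint next to the definition.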
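Review bot: The new `if protocol != ""` guard leaves the `--dport` append below it unconditional, so a rule with an empty protocol and a non-empty port yields a spec containing `--dport` with no preceding `-p`, which iptables rejects because the port match only exists once a tcp or udp protocol match is loaded. Since the management side now passes empty protocols through (policy.go hunk in this diff), this combination is reachable rather than theoretical. Prefer surfacing an error for it over silently skipping the port, as dropping the port would widen the rule to every port; the minimal shape is a check such as `if port != "" && protocol == "" { /* reject: port match requires a protocol */ }` placed before the append. filterRuleSpecs starts and ends outside the hunk, so I cannot see whether an error return is already available on this path.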
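Review bot: `AppendUnique` puts the DROP at the end of the chain at the moment client() runs, but nothing here constrains rules added afterwards: a per-peer ACCEPT rule that is appended rather than inserted lands behind this terminal DROP and never matches, and after a restart where the chain already holds the DROP every subsequently appended rule is dead. The rule-adding path is not in this diff, so confirm that it inserts at position 1 (or re-appends the DROP after each update), and a test asserting that the DROP is the chain's last rule after a rule add would pin that down. Separately, unless a rule above this one accepts `-m conntrack --ctstate RELATED,ESTABLISHED` traffic (none is visible in the chain setup shown), replies to connections this peer initiates towards a peer not covered by an inbound ACCEPT rule are now dropped as well. If that is intended, the comment on dropAllDefaultRule should say so; if not, such an accept rule belongs before the DROP.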
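Review bot: Removing the `default` branch makes the switch fall through silently for any protocol string it does not recognise, so a typo or a value the management side adds before the client learns it leaves `protocol` at whatever it held before the switch instead of skipping the rule, and with the manager_linux.go change an empty protocol means no `-p` match, i.e. a rule that applies to every protocol. An unrecognised value thus goes from a logged, skipped rule to a rule broader than the policy author wrote. If the intent is to let an empty protocol mean "all", handle that case explicitly and keep the error path: `case "": // no protocol restriction` above a retained `default:` that still logs and returns nil. protoRuleToFirewallRule starts before and ends after the hunk.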
diff --git a/management/server/policy.go b/management/server/policy.go
index 642fd973a..4c0656bc9 100644
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -228,13 +228,6 @@ func (f *FirewallRule) parseFromRegoResult(value interface{}) error {
 f.Direction = direction
 f.Action = action
- // TODO: remove this after migration from rules
- //
- // by default if protocol not present use TCP
- if f.Protocol == "" {
- f.Protocol = "tcp"
- }
-
 return nil
 }
diff --git a/management/server/policy_test.go b/management/server/policy_test.go
index 1d8534d87..73663a8fd 100644
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
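Review bot: Dropping the empty-protocol to "tcp" fallback changes the meaning of every persisted rule written without a protocol: the removed comment records that such rules were treated as TCP, and after this commit the empty value reaches the client, where the manager_linux.go hunk emits no `-p` match, so those rules now accept all protocols. That is a silent widening of existing policies rather than a cleanup; the TODO said to remove the fallback after the migration from rules, and nothing in the diff shows that migration rewriting stored rules to carry an explicit protocol. Either add a migration that sets `Protocol` explicitly on existing rules, or document on FirewallRule that an empty Protocol means all protocols, so the new semantics are a deliberate API decision. parseFromRegoResult begins outside the hunk.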
@@ -53,12 +53,12 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 assert.Contains(t, peers, account.Peers["peer3"])
 epectedFirewallRules := []*FirewallRule{
- {PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
- {PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
- {PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "dst", Action: "accept", Protocol: "tcp", Port: ""},
- {PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
- {PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
- {PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "src", Action: "accept", Protocol: "tcp", Port: ""},
+ {PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "dst", Action: "accept", Port: ""},
+ {PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "dst", Action: "accept", Port: ""},
+ {PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "dst", Action: "accept", Port: ""},
+ {PeerID: "peer1", PeerIP: "10.20.0.1", Direction: "src", Action: "accept", Port: ""},
+ {PeerID: "peer2", PeerIP: "10.20.0.2", Direction: "src", Action: "accept", Port: ""},
+ {PeerID: "peer3", PeerIP: "10.20.0.3", Direction: "src", Action: "accept", Port: ""},
 }
 assert.Len(t, firewallRules, len(epectedFirewallRules))
 for i := range firewallRules {