provisioner: allow tftp access from admin network only (bsc#1019111)

The tftp server is for hosts on the admin network only. But it can be accessed from outside if the admin network is routable. This patch adds an iptables rule to prevent access from outside the admin network.
djoreilly · Jun 9, 2020 · a699d6c · a699d6c
1 parent e7548b2
commit a699d6c
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 1 deletion.
diff --git a/chef/cookbooks/provisioner/recipes/setup_base_images.rb b/chef/cookbooks/provisioner/recipes/setup_base_images.rb
@@ -299,7 +299,8 @@
       owner "root"
       group "root"
       mode "0644"
-      variables(tftproot: tftproot, admin_ip: admin_ip)
+      variables(tftproot: tftproot, admin_ip: admin_ip,
+                admin_subnet: admin_net.subnet, admin_netmask: admin_net.netmask)
     end
 
     service "tftp.service" do

diff --git a/chef/cookbooks/provisioner/templates/default/tftp.service.erb b/chef/cookbooks/provisioner/templates/default/tftp.service.erb
@@ -3,5 +3,7 @@ Description=Tftp Server
 
 [Service]
 Type=simple
+ExecStartPre=/usr/sbin/iptables -A INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP
 ExecStart=/usr/sbin/in.tftpd -u tftp -s <%= @tftproot %> -m /etc/tftpd.conf -L -a <%= @admin_ip %> -B 1024 -v
+ExecStopPost=/usr/sbin/iptables -D INPUT -d <%= @admin_ip %> ! -s <%= @admin_subnet %>/<%= @admin_netmask %> -p udp -m udp --dport 69 -j DROP
 Restart=on-failure