From: IanB
Date: Mon, 29 Oct 2018 15:05:30 +0000 (+0000)
Subject: Route Incoming TCP Traffic Via the Reverse Proxy
X-Git-Tag: 2.1.8~14
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F02%2F71402%2F1;p=aaf%2Fcadi.git

Route Incoming TCP Traffic Via the Reverse Proxy

By default any container is accessible from any pod inside a Kubernetes cluster. It is therefore possible to send requests directly to the primary microservice even if sidecar security is enabled. An additional netfilter rule will redirect any incoming TCP requests to the Reverse Proxy. The Reverse Proxy service listens on the hard-coded port (10692).

Issue-ID: AAF-591
Change-Id: I9afccadb08add4312cef770221702942d811cbdd
Signed-off-by: IanB
---
diff --git a/sidecar/tproxy-config/src/main/bin/start.sh b/sidecar/tproxy-config/src/main/bin/start.sh index 758a910..054be93 100644 --- a/sidecar/tproxy-config/src/main/bin/start.sh +++ b/sidecar/tproxy-config/src/main/bin/start.sh @@ -22,6 +22,8 @@ set -x set -eo pipefail +iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 10692 + iptables -t nat -A OUTPUT -p tcp -j ACCEPT -s 127.0.0.1 --dport 61647 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9042 iptables -t nat -A OUTPUT -p tcp -j ACCEPT --dport 9160
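Review bot: the new PREROUTING rule matches every inbound TCP connection on every destination port, not only the primary microservice's port, so kubelet liveness/readiness probes and any other TCP listener in the pod will also be funneled to the reverse proxy on 10692; narrow it with a `--dport` match for the application port(s) the proxy is meant to front, or at minimum exclude the proxy port itself, e.g. `iptables -t nat -A PREROUTING -p tcp ! --dport 10692 -j REDIRECT --to-port 10692`. The broad match does not create a redirect loop for the proxy's own upstream calls, because locally generated traffic (the `-s 127.0.0.1 --dport 61647` case handled in the existing OUTPUT rules) never traverses PREROUTING, but that only holds if the proxy reaches the application over loopback rather than the pod IP. Since the commit message itself describes 10692 as hard coded, it would also help to carry the port in a variable alongside the other port numbers in this script and tag the rule with `-m comment --comment` so its intent survives in `iptables -t nat -L` output during incident triage.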