From 2f7874bd4bc1341256b73fcac885356ee6938657 Mon Sep 17 00:00:00 2001
From: Jonathan Sun
Date: Fri, 12 Jun 2020 10:59:32 -0700
Subject: [PATCH] Install firewall logging rules to log metadata server access for unauthorized components.
---
 cluster/gce/gci/configure-helper.sh | 36 ++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index fd01f4881a0..0d41abf263f 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -25,6 +25,9 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+### Hardcoded constants
+METADATA_SERVER_IP="${METADATA_SERVER_IP:-169.254.169.254}"
+
 function convert-manifest-params {
   # A helper function to convert the manifest args from a string to a list of
   # flag arguments.
@@ -96,6 +99,28 @@ function secure_random {
   echo -n "${out}" | xxd -r -p | base64 -w 0
 }
 
+# Helper for configuring iptables rules for metadata server.
+#
+# $1 is the command flag (-I or -D).
+# $2 is the firewall action (LOG or REJECT).
+# $3 is the prefix for log output.
+# $4 is "!" to optionally invert the uid range.
+function gce-metadata-fw-helper {
+  local -r command="$1"
+  local action="$2"
+  local -r prefix="$3"
+  local -r invert="${4:-}"
+
+  # Expand rule action to include relevant option flags.
+  case "${action}" in
+    LOG)
+      action="LOG --log-prefix "${prefix}:" --log-uid --log-tcp-options --log-ip-option"
+      ;;
+  esac
+
+  iptables ${command} OUTPUT -p tcp --dport 80 -d ${METADATA_SERVER_IP} -m owner ${invert:-} --uid-owner=${METADATA_SERVER_ALLOWED_UID_RANGE:-0-2999} -j ${action}
+}
+
 function config-ip-firewall {
   echo "Configuring IP firewall rules"
 
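Review bot: The LOG branch of `gce-metadata-fw-helper` nests double quotes inside a double-quoted string, `action="LOG --log-prefix "${prefix}:" ..."`, so the inner quotes close and reopen the string and `${prefix}:` is expanded unquoted (ShellCheck SC2027); it only works because both callers pass prefixes without whitespace or glob characters, and the intended form is `action="LOG --log-prefix ${prefix}: --log-uid --log-tcp-options --log-ip-option"`. The `iptables ${command} OUTPUT ...` line omits the `-w` flag that the file's other rules pass (see the nat PREROUTING rule in the last hunk), so under `set -o errexit` a transient xtables lock held by another process aborts node configuration instead of waiting; `iptables -w ${command} OUTPUT ...`. The header comment should also record that iptables limits `--log-prefix` to 29 characters and that both prefixes used by the caller, with the trailing colon, sit exactly at that limit, so a longer prefix fails at rule insertion. The comment lists REJECT as a supported action while the `case` expands only LOG; that is fine since REJECT needs no extra options, but a line such as `# Other actions (e.g. REJECT) are passed to -j unchanged.` keeps a reader from assuming the case is incomplete.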
@@ -146,8 +171,17 @@ function config-ip-firewall {
   # node because we don't expect the daemonset to run on this node.
   if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]] && [[ ! "${METADATA_CONCEALMENT_NO_FIREWALL:-}" == "true" ]]; then
     echo "Add rule for metadata concealment"
-    iptables -w -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
+    iptables -w -t nat -I PREROUTING -p tcp -d ${METADATA_SERVER_IP} --dport 80 -m comment --comment "metadata-concealment: bridge traffic to metadata server goes to metadata proxy" -j DNAT --to-destination 127.0.0.1:988
   fi
+
+  # Log all metadata access not from approved processes.
+  case "${METADATA_SERVER_FIREWALL_MODE:-off}" in
+    log)
+      echo "Installing metadata firewall logging rules"
+      gce-metadata-fw-helper -I LOG "MetadataServerFirewallReject" !
+      gce-metadata-fw-helper -I LOG "MetadataServerFirewallAccept"
+      ;;
+  esac
 }
 
 function create-dirs {
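Review bot: Both rules installed by the new `log)` arm only LOG — the helper is invoked with action LOG twice and nothing is rejected — so the `MetadataServerFirewallReject` prefix names the UIDs outside the allowed range rather than an enforcement outcome; a comment above the `case`, such as `# Both rules only log: "Reject" marks UIDs outside METADATA_SERVER_ALLOWED_UID_RANGE, "Accept" the rest. Nothing is blocked in this mode.`, keeps whoever triages the kernel log from reading the prefix as a drop. The rules are placed in the filter OUTPUT chain with an owner match, so they presumably see only traffic generated by processes on the node itself; traffic bridged from pods (which the DNAT rule above redirects when concealment is enabled) would traverse FORWARD and not be logged — worth confirming and stating in that comment. The enclosing function `config-ip-firewall` starts outside the hunk.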