From 70faecb5489e6fae82c9af22a493eabd1c2ab441 Mon Sep 17 00:00:00 2001
From: Julian Calaby
Date: Tue, 26 Jul 2022 11:49:12 +1000
Subject: [PATCH 1/2] Disable source/destination checks
---
 main.tf | 4 +++-
 runonce.sh | 17 +++++++++++++++--
 2 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 9b00d8a..0a8eadd 100644
--- a/main.tf
+++ b/main.tf
@@ -194,7 +194,9 @@ resource "aws_iam_role_policy" "eni" {
 {
 "Effect": "Allow",
 "Action": [
- "ec2:AttachNetworkInterface"
+ "ec2:AttachNetworkInterface",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:DescribeInstances"
 ],
 "Resource": "*"
 }
diff --git a/runonce.sh b/runonce.sh
index 3a0e01c..2803d9c 100644
--- a/runonce.sh
+++ b/runonce.sh
@@ -1,12 +1,25 @@
 #!/bin/bash -x
+sudo yum install -y jq
+
+INSTANCE_ID="$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)"
+REGION="$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')"
+
 
 # attach the ENI
 aws ec2 attach-network-interface \
- --region "$(/opt/aws/bin/ec2-metadata -z | sed 's/placement: \(.*\).$/\1/')" \
- --instance-id "$(/opt/aws/bin/ec2-metadata -i | cut -d' ' -f2)" \
+ --region "$REGION" \
+ --instance-id "$INSTANCE_ID" \
 --device-index 1 \
 --network-interface-id "${eni_id}"
+# Disable source/destination checks
+for i in $(aws ec2 describe-instances --region "$REGION" --filter '[{"Name": "instance-id", "Values": ["'$INSTANCE_ID'"]}]' | jq -r .Reservations[0].Instances[0].NetworkInterfaces[].NetworkInterfaceId); do
+ aws ec2 modify-network-interface-attribute \
+ --region "$REGION" \
+ --network-interface-id "$i" \
+ --no-source-dest-check
+done
+
 
 # start SNAT
 systemctl enable snat
 systemctl start snat
From 38b7da23fc5dc946885a8e93005f126063d9b4c6 Mon Sep 17 00:00:00 2001
From: Julian Calaby
Date: Tue, 26 Jul 2022 11:51:23 +1000
Subject: [PATCH 2/2] Disable reverse path protection on all interfaces
---
 snat.sh | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
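Review bot: `ec2:ModifyNetworkInterfaceAttribute` is added to a statement whose `"Resource": "*"` is visible at the bottom of the hunk, so the instance role can now change attributes (source/dest check, security groups, delete-on-termination) on every ENI in the account, not only the two it touches. `ec2:DescribeInstances` has to stay on `*`, but the modify action supports resource-level permissions on network-interface ARNs, so it could sit in its own statement restricted to the ENIs this host uses — the one this module creates plus the instance's primary ENI — for example through an `aws:ResourceTag` condition on a tag both carry. The start of the `aws_iam_role_policy` resource is outside the hunk, so I can't see whether another statement already narrows this; if not, splitting it is worth doing before the role is reused.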
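Review bot: On the `for i in $(aws ec2 describe-instances …)` line the `--filter` value is JSON assembled by splicing an unquoted `$INSTANCE_ID` into a single-quoted string, and the `jq` expression after the pipe is unquoted, so its `[0]` and `[]` are glob characters to bash. Both go away with `--instance-ids "$INSTANCE_ID"` and a quoted filter, and using `--query` drops the `sudo yum install -y jq` step at boot entirely: `for i in $(aws ec2 describe-instances --region "$REGION" --instance-ids "$INSTANCE_ID" --query 'Reservations[0].Instances[0].NetworkInterfaces[].NetworkInterfaceId' --output text); do`. The script runs with only `-x` and no `set -e`, so a failed describe call leaves the loop silently empty and `systemctl start snat` proceeds with source/dest checks still enabled; checking the command's status, or at least that the ID list is non-empty and includes `${eni_id}`, before starting SNAT would surface that. Whether describe-instances already lists the ENI immediately after `attach-network-interface` returns is unclear from here, so passing `${eni_id}` explicitly alongside the discovered IDs would avoid depending on that timing.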
diff --git a/snat.sh b/snat.sh
index b026a0d..d0fc3d7 100644
--- a/snat.sh
+++ b/snat.sh
@@ -1,16 +1,25 @@
 #!/bin/bash
 
 set -x
 
-# wait for eth1
+# Wait for eth1
 while ! ip link show dev eth1; do
 sleep 1
 done
 
-# enable IP forwarding and NAT
+# Enable IP forwarding
 sysctl -q -w net.ipv4.ip_forward=1
+
+# Disable ICMP redirects on eth1
 sysctl -q -w net.ipv4.conf.eth1.send_redirects=0
+
+# Configure NAT
 iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
 
+# Disable reverse path protection
+for i in $(find /proc/sys/net/ipv4/conf/ -name rp_filter) ; do
+ echo 0 > $i;
+done
+
 # prevent setting the default route to eth0 after reboot
 rm -f /etc/sysconfig/network-scripts/ifcfg-eth0
@@ -21,4 +30,4 @@ ip route del default dev eth0
 curl --retry 10 http://www.example.com
 
 # reestablish connections
-systemctl restart amazon-ssm-agent.service
+systemctl restart amazon-ssm-agent.service
\ No newline at end of file
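Review bot: The `for i in $(find /proc/sys/net/ipv4/conf/ -name rp_filter)` loop writes `0` to every `rp_filter`, including `all` and the public-facing `eth1`, which switches reverse-path filtering off completely on the internet side of the NAT host. Loose mode (`2`) is normally sufficient for a two-interface forwarder — it only drops packets whose source address is not routable via any interface — so I'd write `2` unless testing shows asymmetric paths it still rejects, and quote the target while at it: `for i in /proc/sys/net/ipv4/conf/*/rp_filter; do`, `  echo 2 > "$i"`, `done`. The kernel applies the higher of `conf.all.rp_filter` and the per-interface value, so `all` must be lowered as well for the per-interface setting to matter, which the glob already covers. A one-line comment stating that this is required because return traffic for forwarded flows arrives on a different interface than the route back to its source would make the intent clear to the next reader.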