From 9aa24f4cde128eab02707548676f260a649dd23c Mon Sep 17 00:00:00 2001
From: Jeremy Lecour <jlecour@evolix.fr>
Date: Tue, 1 Dec 2020 22:47:38 +0100
Subject: [PATCH] minifirewall: Docker support

---
 CHANGELOG.md                           |   1 +
 minifirewall/defaults/main.yml         |   1 +
 minifirewall/files/minifirewall.conf   |   6 ++
 minifirewall/tasks/config.yml          |   6 ++
 minifirewall/templates/minifirewall.j2 | 118 +++++++++++++++++++++++--
 5 files changed, 127 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 32bfdeda..67448efd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
 * dovecot: Update munin plugin & configure it
 * evoacme: variable to disable Debian version check (default: False)
 * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
+* minifirewall: Docker support 
 * mysql: install save_mysql_processlist script
 * nextcloud: New role to setup a nextcloud instance
 * redis: variable to force use of port 6379 in instances mode
diff --git a/minifirewall/defaults/main.yml b/minifirewall/defaults/main.yml
index 5489b06a..e12da941 100644
--- a/minifirewall/defaults/main.yml
+++ b/minifirewall/defaults/main.yml
@@ -10,6 +10,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
 minifirewall_int: "{{ ansible_default_ipv4.interface }}"
 minifirewall_ipv6: "on"
 minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
+minifirewall_docker: "off"
 
 minifirewall_default_trusted_ips: []
 minifirewall_additional_trusted_ips: []
diff --git a/minifirewall/files/minifirewall.conf b/minifirewall/files/minifirewall.conf
index 7285822a..2ddefe62 100644
--- a/minifirewall/files/minifirewall.conf
+++ b/minifirewall/files/minifirewall.conf
@@ -8,6 +8,12 @@ INT='eth0'
 # IPv6
 IPV6=on
 
+# Docker Mode
+# Changes the behaviour of minifirewall to not break the containers' network
+# For instance, turning it on will disable nat table purge
+# Also, we'll add the DOCKER-USER chain, in iptable
+DOCKER='off'
+
 # Trusted IPv4 local network
 # ...will be often IP/32 if you don't trust anything
 INTLAN='192.168.0.2/32'
diff --git a/minifirewall/tasks/config.yml b/minifirewall/tasks/config.yml
index 82be385c..347e58a9 100644
--- a/minifirewall/tasks/config.yml
+++ b/minifirewall/tasks/config.yml
@@ -58,6 +58,12 @@
       # IPv6
       IPV6='{{ minifirewall_ipv6 }}'
 
+      # Docker Mode
+      # Changes the behaviour of minifirewall to not break the containers' network
+      # For instance, turning it on will disable nat table purge
+      # Also, we'll add the DOCKER-USER chain, in iptable
+      DOCKER='{{ minifirewall_docker }}'
+
       # Trusted IPv4 local network
       # ...will be often IP/32 if you don't trust anything
       INTLAN='{{ minifirewall_intlan }}'
diff --git a/minifirewall/templates/minifirewall.j2 b/minifirewall/templates/minifirewall.j2
index 8045ce60..de9e3b96 100755
--- a/minifirewall/templates/minifirewall.j2
+++ b/minifirewall/templates/minifirewall.j2
@@ -51,6 +51,20 @@ BROAD='255.255.255.255'
 PORTSROOT='0:1023'
 PORTSUSER='1024:65535'
 
+chain_exists()
+{
+    local chain_name="$1" ; shift
+    [ $# -eq 1 ] && local intable="--table $1"
+    iptables $intable -nL "$chain_name" >/dev/null 2>&1
+}
+
+# Configuration
+oldconfigfile="/etc/firewall.rc"
+configfile="{{ minifirewall_main_file }}"
+
+IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
+DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '='  -F "'" '{print $2}')
+INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '='  -F "'" '{print $2}')
 
 case "$1" in
  start)
@@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
 $IPT -A LOG_ACCEPT -j LOG  --log-prefix '[IPTABLES ACCEPT] : '
 $IPT -A LOG_ACCEPT -j ACCEPT
 
-# Configuration
-oldconfigfile="/etc/firewall.rc"
-configfile="{{ minifirewall_main_file }}"
-
 if test -f $oldconfigfile; then
     echo "$oldconfigfile is deprecated, rename to $configfile" >&2
     exit 1
@@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
 $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
 
 
+if [ "$DOCKER" = "on" ]; then
+
+    $IPT -N MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-TRUSTED -j DROP
+
+    $IPT -N MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
+    $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
+
+    $IPT -N MINIFW-DOCKER-PUB
+    $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
+    $IPT -A MINIFW-DOCKER-PUB -j RETURN
+
+    # Flush DOCKER-USER if exist, create it if absent
+    if chain_exists 'DOCKER-USER'; then
+        $IPT -F DOCKER-USER
+    else
+        $IPT -N DOCKER-USER
+    fi;
+
+    # Pipe new connection through MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -i $INT -m state  --state NEW -j MINIFW-DOCKER-PUB
+    $IPT -A DOCKER-USER -j RETURN
+
+fi
+
+
 # Local services restrictions
 #############################
 
@@ -218,6 +255,64 @@ for x in $SERVICESUDP3
     done
 
 
+if [ "$DOCKER" = "on" ]; then
+
+    # Public services defined in SERVICESTCP1 & SERVICESUDP1
+    for dstport in $SERVICESTCP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
+        done
+
+    for dstport in $SERVICESUDP1
+        do
+            $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
+        done
+
+    # Privileged services (accessible from privileged & trusted IPs)
+    for dstport in $SERVICESTCP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP2
+        do
+            for srcip in $PRIVILEGIEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    # Trusted services (accessible from trusted IPs)
+    for dstport in $SERVICESTCP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+
+    for dstport in $SERVICESUDP3
+        do
+            for srcip in $TRUSTEDIPS
+                do
+                    $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
+                done
+        done
+fi
+
 # External services
 ###################
 
@@ -323,11 +418,24 @@ trap - INT TERM EXIT
     $IPT -F ONLYTRUSTED
     $IPT -F ONLYPRIVILEGIED
     $IPT -F NEEDRESTRICT
-    $IPT -t nat -F
+    [ "$DOCKER" = "off" ] && $IPT -t nat -F
     $IPT -t mangle -F
     [ "$IPV6" != "off" ] && $IPT6 -F INPUT
     [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
 
+    if [ "$DOCKER" = "on" ]; then
+        $IPT -F DOCKER-USER
+        $IPT -A DOCKER-USER -j RETURN
+
+        $IPT -F MINIFW-DOCKER-PUB
+        $IPT -X MINIFW-DOCKER-PUB
+        $IPT -F MINIFW-DOCKER-PRIVILEGED
+        $IPT -X MINIFW-DOCKER-PRIVILEGED
+        $IPT -F MINIFW-DOCKER-TRUSTED
+        $IPT -X MINIFW-DOCKER-TRUSTED
+
+    fi
+
     # Accept all
     $IPT -P INPUT ACCEPT
     $IPT -P OUTPUT ACCEPT