minifirewall: Docker support
This commit is contained in:
parent
b6817cb62c
commit
9aa24f4cde
|
@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* dovecot: Update munin plugin & configure it
|
* dovecot: Update munin plugin & configure it
|
||||||
* evoacme: variable to disable Debian version check (default: False)
|
* evoacme: variable to disable Debian version check (default: False)
|
||||||
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
|
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
|
||||||
|
* minifirewall: Docker support
|
||||||
* mysql: install save_mysql_processlist script
|
* mysql: install save_mysql_processlist script
|
||||||
* nextcloud: New role to setup a nextcloud instance
|
* nextcloud: New role to setup a nextcloud instance
|
||||||
* redis: variable to force use of port 6379 in instances mode
|
* redis: variable to force use of port 6379 in instances mode
|
||||||
|
|
|
@ -10,6 +10,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
|
||||||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||||
minifirewall_ipv6: "on"
|
minifirewall_ipv6: "on"
|
||||||
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
||||||
|
minifirewall_docker: "off"
|
||||||
|
|
||||||
minifirewall_default_trusted_ips: []
|
minifirewall_default_trusted_ips: []
|
||||||
minifirewall_additional_trusted_ips: []
|
minifirewall_additional_trusted_ips: []
|
||||||
|
|
|
@ -8,6 +8,12 @@ INT='eth0'
|
||||||
# IPv6
|
# IPv6
|
||||||
IPV6=on
|
IPV6=on
|
||||||
|
|
||||||
|
# Docker Mode
|
||||||
|
# Changes the behaviour of minifirewall to not break the containers' network
|
||||||
|
# For instance, turning it on will disable nat table purge
|
||||||
|
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||||
|
DOCKER='off'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
INTLAN='192.168.0.2/32'
|
INTLAN='192.168.0.2/32'
|
||||||
|
|
|
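Review bot: The comment block introducing `DOCKER='off'` is imprecise where precision matters for an operator reading a firewall config: "disable nat table purge" and "add the DOCKER-USER chain, in iptable" describe the effect loosely, and DOCKER-USER lives in the filter table, not "iptable". I would replace the three comment lines with `# Docker mode: when 'on', minifirewall leaves the nat table alone on stop and filters new inbound connections to containers through the DOCKER-USER chain (filter table) instead of breaking their network`. The template in the next file section carries the same three lines and should get the same wording.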
@ -58,6 +58,12 @@
|
||||||
# IPv6
|
# IPv6
|
||||||
IPV6='{{ minifirewall_ipv6 }}'
|
IPV6='{{ minifirewall_ipv6 }}'
|
||||||
|
|
||||||
|
# Docker Mode
|
||||||
|
# Changes the behaviour of minifirewall to not break the containers' network
|
||||||
|
# For instance, turning it on will disable nat table purge
|
||||||
|
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||||
|
DOCKER='{{ minifirewall_docker }}'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
INTLAN='{{ minifirewall_intlan }}'
|
INTLAN='{{ minifirewall_intlan }}'
|
||||||
|
|
|
@ -51,6 +51,20 @@ BROAD='255.255.255.255'
|
||||||
PORTSROOT='0:1023'
|
PORTSROOT='0:1023'
|
||||||
PORTSUSER='1024:65535'
|
PORTSUSER='1024:65535'
|
||||||
|
|
||||||
|
chain_exists()
|
||||||
|
{
|
||||||
|
local chain_name="$1" ; shift
|
||||||
|
[ $# -eq 1 ] && local intable="--table $1"
|
||||||
|
iptables $intable -nL "$chain_name" >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configuration
|
||||||
|
oldconfigfile="/etc/firewall.rc"
|
||||||
|
configfile="{{ minifirewall_main_file }}"
|
||||||
|
|
||||||
|
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
|
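Review bot: The new `DOCKER=$(grep "DOCKER=" ...)` line matches any line containing that string, including a commented-out `# DOCKER='on'`, so the variable can end up holding several values; every later `[ "$DOCKER" = "on" ]` test then silently falls through to the non-Docker path, and `stop` skips the nat flush while leaving the Docker chains in place. Anchoring the pattern, `grep "^DOCKER=" {{ minifirewall_main_file }}`, avoids that, and the `IPV6=` and `INT=` lines beside it have the same exposure. In `awk -F '=' -F "'"` the second `-F` overrides the first, so only the single-quote separator is in effect; dropping `-F '='` states the intent. `chain_exists` calls `iptables` directly while the rest of the script goes through `$IPT`; `$IPT $intable -nL "$chain_name" >/dev/null 2>&1` keeps it consistent, and note that `$intable` is unset when no table argument is given, which would trip `set -u` if the script ever enables it.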
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
|
||||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
# Configuration
|
|
||||||
oldconfigfile="/etc/firewall.rc"
|
|
||||||
configfile="{{ minifirewall_main_file }}"
|
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
||||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j RETURN
|
||||||
|
|
||||||
|
# Flush DOCKER-USER if exist, create it if absent
|
||||||
|
if chain_exists 'DOCKER-USER'; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
else
|
||||||
|
$IPT -N DOCKER-USER
|
||||||
|
fi;
|
||||||
|
|
||||||
|
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Local services restrictions
|
# Local services restrictions
|
||||||
#############################
|
#############################
|
||||||
|
|
||||||
|
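Review bot: `$IPT -N MINIFW-DOCKER-TRUSTED`, `-N MINIFW-DOCKER-PRIVILEGED` and `-N MINIFW-DOCKER-PUB` run without an existence check, so a second `start` without an intervening `stop` fails to create the chains and the following `-A`/`-I` calls append duplicate rules to the old ones; the `chain_exists` helper added in this commit guards only DOCKER-USER. Creating the three chains through the same flush-or-create pattern, before the `-A` rules, keeps a repeated start idempotent; the chain order PUB → PRIVILEGED → TRUSTED → DROP is otherwise what you want, since any new connection on $INT that matches no RETURN rule is dropped. `fi;` carries a stray semicolon; `fi` is enough.

```shell
if [ "$DOCKER" = "on" ]; then

    # Flush if present, create otherwise, so a repeated start does not duplicate rules
    for chain in MINIFW-DOCKER-TRUSTED MINIFW-DOCKER-PRIVILEGED MINIFW-DOCKER-PUB; do
        if chain_exists "$chain"; then
            $IPT -F "$chain"
        else
            $IPT -N "$chain"
        fi
    done

    $IPT -A MINIFW-DOCKER-TRUSTED -j DROP
    # … unchanged: MINIFW-DOCKER-PRIVILEGED / MINIFW-DOCKER-PUB rules, DOCKER-USER handling …
```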
@ -218,6 +255,64 @@ for x in $SERVICESUDP3
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
|
||||||
|
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||||
|
for dstport in $SERVICESTCP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
# Privileged services (accessible from privileged & trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# Trusted services (accessible from trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# External services
|
# External services
|
||||||
###################
|
###################
|
||||||
|
|
||||||
|
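Review bot: The six nested loops in this hunk are the same statement eight times with a different chain, protocol, port list and source list, which makes it easy for a future edit to fix one copy and miss another; a single helper taking those four values expresses the policy in six calls. Inserting with `-I` and only RETURN targets means rule order inside a chain does not affect the result, so passing `"$PRIVILEGIEDIPS $TRUSTEDIPS"` as one source list is equivalent to the two inner loops. The unquoted `$SERVICESTCP1`-style expansions are the file's established way of iterating space-separated lists (the enclosing `for x in $SERVICESUDP3` in the hunk header does the same), so the helper keeps that. The helper is best defined next to `chain_exists`, before the `case`, rather than inside the `start)` branch.

```shell
# Insert RETURN rules into a MINIFW-DOCKER-* chain.
# $1 chain, $2 protocol, $3 space-separated destination ports,
# $4 space-separated source IPs (empty = any source)
docker_allow()
{
    local chain="$1" proto="$2" ports="$3" srcips="$4"
    local dstport srcip
    for dstport in $ports; do
        if [ -z "$srcips" ]; then
            $IPT -I "$chain" -p "$proto" --dport "$dstport" -j RETURN
        else
            for srcip in $srcips; do
                $IPT -I "$chain" -p "$proto" -s "$srcip" --dport "$dstport" -j RETURN
            done
        fi
    done
}

# … unchanged: everything up to the Docker services block …

if [ "$DOCKER" = "on" ]; then
    # Public services defined in SERVICESTCP1 & SERVICESUDP1
    docker_allow MINIFW-DOCKER-PUB tcp "$SERVICESTCP1" ""
    docker_allow MINIFW-DOCKER-PUB udp "$SERVICESUDP1" ""

    # Privileged services (accessible from privileged & trusted IPs)
    docker_allow MINIFW-DOCKER-PRIVILEGED tcp "$SERVICESTCP2" "$PRIVILEGIEDIPS $TRUSTEDIPS"
    docker_allow MINIFW-DOCKER-PRIVILEGED udp "$SERVICESUDP2" "$PRIVILEGIEDIPS $TRUSTEDIPS"

    # Trusted services (accessible from trusted IPs)
    docker_allow MINIFW-DOCKER-TRUSTED tcp "$SERVICESTCP3" "$TRUSTEDIPS"
    docker_allow MINIFW-DOCKER-TRUSTED udp "$SERVICESUDP3" "$TRUSTEDIPS"
fi
```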
@ -323,11 +418,24 @@ trap - INT TERM EXIT
|
||||||
$IPT -F ONLYTRUSTED
|
$IPT -F ONLYTRUSTED
|
||||||
$IPT -F ONLYPRIVILEGIED
|
$IPT -F ONLYPRIVILEGIED
|
||||||
$IPT -F NEEDRESTRICT
|
$IPT -F NEEDRESTRICT
|
||||||
$IPT -t nat -F
|
[ "$DOCKER" = "off" ] && $IPT -t nat -F
|
||||||
$IPT -t mangle -F
|
$IPT -t mangle -F
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
$IPT -F MINIFW-DOCKER-PUB
|
||||||
|
$IPT -X MINIFW-DOCKER-PUB
|
||||||
|
$IPT -F MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -X MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -F MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -X MINIFW-DOCKER-TRUSTED
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
# Accept all
|
# Accept all
|
||||||
$IPT -P INPUT ACCEPT
|
$IPT -P INPUT ACCEPT
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
|
|
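Review bot: `[ "$DOCKER" = "off" ] && $IPT -t nat -F` is the only test in the script that checks for "off"; every other branch checks `= "on"`, so a value that is neither (an empty or multi-line result from the grep-based parsing, or a typo in the config) skips both the nat flush and the Docker cleanup and leaves rules behind after `stop`. `[ "$DOCKER" != "on" ] && $IPT -t nat -F` makes stop mirror start. The `-F`/`-X` sequence in the Docker block is order-dependent (DOCKER-USER flushed first, then PUB before PRIVILEGED before TRUSTED, because each jumps to the next); a comment such as `# Flush, then delete in reference order: -X fails while another chain still jumps to the target` would protect it from reordering. If `stop` runs on a host where `start` never created these chains, the `-F`/`-X` calls fail with iptables errors; wrapping them in `chain_exists` checks, as the start path does for DOCKER-USER, keeps stop idempotent.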