minifirewall: Docker support

This commit is contained in:
Jérémy Lecour 2020-12-01 22:47:38 +01:00 committed by Jérémy Lecour
parent b6817cb62c
commit 9aa24f4cde
5 changed files with 127 additions and 5 deletions


@ -15,6 +15,7 @@ The **patch** part changes incrementally at each release.
* dovecot: Update munin plugin & configure it * dovecot: Update munin plugin & configure it
* evoacme: variable to disable Debian version check (default: False) * evoacme: variable to disable Debian version check (default: False)
* kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd) * kvm-host: Add drbd role dependency (toggleable with kvm_install_drbd)
* minifirewall: Docker support
* mysql: install save_mysql_processlist script * mysql: install save_mysql_processlist script
* nextcloud: New role to setup a nextcloud instance * nextcloud: New role to setup a nextcloud instance
* redis: variable to force use of port 6379 in instances mode * redis: variable to force use of port 6379 in instances mode


@ -10,6 +10,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
minifirewall_int: "{{ ansible_default_ipv4.interface }}" minifirewall_int: "{{ ansible_default_ipv4.interface }}"
minifirewall_ipv6: "on" minifirewall_ipv6: "on"
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32" minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
minifirewall_docker: "off"
minifirewall_default_trusted_ips: [] minifirewall_default_trusted_ips: []
minifirewall_additional_trusted_ips: [] minifirewall_additional_trusted_ips: []


@ -8,6 +8,12 @@ INT='eth0'
# IPv6 # IPv6
IPV6=on IPV6=on
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'
# Trusted IPv4 local network # Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything # ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32' INTLAN='192.168.0.2/32'
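Review bot: The comment above `DOCKER='off'` does not tell the reader what the accepted values are or that the quoting matters, and "in iptable" is a typo. The init template in this commit extracts this setting with grep/awk using the single quote as field separator, so only `DOCKER='on'` / `DOCKER='off'` written exactly like this are parsed; a double-quoted or unquoted value reads back as an empty string. Suggest `# Docker mode: 'on' or 'off' (keep the single quotes; the init script parses this line).` followed by `# When on: the nat table is not flushed on stop, and a DOCKER-USER chain is created so published container ports follow the SERVICES*/TRUSTEDIPS/PRIVILEGIEDIPS lists.`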


@ -58,6 +58,12 @@
# IPv6 # IPv6
IPV6='{{ minifirewall_ipv6 }}' IPV6='{{ minifirewall_ipv6 }}'
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='{{ minifirewall_docker }}'
# Trusted IPv4 local network # Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything # ...will be often IP/32 if you don't trust anything
INTLAN='{{ minifirewall_intlan }}' INTLAN='{{ minifirewall_intlan }}'
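Review bot: The comment on the new DOCKER line should state the accepted values and the quoting requirement, since the init template in this commit reads it with `grep "DOCKER="` piped to `awk -F "'" '{print $2}'` rather than by sourcing the file: only `DOCKER='on'` / `DOCKER='off'` with single quotes parse, and anything else yields an empty value, which the stop branch then treats as not-off and leaves the nat table unflushed. Suggest replacing the three comment lines with `# Docker mode: 'on' or 'off' (keep the single quotes; the init script parses this line).` and `# When on: the nat table is not flushed on stop, and a DOCKER-USER chain is created so published container ports follow the SERVICES*/TRUSTEDIPS/PRIVILEGIEDIPS lists.` — this also fixes "in iptable".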


@ -51,6 +51,20 @@ BROAD='255.255.255.255'
PORTSROOT='0:1023' PORTSROOT='0:1023'
PORTSUSER='1024:65535' PORTSUSER='1024:65535'
chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local intable="--table $1"
iptables $intable -nL "$chain_name" >/dev/null 2>&1
}
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="{{ minifirewall_main_file }}"
IPV6=$(grep "IPV6=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
DOCKER=$(grep "DOCKER=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
INT=$(grep "INT=" {{ minifirewall_main_file }} | awk -F '=' -F "'" '{print $2}')
case "$1" in case "$1" in
start) start)
@ -109,10 +123,6 @@ $IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT $IPT -A LOG_ACCEPT -j ACCEPT
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="{{ minifirewall_main_file }}"
if test -f $oldconfigfile; then if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2 echo "$oldconfigfile is deprecated, rename to $configfile" >&2
exit 1 exit 1
@ -165,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
if [ "$DOCKER" = "on" ]; then
$IPT -N MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
$IPT -N MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
$IPT -N MINIFW-DOCKER-PUB
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PUB -j RETURN
# Flush DOCKER-USER if exist, create it if absent
if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;
# Pipe new connection through MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -j RETURN
fi
# Local services restrictions # Local services restrictions
############################# #############################
@ -218,6 +255,64 @@ for x in $SERVICESUDP3
done done
if [ "$DOCKER" = "on" ]; then
# Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in $SERVICESTCP1
do
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
done
for dstport in $SERVICESUDP1
do
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
done
# Privileged services (accessible from privileged & trusted IPs)
for dstport in $SERVICESTCP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
# Trusted services (accessible from trusted IPs)
for dstport in $SERVICESTCP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done
for dstport in $SERVICESUDP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
fi
# External services # External services
################### ###################
@ -323,11 +418,24 @@ trap - INT TERM EXIT
$IPT -F ONLYTRUSTED $IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED $IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT $IPT -F NEEDRESTRICT
$IPT -t nat -F [ "$DOCKER" = "off" ] && $IPT -t nat -F
$IPT -t mangle -F $IPT -t mangle -F
[ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F INPUT
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
if [ "$DOCKER" = "on" ]; then
$IPT -F DOCKER-USER
$IPT -A DOCKER-USER -j RETURN
$IPT -F MINIFW-DOCKER-PUB
$IPT -X MINIFW-DOCKER-PUB
$IPT -F MINIFW-DOCKER-PRIVILEGED
$IPT -X MINIFW-DOCKER-PRIVILEGED
$IPT -F MINIFW-DOCKER-TRUSTED
$IPT -X MINIFW-DOCKER-TRUSTED
fi
# Accept all # Accept all
$IPT -P INPUT ACCEPT $IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT $IPT -P OUTPUT ACCEPT
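Review bot: The eight `-I MINIFW-DOCKER-*` allow rules in the third hunk match `--dport "$dstport"`, but DOCKER-USER is traversed from FORWARD after Docker's DNAT in nat PREROUTING, so the port compared is the container-side port, not the host port the service was published on; any container published as `-p host:container` with different numbers never matches and falls through to the `-j DROP` in MINIFW-DOCKER-TRUSTED (fails closed, but silently breaks the whitelist). Matching the pre-NAT destination instead — `-m conntrack --ctorigdstport "$dstport" --ctdir ORIGINAL` in place of `--dport "$dstport"` on those rules — keeps SERVICESTCP1/2/3 and SERVICESUDP1/2/3 meaning the same host ports they already mean for INPUT, and a comment saying the lists are host ports would make that explicit. Separately, the `grep "DOCKER="` / `grep "INT="` / `grep "IPV6="` extraction added at the top is unanchored, so a commented-out or similarly named line yields a multi-line value; `grep "^DOCKER="` (and likewise for the other two) avoids that, and if `$INT` comes back empty the `-i $INT` rule on DOCKER-USER fails rather than defaulting. The `case "$1"` start/stop bodies extend outside the hunks shown.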