Make it compatible with docker

Add a new variable "DOCKER" that should be set to "on" when this is a
docker machine.

It will
- Disable the nat tables flush on stop/restart
  Reason: do not break outgoing networking for containers

- Create the "DOCKER-USER" chain, and add a DROP
  By default everything is closed and we don't expose services to the
  outside world

- Add rules in the "DOCKER-USER" chain to open services to the outside
  world.

Untested with swarm
This commit is contained in:
Ludovic Poujol 2020-02-21 16:33:15 +01:00
parent 30041b8949
commit 0ec2cb2f4b
Signed by: lpoujol
GPG Key ID: 6F563E6A4DD5DCEF
2 changed files with 47 additions and 2 deletions


@ -51,11 +51,20 @@ BROAD='255.255.255.255'
PORTSROOT='0:1023'
PORTSUSER='1024:65535'
chain_exists()
{
local chain_name="$1" ; shift
[ $# -eq 1 ] && local intable="--table $1"
iptables $intable -nL "$chain_name" >/dev/null 2>&1
}
# Configuration
oldconfigfile="/etc/firewall.rc"
configfile="/etc/default/minifirewall"
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
INT=$(grep "INT=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
case "$1" in
start)
@ -114,6 +123,18 @@ $IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT
if [ "$DOCKER" != "off" ]; then
if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;
iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP
iptables -A DOCKER-USER -j RETURN
fi
if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
@ -219,6 +240,16 @@ for x in $SERVICESUDP3
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
done
# Docker services (IPv4)
for x in $SERVICESTCP4
do
$IPT -I DOCKER-USER -p tcp --dport $x -j RETURN
done
for x in $SERVICESUDP4
do
$IPT -I DOCKER-USER -p udp --dport $x -j RETURN
done
# External services
###################
@ -325,11 +356,16 @@ trap - INT TERM EXIT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
$IPT -t nat -F
[ "$DOCKER" != "on" ] && $IPT -t nat -F
$IPT -t mangle -F
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
if [ "$DOCKER" != "off" ]; then
$IPT -F DOCKER-USER
$IPT -A DOCKER-USER -j RETURN
fi
# Accept all
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
@ -384,4 +420,3 @@ trap - INT TERM EXIT
esac
exit 0
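Review bot: The DOCKER test is inconsistent between hunks: the start path at `if [ "$DOCKER" != "off" ]; then` and the stop path at `[ "$DOCKER" != "on" ] && $IPT -t nat -F` disagree when the variable is empty, which is what the `DOCKER=$(grep "DOCKER=" ...)` assignment yields on an existing config that has no DOCKER line — the DOCKER-USER chain with its DROP is then created while the nat table is still flushed. Use one normalised test everywhere, e.g. `[ "$DOCKER" = "on" ]`, so an unset variable behaves like the shipped default of off. The `for x in $SERVICESTCP4` and `$SERVICESUDP4` loops in the third hunk also run `$IPT -I DOCKER-USER` without that guard, so with Docker mode off and a non-empty SERVICESTCP4 the insert targets a chain this script never created; wrap both loops in the same test. The two `iptables -A DOCKER-USER ...` lines and `chain_exists` call `iptables` directly where the rest of the file uses `$IPT`. The `case "$1" in` body that encloses these hunks starts and ends outside them.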


@ -8,6 +8,12 @@ INT='eth0'
# IPv6
IPV6=on
# Docker Mode
# Changes the behaviour of minifirewall to not break the containers' network
# For instance, turning it on will disable nat table purge
# Also, we'll add the DOCKER-USER chain, in iptable
DOCKER='off'
# Trusted IPv4 local network
# ...will be often IP/32 if you don't trust anything
INTLAN='192.168.0.2/32'
@ -40,6 +46,10 @@ SERVICESUDP2=''
SERVICESTCP3='5666'
SERVICESUDP3=''
# Docker services (IPv4)
SERVICESTCP4='8080'
SERVICESUDP4=''
# Standard output IPv4 access restrictions
##########################################
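Review bot: `SERVICESTCP4='8080'` ships a non-empty default for the new Docker services list, so a host that sets DOCKER to on without editing this line immediately exempts TCP 8080 from the DOCKER-USER DROP, while the sibling `SERVICESUDP4=''` is empty. Prefer `SERVICESTCP4=''` and mention 8080 in the `# Docker services (IPv4)` comment as an example, so exposing a port is an explicit operator choice. The `# Docker Mode` block could also state both effects the script ties to this value — the nat table is not flushed on stop, and a DOCKER-USER chain is created that drops new inbound connections arriving on INT unless listed here — since that is what an operator needs in order to decide.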