Make it compatible with docker
Add a new variable "DOCKER" that should be set to "on" when this is a Docker machine. It will: disable the nat table flush on stop/restart (reason: not breaking outgoing networking for containers); create the "DOCKER-USER" chain and add a DROP, so that by default everything is closed and we don't expose services to the outside world; add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm.
This commit is contained in:
parent
30041b8949
commit
0ec2cb2f4b
39
minifirewall
39
minifirewall
|
@ -51,11 +51,20 @@ BROAD='255.255.255.255'
|
||||||
PORTSROOT='0:1023'
|
PORTSROOT='0:1023'
|
||||||
PORTSUSER='1024:65535'
|
PORTSUSER='1024:65535'
|
||||||
|
|
||||||
|
chain_exists()
|
||||||
|
{
|
||||||
|
local chain_name="$1" ; shift
|
||||||
|
[ $# -eq 1 ] && local intable="--table $1"
|
||||||
|
iptables $intable -nL "$chain_name" >/dev/null 2>&1
|
||||||
|
}
|
||||||
|
|
||||||
# Configuration
|
# Configuration
|
||||||
oldconfigfile="/etc/firewall.rc"
|
oldconfigfile="/etc/firewall.rc"
|
||||||
configfile="/etc/default/minifirewall"
|
configfile="/etc/default/minifirewall"
|
||||||
|
|
||||||
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||||
|
DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||||
|
INT=$(grep "INT=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')
|
||||||
|
|
||||||
case "$1" in
|
case "$1" in
|
||||||
start)
|
start)
|
||||||
|
@ -114,6 +123,18 @@ $IPT -N LOG_ACCEPT
|
||||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
|
if [ "$DOCKER" != "off" ]; then
|
||||||
|
|
||||||
|
if chain_exists 'DOCKER-USER'; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
else
|
||||||
|
$IPT -N DOCKER-USER
|
||||||
|
fi;
|
||||||
|
|
||||||
|
iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP
|
||||||
|
iptables -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||||
|
@ -219,6 +240,16 @@ for x in $SERVICESUDP3
|
||||||
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
|
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# Docker services (IPv4)
|
||||||
|
for x in $SERVICESTCP4
|
||||||
|
do
|
||||||
|
$IPT -I DOCKER-USER -p tcp --dport $x -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for x in $SERVICESUDP4
|
||||||
|
do
|
||||||
|
$IPT -I DOCKER-USER -p udp --dport $x -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
# External services
|
# External services
|
||||||
###################
|
###################
|
||||||
|
@ -325,11 +356,16 @@ trap - INT TERM EXIT
|
||||||
$IPT -F ONLYTRUSTED
|
$IPT -F ONLYTRUSTED
|
||||||
$IPT -F ONLYPRIVILEGIED
|
$IPT -F ONLYPRIVILEGIED
|
||||||
$IPT -F NEEDRESTRICT
|
$IPT -F NEEDRESTRICT
|
||||||
$IPT -t nat -F
|
[ "$DOCKER" != "on" ] && $IPT -t nat -F
|
||||||
$IPT -t mangle -F
|
$IPT -t mangle -F
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||||
|
|
||||||
|
if [ "$DOCKER" != "off" ]; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
fi
|
||||||
|
|
||||||
# Accept all
|
# Accept all
|
||||||
$IPT -P INPUT ACCEPT
|
$IPT -P INPUT ACCEPT
|
||||||
$IPT -P OUTPUT ACCEPT
|
$IPT -P OUTPUT ACCEPT
|
||||||
|
@ -384,4 +420,3 @@ trap - INT TERM EXIT
|
||||||
esac
|
esac
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
|
|
|
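Review bot: The Docker-mode test in the start branch, `if [ "$DOCKER" != "off" ]; then`, and the one in the stop branch, `[ "$DOCKER" != "on" ] && $IPT -t nat -F`, disagree whenever DOCKER is neither value, which is exactly what the grep/awk parse on the new `DOCKER=$(grep "DOCKER=" ...)` line yields for a config file that lacks the variable or writes it unquoted (the awk splits on `'`, so `DOCKER=on` reads as empty): start then creates DOCKER-USER with the DROP rule while stop still flushes the nat table. Since the description says the variable is set to "on" for Docker machines, both branches should test for that value, `if [ "$DOCKER" = "on" ]; then` and `[ "$DOCKER" = "on" ] || $IPT -t nat -F`. In the same start hunk the two new rules call `iptables` directly and leave `$INT` unquoted while every surrounding rule goes through `$IPT`; `$IPT -A DOCKER-USER -i "$INT" -m state --state NEW -j DROP` and `$IPT -A DOCKER-USER -j RETURN` keep it consistent, and `chain_exists` in the first hunk should use `$IPT` for the same reason. A one-line comment above the block, `# Docker consults DOCKER-USER from FORWARD: NEW inbound flows on $INT are dropped unless a SERVICESTCP4/SERVICESUDP4 rule RETURNs first`, would explain why the RETURN rules are inserted with -I. The `case` branches these hunks touch start and end outside the hunks.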
@ -8,6 +8,12 @@ INT='eth0'
|
||||||
# IPv6
|
# IPv6
|
||||||
IPV6=on
|
IPV6=on
|
||||||
|
|
||||||
|
# Docker Mode
|
||||||
|
# Changes the behaviour of minifirewall to not break the containers' network
|
||||||
|
# For instance, turning it on will disable nat table purge
|
||||||
|
# Also, we'll add the DOCKER-USER chain, in iptable
|
||||||
|
DOCKER='off'
|
||||||
|
|
||||||
# Trusted IPv4 local network
|
# Trusted IPv4 local network
|
||||||
# ...will be often IP/32 if you don't trust anything
|
# ...will be often IP/32 if you don't trust anything
|
||||||
INTLAN='192.168.0.2/32'
|
INTLAN='192.168.0.2/32'
|
||||||
|
@ -40,6 +46,10 @@ SERVICESUDP2=''
|
||||||
SERVICESTCP3='5666'
|
SERVICESTCP3='5666'
|
||||||
SERVICESUDP3=''
|
SERVICESUDP3=''
|
||||||
|
|
||||||
|
# Docker services (IPv4)
|
||||||
|
SERVICESTCP4='8080'
|
||||||
|
SERVICESUDP4=''
|
||||||
|
|
||||||
# Standard output IPv4 access restrictions
|
# Standard output IPv4 access restrictions
|
||||||
##########################################
|
##########################################
|
||||||
|
|
||||||
|
|
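Review bot: The new `DOCKER='off'` line is single-quoted but the neighbouring `IPV6=on` is not, and the script reads both through the same grep/awk parse that splits on `'`, so an unquoted value appears to come back empty; the comment block above DOCKER should say so, e.g. `# Keep the value single-quoted ('on' / 'off'): the script parses it with awk -F "'"`. The `SERVICESTCP4='8080'` default also deserves a note that it only takes effect when DOCKER is 'on' and opens that port to every source address, not just INTLAN, since the DOCKER-USER RETURN rules carry no source match. The file header for this section is not shown on the page, so the file name is inferred from the content.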