From 0ec2cb2f4bde60ca8fb81d8853ef47a848ee94b2 Mon Sep 17 00:00:00 2001 From: Ludovic Poujol Date: Fri, 21 Feb 2020 16:33:15 +0100 Subject: [PATCH 1/2] Make it compatible with docker Add a new variable "DOCKER" that should be set to "on" when this is a docker machine. It will - Disable the nat tables flush on stop/restart Reason : Not breaking outgoing networking for containers - Create the "DOCKER-USER" chain, and add a DROP By default everything is closed and we don't expose services to the outside world - Add rules in the "DOCKER-USER" chain to open services to the outside world. Untested with swarm --- minifirewall | 39 +++++++++++++++++++++++++++++++++++++-- minifirewall.conf | 10 ++++++++++ 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/minifirewall b/minifirewall index 320fa49..d51afde 100755 --- a/minifirewall +++ b/minifirewall @@ -51,11 +51,20 @@ BROAD='255.255.255.255' PORTSROOT='0:1023' PORTSUSER='1024:65535' +chain_exists() +{ + local chain_name="$1" ; shift + [ $# -eq 1 ] && local intable="--table $1" + iptables $intable -nL "$chain_name" >/dev/null 2>&1 +} + # Configuration oldconfigfile="/etc/firewall.rc" configfile="/etc/default/minifirewall" IPV6=$(grep "IPV6=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}') +DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}') +INT=$(grep "INT=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}') case "$1" in start) @@ -114,6 +123,18 @@ $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT +if [ "$DOCKER" != "off" ]; then + + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP + iptables -A DOCKER-USER -j RETURN + +fi if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 
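Review bot: `DOCKER=$(grep "DOCKER=" /etc/default/minifirewall | awk -F '=' -F "'" '{print $2}')` only yields a value when the setting is written with single quotes: the last `-F` wins, so awk splits on `'`, and `DOCKER=on` (the form `IPV6=on` uses in the same configuration file) comes back empty and is treated as Docker mode off, with no message, in every path that relies on this early lookup. Since the pattern is unanchored, a commented-out `#DOCKER='on'` left in the file would also contribute a second line to the value. Anchoring the key and stripping quotes explicitly makes both spellings work, e.g. `DOCKER=$(grep '^DOCKER=' "$configfile" | cut -d= -f2 | tr -d "'\"")`, and the `INT=` lookup added next to it has the same shape and deserves the same treatment. Separately, `chain_exists()` invokes `iptables` directly while the rest of the script goes through `$IPT`; `$IPT $intable -nL "$chain_name" >/dev/null 2>&1` keeps it consistent.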
@@ -219,6 +240,16 @@ for x in $SERVICESUDP3 $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED done +# Docker services (IPv4) +for x in $SERVICESTCP4 + do + $IPT -I DOCKER-USER -p tcp --dport $x -j RETURN + done + +for x in $SERVICESUDP4 + do + $IPT -I DOCKER-USER -p udp --dport $x -j RETURN + done # External services ################### @@ -325,11 +356,16 @@ trap - INT TERM EXIT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT - $IPT -t nat -F + [ "$DOCKER" != "on" ] && $IPT -t nat -F $IPT -t mangle -F [ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT + if [ "$DOCKER" != "off" ]; then + $IPT -F DOCKER-USER + $IPT -A DOCKER-USER -j RETURN + fi + # Accept all $IPT -P INPUT ACCEPT $IPT -P OUTPUT ACCEPT @@ -384,4 +420,3 @@ trap - INT TERM EXIT esac exit 0 - diff --git a/minifirewall.conf b/minifirewall.conf index 2599124..07324f1 100644 --- a/minifirewall.conf +++ b/minifirewall.conf @@ -8,6 +8,12 @@ INT='eth0' # IPv6 IPV6=on +# Docker Mode +# Changes the behaviour of minifirewall to not break the containers' network +# For instance, turning it on will disable nat table purge +# Also, we'll add the DOCKER-USER chain, in iptable +DOCKER='off' + # Trusted IPv4 local network # ...will be often IP/32 if you don't trust anything INTLAN='192.168.0.2/32' @@ -40,6 +46,10 @@ SERVICESUDP2='' SERVICESTCP3='5666' SERVICESUDP3='' +# Docker services (IPv4) +SERVICESTCP4='8080' +SERVICESUDP4='' + # Standard output IPv4 access restrictions ########################################## From 7c384a777b2d11a2c46dca6e2d3d1e2f9ecf63ad Mon Sep 17 00:00:00 2001 
From: Ludovic Poujol Date: Thu, 2 Jul 2020 17:48:22 +0200 Subject: [PATCH 2/2] Better handling of Docker to match the usual minifirewall behaviour Revert some changes from 0ec2cb2f4bde60ca8fb81d8853ef47a848ee94b2 like the SERVICESTCP4 SERVICESUDP4 Instead, we'll re-create the usual behaviour of public, privileged and trusted ports for docker when the variable DOCKER is set to "on" --- minifirewall | 118 ++++++++++++++++++++++++++++++++++++---------- minifirewall.conf | 3 -- 2 files changed, 94 insertions(+), 27 deletions(-) diff --git a/minifirewall b/minifirewall index d51afde..a2c4a15 100755 --- a/minifirewall +++ b/minifirewall @@ -123,19 +123,6 @@ $IPT -N LOG_ACCEPT $IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : ' $IPT -A LOG_ACCEPT -j ACCEPT -if [ "$DOCKER" != "off" ]; then - - if chain_exists 'DOCKER-USER'; then - $IPT -F DOCKER-USER - else - $IPT -N DOCKER-USER - fi; - - iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP - iptables -A DOCKER-USER -j RETURN - -fi - if test -f $oldconfigfile; then echo "$oldconfigfile is deprecated, rename to $configfile" >&2 exit 1 @@ -188,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT $IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP +if [ "$DOCKER" = "on" ]; then + + $IPT -N MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-TRUSTED -j DROP + + $IPT -N MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED + $IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN + + $IPT -N MINIFW-DOCKER-PUB + $IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED + $IPT -A MINIFW-DOCKER-PUB -j RETURN + + # Flush DOCKER-USER if exist, create it if absent + if chain_exists 'DOCKER-USER'; then + $IPT -F DOCKER-USER + else + $IPT -N DOCKER-USER + fi; + + # Pipe new connection through MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB + $IPT -A DOCKER-USER -j RETURN + +fi + + # Local services restrictions ############################# 
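Review bot: The three `$IPT -N MINIFW-DOCKER-*` calls are unconditional, while `DOCKER-USER` a few lines below is flushed-or-created through `chain_exists`; if one of these chains is still present when start runs (a stop that executed with `DOCKER` not set to `on` does not delete them, per the stop hunk, nor does an interrupted stop), `-N` fails and the following `-A` lines append onto the rules left from the previous run, including its per-port RETURN rules, so the new policy is layered on stale allowances instead of replacing them — unless an earlier part of start (outside this hunk) already deletes user chains. Applying the DOCKER-USER pattern to all four chains keeps start idempotent: a helper `reset_chain() { if chain_exists "$1"; then $IPT -F "$1"; else $IPT -N "$1"; fi; }` next to `chain_exists()`, with `reset_chain MINIFW-DOCKER-TRUSTED` (and the other two) replacing each `$IPT -N`, then used for DOCKER-USER as well. The jump into MINIFW-DOCKER-PUB only inspects connections entering on `-i $INT`, so published ports reached through any other interface are not filtered by this block; if that is intended, a comment on the rule such as `# Only connections arriving on $INT are filtered here` would spare the next reader the question.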
@@ -240,16 +254,64 @@ for x in $SERVICESUDP3 $IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED done -# Docker services (IPv4) -for x in $SERVICESTCP4 - do - $IPT -I DOCKER-USER -p tcp --dport $x -j RETURN - done -for x in $SERVICESUDP4 - do - $IPT -I DOCKER-USER -p udp --dport $x -j RETURN - done +if [ "$DOCKER" = "on" ]; then + + # Public services defined in SERVICESTCP1 & SERVICESUDP1 + for dstport in $SERVICESTCP1 + do + $IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN + done + + for dstport in $SERVICESUDP1 + do + $IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN + done + + # Privileged services (accessible from privileged & trusted IPs) + for dstport in $SERVICESTCP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP2 + do + for srcip in $PRIVILEGIEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + # Trusted services (accessible from trusted IPs) + for dstport in $SERVICESTCP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN + done + done + + for dstport in $SERVICESUDP3 + do + for srcip in $TRUSTEDIPS + do + $IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN + done + done +fi # External services ################### 
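Review bot: The six loops inside the `DOCKER` block are the same three-line pattern repeated per chain and protocol, which makes it easy to drop the `-s "$srcip"` restriction from one copy the next time the lists are edited; two small helpers defined next to `chain_exists()` (outside this hunk) reduce the block to six calls that read as policy. The restricted helper adds no rule when its address list is empty, which is exactly what the nested loops do today, so an unset `PRIVILEGIEDIPS` or `TRUSTEDIPS` keeps failing closed rather than opening the port to everyone. Quoting of the per-port and per-address variables, which this hunk introduces, is preserved.
```shell
# Helpers, to be defined next to chain_exists() near the top of the script.
# Insert a RETURN into MINIFW-DOCKER-PUB for every port of $2 (protocol $1).
docker_allow_public()
{
    local proto="$1" ports="$2"
    for dstport in $ports
    do
        $IPT -I MINIFW-DOCKER-PUB -p "$proto" --dport "$dstport" -j RETURN
    done
}

# Insert a RETURN into chain $1 for every port of $3 (protocol $2), one rule
# per source address in $4. An empty $4 adds no rule at all (fail closed).
docker_allow_from()
{
    local chain="$1" proto="$2" ports="$3" srcips="$4"
    for dstport in $ports
    do
        for srcip in $srcips
        do
            $IPT -I "$chain" -p "$proto" -s "$srcip" --dport "$dstport" -j RETURN
        done
    done
}

# … unchanged: SERVICESUDP3 INPUT loop above …
if [ "$DOCKER" = "on" ]; then
    # Public services defined in SERVICESTCP1 & SERVICESUDP1
    docker_allow_public tcp "$SERVICESTCP1"
    docker_allow_public udp "$SERVICESUDP1"

    # Privileged services (accessible from privileged & trusted IPs)
    docker_allow_from MINIFW-DOCKER-PRIVILEGED tcp "$SERVICESTCP2" "$PRIVILEGIEDIPS $TRUSTEDIPS"
    docker_allow_from MINIFW-DOCKER-PRIVILEGED udp "$SERVICESUDP2" "$PRIVILEGIEDIPS $TRUSTEDIPS"

    # Trusted services (accessible from trusted IPs)
    docker_allow_from MINIFW-DOCKER-TRUSTED tcp "$SERVICESTCP3" "$TRUSTEDIPS"
    docker_allow_from MINIFW-DOCKER-TRUSTED udp "$SERVICESUDP3" "$TRUSTEDIPS"
fi
```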
@@ -356,14 +418,22 @@ trap - INT TERM EXIT $IPT -F ONLYTRUSTED $IPT -F ONLYPRIVILEGIED $IPT -F NEEDRESTRICT - [ "$DOCKER" != "on" ] && $IPT -t nat -F + [ "$DOCKER" = "off" ] && $IPT -t nat -F $IPT -t mangle -F [ "$IPV6" != "off" ] && $IPT6 -F INPUT [ "$IPV6" != "off" ] && $IPT6 -F OUTPUT - if [ "$DOCKER" != "off" ]; then + if [ "$DOCKER" = "on" ]; then $IPT -F DOCKER-USER $IPT -A DOCKER-USER -j RETURN + + $IPT -F MINIFW-DOCKER-PUB + $IPT -X MINIFW-DOCKER-PUB + $IPT -F MINIFW-DOCKER-PRIVILEGED + $IPT -X MINIFW-DOCKER-PRIVILEGED + $IPT -F MINIFW-DOCKER-TRUSTED + $IPT -X MINIFW-DOCKER-TRUSTED + fi # Accept all diff --git a/minifirewall.conf b/minifirewall.conf index 07324f1..14a973a 100644 --- a/minifirewall.conf +++ b/minifirewall.conf @@ -46,9 +46,6 @@ SERVICESUDP2='' SERVICESTCP3='5666' SERVICESUDP3='' -# Docker services (IPv4) -SERVICESTCP4='8080' -SERVICESUDP4='' # Standard output IPv4 access restrictions ##########################################
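Review bot: `[ "$DOCKER" = "off" ] && $IPT -t nat -F` changes the stop behaviour for every configuration that does not define `DOCKER` at all (the variable only appeared in minifirewall.conf with the first patch of this series): the grep on the file yields an empty string, the test is false, and the nat table is silently no longer flushed on stop or restart. The first patch's `[ "$DOCKER" != "on" ] && $IPT -t nat -F` keeps the previous behaviour for those installations; alternatively the lookup can be defaulted once after it is read, `DOCKER=${DOCKER:-off}`, so that both branches here can keep comparing against explicit values. The `$IPT -X MINIFW-DOCKER-*` lines (and `$IPT -F DOCKER-USER` above them) also error out when the chains do not exist, for instance when `DOCKER` was switched to `on` between the last start and this stop; guarding each with `chain_exists`, as start already does for DOCKER-USER, avoids the spurious failures.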