Browse Source

Better handling of Docker to match the usual minifirewall behaviour

Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4

Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
docker
Ludovic Poujol 3 months ago
parent
commit
7c384a777b
Signed by: lpoujol GPG Key ID: 6F563E6A4DD5DCEF
2 changed files with 94 additions and 27 deletions
  1. +94
    -24
      minifirewall
  2. +0
    -3
      minifirewall.conf

+ 94
- 24
minifirewall View File

@@ -123,19 +123,6 @@ $IPT -N LOG_ACCEPT
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
$IPT -A LOG_ACCEPT -j ACCEPT

if [ "$DOCKER" != "off" ]; then

if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;

iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP
iptables -A DOCKER-USER -j RETURN

fi

if test -f $oldconfigfile; then
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
exit 1
@@ -188,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP


if [ "$DOCKER" = "on" ]; then

$IPT -N MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP

$IPT -N MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN

$IPT -N MINIFW-DOCKER-PUB
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
$IPT -A MINIFW-DOCKER-PUB -j RETURN

# Flush DOCKER-USER if exist, create it if absent
if chain_exists 'DOCKER-USER'; then
$IPT -F DOCKER-USER
else
$IPT -N DOCKER-USER
fi;

# Pipe new connection through MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
$IPT -A DOCKER-USER -j RETURN

fi


# Local services restrictions
#############################

@@ -240,16 +254,64 @@ for x in $SERVICESUDP3
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
done

# Docker services (IPv4)
for x in $SERVICESTCP4
do
$IPT -I DOCKER-USER -p tcp --dport $x -j RETURN
done

for x in $SERVICESUDP4
do
$IPT -I DOCKER-USER -p udp --dport $x -j RETURN
done
if [ "$DOCKER" = "on" ]; then

# Public services defined in SERVICESTCP1 & SERVICESUDP1
for dstport in $SERVICESTCP1
do
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
done

for dstport in $SERVICESUDP1
do
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
done

# Privileged services (accessible from privileged & trusted IPs)
for dstport in $SERVICESTCP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done

for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done

for dstport in $SERVICESUDP2
do
for srcip in $PRIVILEGIEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done

for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done

# Trusted services (accessible from trusted IPs)
for dstport in $SERVICESTCP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
done
done

for dstport in $SERVICESUDP3
do
for srcip in $TRUSTEDIPS
do
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
done
done
fi

# External services
###################
@@ -356,14 +418,22 @@ trap - INT TERM EXIT
$IPT -F ONLYTRUSTED
$IPT -F ONLYPRIVILEGIED
$IPT -F NEEDRESTRICT
[ "$DOCKER" != "on" ] && $IPT -t nat -F
[ "$DOCKER" = "off" ] && $IPT -t nat -F
$IPT -t mangle -F
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT

if [ "$DOCKER" != "off" ]; then
if [ "$DOCKER" = "on" ]; then
$IPT -F DOCKER-USER
$IPT -A DOCKER-USER -j RETURN

$IPT -F MINIFW-DOCKER-PUB
$IPT -X MINIFW-DOCKER-PUB
$IPT -F MINIFW-DOCKER-PRIVILEGED
$IPT -X MINIFW-DOCKER-PRIVILEGED
$IPT -F MINIFW-DOCKER-TRUSTED
$IPT -X MINIFW-DOCKER-TRUSTED

fi

# Accept all


+ 0
- 3
minifirewall.conf View File

@@ -46,9 +46,6 @@ SERVICESUDP2=''
SERVICESTCP3='5666'
SERVICESUDP3=''

# Docker services (IPv4)
SERVICESTCP4='8080'
SERVICESUDP4=''

# Standard output IPv4 access restrictions
##########################################


Loading…
Cancel
Save