Better handling of Docker to match the usual minifirewall behaviour
Revert some changes from 0ec2cb2f4b
like the SERVICESTCP4 SERVICESUDP4
Instead, we'll re-create the usual behaviour of public, privileged and
trusted ports for docker when the variable DOCKER is set to "on"
This commit is contained in:
parent
0ec2cb2f4b
commit
7c384a777b
GPG Key ID:
6F563E6A4DD5DCEF
118
minifirewall
118
minifirewall
|
|
@ -123,19 +123,6 @@ $IPT -N LOG_ACCEPT
|
||||||
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
$IPT -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
|
||||||
$IPT -A LOG_ACCEPT -j ACCEPT
|
$IPT -A LOG_ACCEPT -j ACCEPT
|
||||||
|
|
||||||
if [ "$DOCKER" != "off" ]; then
|
|
||||||
|
|
||||||
if chain_exists 'DOCKER-USER'; then
|
|
||||||
$IPT -F DOCKER-USER
|
|
||||||
else
|
|
||||||
$IPT -N DOCKER-USER
|
|
||||||
fi;
|
|
||||||
|
|
||||||
iptables -A DOCKER-USER -i $INT -m state --state NEW -j DROP
|
|
||||||
iptables -A DOCKER-USER -j RETURN
|
|
||||||
|
|
||||||
fi
|
|
||||||
|
|
||||||
if test -f $oldconfigfile; then
|
if test -f $oldconfigfile; then
|
||||||
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
echo "$oldconfigfile is deprecated, rename to $configfile" >&2
|
||||||
exit 1
|
exit 1
|
||||||
|
|
@ -188,6 +175,33 @@ $IPT -A OUTPUT -o lo -j ACCEPT
|
||||||
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
$IPT -A INPUT -s $LOOPBACK ! -i lo -j DROP
|
||||||
|
|
||||||
|
|
||||||
|
if [ "$DOCKER" = "on" ]; then
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-TRUSTED -j DROP
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -A MINIFW-DOCKER-PRIVILEGED -j RETURN
|
||||||
|
|
||||||
|
$IPT -N MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -A MINIFW-DOCKER-PUB -j RETURN
|
||||||
|
|
||||||
|
# Flush DOCKER-USER if exist, create it if absent
|
||||||
|
if chain_exists 'DOCKER-USER'; then
|
||||||
|
$IPT -F DOCKER-USER
|
||||||
|
else
|
||||||
|
$IPT -N DOCKER-USER
|
||||||
|
fi;
|
||||||
|
|
||||||
|
# Pipe new connection through MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -i $INT -m state --state NEW -j MINIFW-DOCKER-PUB
|
||||||
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
# Local services restrictions
|
# Local services restrictions
|
||||||
#############################
|
#############################
|
||||||
|
|
||||||
|
|
@ -240,16 +254,64 @@ for x in $SERVICESUDP3
|
||||||
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
|
$IPT -A INPUT -p udp --dport $x -j ONLYTRUSTED
|
||||||
done
|
done
|
||||||
|
|
||||||
# Docker services (IPv4)
|
|
||||||
for x in $SERVICESTCP4
|
|
||||||
do
|
|
||||||
$IPT -I DOCKER-USER -p tcp --dport $x -j RETURN
|
|
||||||
done
|
|
||||||
|
|
||||||
for x in $SERVICESUDP4
|
if [ "$DOCKER" = "on" ]; then
|
||||||
do
|
|
||||||
$IPT -I DOCKER-USER -p udp --dport $x -j RETURN
|
# Public services defined in SERVICESTCP1 & SERVICESUDP1
|
||||||
done
|
for dstport in $SERVICESTCP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p tcp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP1
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PUB -p udp --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
# Privileged services (accessible from privileged & trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP2
|
||||||
|
do
|
||||||
|
for srcip in $PRIVILEGIEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-PRIVILEGED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# Trusted services (accessible from trusted IPs)
|
||||||
|
for dstport in $SERVICESTCP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p tcp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
for dstport in $SERVICESUDP3
|
||||||
|
do
|
||||||
|
for srcip in $TRUSTEDIPS
|
||||||
|
do
|
||||||
|
$IPT -I MINIFW-DOCKER-TRUSTED -p udp -s "$srcip" --dport "$dstport" -j RETURN
|
||||||
|
done
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# External services
|
# External services
|
||||||
###################
|
###################
|
||||||
|
|
@ -356,14 +418,22 @@ trap - INT TERM EXIT
|
||||||
$IPT -F ONLYTRUSTED
|
$IPT -F ONLYTRUSTED
|
||||||
$IPT -F ONLYPRIVILEGIED
|
$IPT -F ONLYPRIVILEGIED
|
||||||
$IPT -F NEEDRESTRICT
|
$IPT -F NEEDRESTRICT
|
||||||
[ "$DOCKER" != "on" ] && $IPT -t nat -F
|
[ "$DOCKER" = "off" ] && $IPT -t nat -F
|
||||||
$IPT -t mangle -F
|
$IPT -t mangle -F
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F INPUT
|
||||||
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
[ "$IPV6" != "off" ] && $IPT6 -F OUTPUT
|
||||||
|
|
||||||
if [ "$DOCKER" != "off" ]; then
|
if [ "$DOCKER" = "on" ]; then
|
||||||
$IPT -F DOCKER-USER
|
$IPT -F DOCKER-USER
|
||||||
$IPT -A DOCKER-USER -j RETURN
|
$IPT -A DOCKER-USER -j RETURN
|
||||||
|
|
||||||
|
$IPT -F MINIFW-DOCKER-PUB
|
||||||
|
$IPT -X MINIFW-DOCKER-PUB
|
||||||
|
$IPT -F MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -X MINIFW-DOCKER-PRIVILEGED
|
||||||
|
$IPT -F MINIFW-DOCKER-TRUSTED
|
||||||
|
$IPT -X MINIFW-DOCKER-TRUSTED
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Accept all
|
# Accept all
|
||||||
|
|
|
||||||
|
|
@ -46,9 +46,6 @@ SERVICESUDP2=''
|
||||||
SERVICESTCP3='5666'
|
SERVICESTCP3='5666'
|
||||||
SERVICESUDP3=''
|
SERVICESUDP3=''
|
||||||
|
|
||||||
# Docker services (IPv4)
|
|
||||||
SERVICESTCP4='8080'
|
|
||||||
SERVICESUDP4=''
|
|
||||||
|
|
||||||
# Standard output IPv4 access restrictions
|
# Standard output IPv4 access restrictions
|
||||||
##########################################
|
##########################################
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue