tehmoon revised this gist
Aug 24, 2020 . 1 changed file with 3 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,6 +3,9 @@ set -e ## SEE https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45 ## You need to add rules in DOCKER-BLOCK AND INPUT for traffic that does not go to a container. ## You only need to add one rule if the traffic goes to the container CWD=$(cd "$(dirname "${0}")"; pwd -P) FILE="${CWD}/$(basename "${0}")" chown root:root "${FILE}" -
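Review bot: The new comment says traffic that does not go to a container needs rules in both DOCKER-BLOCK and INPUT, but as far as this script shows a DOCKER-BLOCK entry only jumps to the DOCKER chain for DNAT and the nat table cannot drop anything, so host-bound traffic falls through to the RETURN and is decided by the filter INPUT rules alone. If that reading is right the comment should say so, e.g. `## Host services (not published by Docker) are controlled only by the INPUT rules below;` / `## a port published by Docker needs exactly one rule, in DOCKER-BLOCK.` If a DOCKER-BLOCK rule really is required for host traffic, the comment should explain why, since nothing else in the script makes that necessary.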
tehmoon revised this gist
Aug 24, 2020 . 1 changed file with 2 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -66,7 +66,8 @@ done /sbin/iptables -t filter -P INPUT DROP /sbin/iptables -t filter -F INPUT /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT # Add your non docker rules here #/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -t filter -A INPUT -j DROP /sbin/iptables -t filter -P INPUT ACCEPT -
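Review bot: With the port-22 rule commented out, a host running this script as shipped accepts no new inbound connections at all: the `--state ESTABLISHED` rule keeps the current SSH session alive, but the next reconnect is dropped by the final `-j DROP`, which is an easy way to lock yourself out of a remote box. A warning next to the new placeholder would save someone that surprise: `# WARNING: until a rule is added here, only loopback and already-established flows reach the host;` / `# keep console access at hand (or leave the port-22 rule enabled) before running this remotely.` Keeping the port-22 line active by default and letting users remove it is the safer default for a script that flushes INPUT.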
tehmoon revised this gist
Jan 4, 2020 . 1 changed file with 8 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,9 +10,12 @@ chmod o-rwx "${FILE}" set -x install_docker_block() { ## One time install rules for the DOCKER-BLOCK chain /sbin/iptables -t nat -N DOCKER-BLOCK && ## Deploy the new rules. After this, everything goes to DOCKER-BLOCK then to RETURN /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -g DOCKER-BLOCK || true } ## install the PREROUTING rules for the DOCKER chain in case docker starts after @@ -21,11 +24,7 @@ deploy_docker_block() { ## Block new connections while we restore the first PREROUTING RULES /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state NEW -j RETURN install_docker_block ## Delete installed rules, we need to ensure they always are at the top ## If rules were already installed, it would mean that the second and third rule @@ -38,7 +37,7 @@ while true; do done ## Re-deploy the right rules on the top. After this, the flow is restored to DOCKER-BLOCK /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -g DOCKER-BLOCK ## Remove the blocking rule, which should be unreachable after deploy_docker_block anyway while true; do -
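Review bot: `install_docker_block` chains `-N … && -I … -g DOCKER-BLOCK || true`, so the trailing `|| true` swallows a failure of the PREROUTING insert as well as the expected "chain already exists" failure of `-N`, and `set -e` never sees it. The later unconditional `-I PREROUTING … -g DOCKER-BLOCK` in the third hunk would re-add the jump on the same run, but a genuinely broken insert (wrong table, missing match module) still passes silently here. An `if` on the chain creation keeps the intent and lets the insert itself fail loudly under `set -e`. `deploy_docker_block`, which calls this function, starts and ends outside the hunk.
```shell
install_docker_block() {
  ## One time install rules for the DOCKER-BLOCK chain.
  ## -N fails when the chain already exists; the insert is then skipped on purpose,
  ## but a failure of the insert itself still aborts the script under set -e.
  if /sbin/iptables -t nat -N DOCKER-BLOCK; then
    ## Deploy the new rules. After this, everything goes to DOCKER-BLOCK then to RETURN
    /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -g DOCKER-BLOCK
  fi
}
```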
tehmoon revised this gist
Jul 18, 2019 . 1 changed file with 25 additions and 5 deletions.There are no files selected for viewing
@@ -8,22 +8,42 @@ FILE="${CWD}/$(basename "${0}")" chown root:root "${FILE}" chmod o-rwx "${FILE}" set -x deploy_docker_block() { /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK } ## install the PREROUTING rules for the DOCKER chain in case docker starts after /sbin/iptables -t nat -N DOCKER || true ## Block new connections while we restore the first PREROUTING RULES /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state NEW -j RETURN ## One time install rules for the DOCKER-BLOCK chain /sbin/iptables -t nat -N DOCKER-BLOCK && { ## Deploy the new rules. After this, everything goes to DOCKER-BLOCK then to RETURN deploy_docker_block } || true ## Delete installed rules, we need to ensure they always are at the top ## If rules were already installed, it would mean that the second and third rule ## are going to be deleted. We still have the RETURN on top. while true; do /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j RETURN || break done while true; do /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK || break done ## Re-deploy the right rules on the top. After this, the flow is restored to DOCKER-BLOCK deploy_docker_block ## Remove the blocking rule, which should be unreachable after deploy_docker_block anyway while true; do /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state NEW -j RETURN || break done ## Only let established connections go through while we flush the rules /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER -
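Review bot: The last line inserts `-m state --state ESTABLISHED -j DOCKER` into nat PREROUTING "to let established connections go through while we flush", but the nat table is consulted only for the first packet of a connection (later packets reuse the conntrack NAT binding), so a rule matching ESTABLISHED there should never fire, and the protection the comment describes comes from conntrack rather than from this rule. If that matches your understanding, say so instead of keeping a rule that implies otherwise, e.g. `## NOTE: nat rules only see the first packet of a flow; existing connections keep their DNAT binding via conntrack`. The same applies to `NEW,ESTABLISHED` in the DOCKER-BLOCK example rules, where only NEW can ever match. Also note that the new `set -x` traces every iptables command to stderr on every run; if this is invoked from cron or a unit file that is a lot of log noise for no gain, so consider leaving it off or guarding it behind an environment variable.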
tehmoon revised this gist
Jul 18, 2019 . 1 changed file with 4 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -36,7 +36,10 @@ deploy_docker_block #/sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j DOCKER ## Restore the flow ## Loop trying to delete the rule in case the script failed above, we don't want to add more than one rule while true; do /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER || break done ## The INPUT chain is set to drop, then we flush it and reinstall the rules. ## Finally we restore the policy on the chain -
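Review bot: The new `while true; do … -D … || break; done` loop terminates only because iptables exits non-zero once no matching rule is left, but it reads as an infinite loop and hides that the exit status is the loop condition. `iptables -C` (check, available in reasonably recent iptables) states the intent directly and keeps the `set -e` semantics: `while /sbin/iptables -t nat -C PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER 2>/dev/null; do` / `  /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER` / `done`. Whichever form is kept, a one-line comment that the loop ends when `-D` reports no such rule would help the next reader.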
tehmoon revised this gist
Jul 11, 2019 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -33,7 +33,7 @@ deploy_docker_block ## Add your new rules below, allowing new connections ## Don't forget the NEW and ESTABLISHED states #/sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j DOCKER ## Restore the flow /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER || true -
tehmoon revised this gist
Jul 11, 2019 . 1 changed file with 23 additions and 9 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -8,25 +8,39 @@ FILE="${CWD}/$(basename "${0}")" chown root:root "${FILE}" chmod o-rwx "${FILE}" deploy_docker_block() { /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK } ## Install and restore the PREROUTING rules for the DOCKER-BLOCK chain /sbin/iptables -t nat -N DOCKER-BLOCK && { deploy_docker_block } || true deploy_docker_block /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j RETURN || true /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK || true ## install the PREROUTING rules for the DOCKER chain in case docker starts after /sbin/iptables -t nat -N DOCKER || true ## Only let established connections go through while we flush the rules /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER ## Flush the rules of DOCKER-BLOCK, at this point new connections will be blocked /sbin/iptables -t nat -F DOCKER-BLOCK ## Add your new rules below, allowing new connections ## Don't forget the NEW and ESTABLISHED states /sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j DOCKER ## Restore the flow /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER || true ## The INPUT chain is set to drop, then we flush it and reinstall the rules. ## Finally we restore the policy on the chain ## Remember that those rules don't apply to docker /sbin/iptables -t filter -P INPUT DROP /sbin/iptables -t filter -F INPUT /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT -
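Review bot: The example `-A DOCKER-BLOCK -p tcp -m tcp --dport 8080 … -j DOCKER` line is now a live rule rather than a commented template, so anyone running this revision as-is re-exposes whatever container Docker has published on 8080 right after the flush above it; a template rule in a firewall script should stay commented (`#/sbin/iptables -t nat -A DOCKER-BLOCK … --dport 8080 …`) or be driven by a variable. The revision also drops the old "Careful about the reverse order" note while keeping the two `-I` calls in `deploy_docker_block`, where the RETURN must be inserted first so that DOCKER-BLOCK ends up above it; that ordering is easy to break on a later edit, so a comment inside the function is worth keeping: `## -I prepends, so insert RETURN first; final order is DOCKER-BLOCK then RETURN`.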
tehmoon created this gist
Feb 24, 2019 .There are no files selected for viewing
@@ -0,0 +1,36 @@ #!/bin/sh set -e ## SEE https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45 CWD=$(cd "$(dirname "${0}")"; pwd -P) FILE="${CWD}/$(basename "${0}")" chown root:root "${FILE}" chmod o-rwx "${FILE}" ## Restore/install the PREROUTING rules for the DOCKER-BLOCK chain ## Careful about the reverse order /sbin/iptables -t nat -N DOCKER-BLOCK || true /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j RETURN || true /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK || true ## Restore/install the PREROUTING rules for the DOCKER chain in case docker starts after /sbin/iptables -t nat -N DOCKER || true /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER || true ## Flush the rules of DOCKER-BLOCK /sbin/iptables -t nat -F DOCKER-BLOCK #/sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW -j DOCKER ## The INPUT chain is set to drop, then we flush it and reinstall the rules. ## Finally we restore the policy on the chain /sbin/iptables -t filter -P INPUT DROP /sbin/iptables -t filter -F INPUT /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT /sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT /sbin/iptables -t filter -A INPUT -j DROP /sbin/iptables -t filter -P INPUT ACCEPT
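Review bot: The filter INPUT chain accepts `--state ESTABLISHED` only, so RELATED packets (ICMP errors such as fragmentation-needed or port-unreachable tied to an existing flow, and helper-tracked secondary connections) hit the final `-j DROP`; the conventional rule is `/sbin/iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT`. The sequence `-P INPUT DROP`, flush, rebuild, `-P INPUT ACCEPT` is a sound fail-closed design under `set -e` and deserves a comment saying that an aborted run intentionally leaves the policy at DROP. Nothing here touches ip6tables, so if the host has a global IPv6 address the same services would be unfiltered by this script over v6; either mirror the INPUT rules with ip6tables or state in the header that IPv6 is expected to be disabled on the host.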