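#!/usr/bin/env bash
#
# custom-firewall.sh — generate an iptables ruleset that only lets the other
# cluster members (as listed by fleetctl) and a few public service ports reach
# this host, save it to the iptables-restore rules file and load it.
#
# Environment:
#   NEW_NODE   optional IPv4 address (or a.b.c.d/nn) of a node that is joining
#              the cluster and is not yet listed by fleetctl; it is added to
#              the cluster allow rule.
#   DEBUG      when set and non-empty, the generated ruleset is printed to
#              stdout before it is saved.
#   JQ_SHA256  optional expected sha256 digest of the jq binary; when set, a
#              freshly downloaded jq is only installed if its digest matches.
#
# Requires: curl, fleetctl, sudo, iptables, iptables-restore, systemctl.
# jq is downloaded on demand when it is not already installed.
set -euo pipefail

readonly JQ_BIN=/opt/bin/jq
readonly JQ_URL=https://stedolan.github.io/jq/download/linux64/jq
readonly RULES_FILE=/var/lib/iptables/rules-save
readonly ETCD_MEMBERS_URL=http://localhost:4001/v2/members
readonly MIN_ETCD_NODES=3

# Print an error message to stderr and abort the script.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Check that a value looks like a dotted-quad IPv4 address, optionally with a
# /prefix length. Everything that is interpolated into the iptables-restore
# input goes through this check so that a stray space, newline or option-like
# token cannot add or alter rules.
# Arguments: $1 - value to check
# Returns:   0 if it matches, 1 otherwise
#######################################
is_ipv4_or_cidr() {
  local candidate=$1
  local re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
  [[ "$candidate" =~ $re ]]
}

#######################################
# Install jq into $JQ_BIN when it is missing. The download goes to a temporary
# file and is only moved into place after it succeeded (curl -f rejects HTTP
# error pages that would otherwise be saved as the "binary") and, when
# JQ_SHA256 is set, after its digest has been verified.
# Globals:   JQ_BIN, JQ_URL, JQ_SHA256 (read)
#######################################
ensure_jq() {
  [[ -x "$JQ_BIN" ]] && return 0
  echo "$JQ_BIN is missing. Downloading..."
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  if ! curl -fsSL -o "$tmp" "$JQ_URL"; then
    rm -f -- "$tmp"
    die "download of jq from $JQ_URL failed"
  fi
  if [[ -n "${JQ_SHA256:-}" ]]; then
    if ! printf '%s  %s\n' "$JQ_SHA256" "$tmp" | sha256sum -c --quiet -; then
      rm -f -- "$tmp"
      die "sha256 of downloaded jq does not match JQ_SHA256; refusing to install it"
    fi
  else
    # No digest supplied: the binary is trusted purely on the TLS connection.
    echo "warning: JQ_SHA256 not set, installing jq without integrity check" >&2
  fi
  chmod 0755 "$tmp"
  mkdir -p -- "${JQ_BIN%/*}"
  mv -- "$tmp" "$JQ_BIN"
}

#######################################
# Abort unless the etcd cluster reports at least MIN_ETCD_NODES members.
# A failed request or non-numeric answer counts as zero members.
# Globals:   ETCD_MEMBERS_URL, MIN_ETCD_NODES, JQ_BIN (read)
#######################################
check_etcd() {
  local members
  members=$(curl -fs "$ETCD_MEMBERS_URL" | "$JQ_BIN" '.members | length') || members=0
  [[ "$members" =~ ^[0-9]+$ ]] || members=0
  if (( members < MIN_ETCD_NODES )); then
    die "etcd is not working correctly ($members member(s) reported, need $MIN_ETCD_NODES). Verify the etcd cluster is running before the execution of this script."
  fi
}

#######################################
# Collect the IPv4 addresses of the cluster machines from fleetctl, plus
# NEW_NODE when set, and print them as a single comma-separated list.
# Every address is validated before it is accepted. An empty list is an error:
# a rule with an empty "-s" would make iptables-restore reject the whole
# ruleset.
# Globals:   NEW_NODE (read)
# Outputs:   comma-separated address list on stdout
#######################################
collect_machine_ips() {
  local raw
  raw=$(fleetctl list-machines --fields=ip --no-legend) \
    || die "fleetctl list-machines failed"
  local -a ips=()
  local ip
  while IFS= read -r ip; do
    [[ -n "$ip" ]] || continue
    is_ipv4_or_cidr "$ip" || die "unexpected machine IP reported by fleetctl: '$ip'"
    ips+=("$ip")
  done <<<"$raw"
  if [[ -n "${NEW_NODE:-}" ]]; then
    is_ipv4_or_cidr "$NEW_NODE" \
      || die "NEW_NODE must be an IPv4 address or a.b.c.d/nn, got '$NEW_NODE'"
    ips+=("$NEW_NODE")
  fi
  (( ${#ips[@]} > 0 )) \
    || die "no cluster IPs found; refusing to generate a ruleset with an empty allow list"
  local IFS=,
  printf '%s' "${ips[*]}"
}

#######################################
# Print the iptables-restore ruleset for the given cluster address list.
# Arguments: $1 - comma-separated, already validated address list
# Outputs:   ruleset on stdout
#######################################
render_rules() {
  local cluster_ips=$1
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s $cluster_ips -j ACCEPT
# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT
# Accept ssh, http, https and git
-A Firewall-INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,2222,80,443 -j ACCEPT
# Log (rate limited, so a flood cannot fill the journal) and drop everything else
-A Firewall-INPUT -m limit --limit 5/min --limit-burst 10 -j LOG
-A Firewall-INPUT -j REJECT
COMMIT
EOF
}

main() {
  ensure_jq
  check_etcd
  echo "Obtaining IP addresses of the nodes in the cluster..."
  local cluster_ips
  cluster_ips=$(collect_machine_ips)
  echo "Cluster IPs: $cluster_ips"
  echo "Creating firewall Rules..."
  local rules
  rules=$(render_rules "$cluster_ips")
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%s\n' "$rules"
  fi
  # Parse-only dry run. A ruleset that iptables-restore rejects must never get
  # past this point: the chain flush below would otherwise leave INPUT on its
  # DROP policy with no ACCEPT rules at all, locking out ssh as well.
  printf '%s\n' "$rules" | sudo /sbin/iptables-restore --test \
    || die "generated ruleset was rejected by iptables-restore --test; nothing was changed"
  echo "Saving firewall Rules"
  printf '%s\n' "$rules" | sudo tee "$RULES_FILE" > /dev/null
  echo "Enabling iptables service"
  sudo systemctl enable iptables-restore.service
  # Flush custom rules before the restore (so this script is idempotent).
  # On the first run the chain does not exist yet, so a failure here is expected.
  sudo /usr/sbin/iptables -F Firewall-INPUT 2> /dev/null || true
  echo "Loading custom iptables firewall"
  sudo /sbin/iptables-restore --noflush "$RULES_FILE"
  echo "Done"
}

main "$@"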