Minifirewall is shellscripts for easy firewalling on a standalone server we used netfilter/iptables http://netfilter.org/ designed for recent Linux kernel See https://gitea.evolix.org/evolix/minifirewall
install --mode 0700 minifirewall /etc/init.d/minifirewall
install --mode 0600 minifirewall.conf /etc/default/minifirewall
mkdir --mode 0700 /etc/minifirewall.d
Edit /etc/default/minifirewall file:
- If your interface is not
eth0, changeINTvariable - If you don't use IPv6, set
IPv6='off' - Modify
INTLANvariable, probably with your<IP>/32or your local network if you trust it - Set your trusted and privilegied IP addresses in
TRUSTEDIPSandPRIVILEGIEDIPSvariables - Authorize your public services with
SERVICESTCP1andSERVICESUDP1variables - Authorize your semi-public services (only for
TRUSTEDIPSandPRIVILEGIEDIPS) withSERVICESTCP2andSERVICESUDP2variables - Authorize your private services (only for
TRUSTEDIPS) withSERVICESTCP3andSERVICESUDP3variables - Configure your authorizations for external services : DNS, HTTP, HTTPS, SMTP, SSH, NTP
- Add your specific rules
To use minifirewall with Docker you must to change the variable DOCKER='on'
By default, exposed services won't be reachable outside the host.
If you need to allow/deny access to outside hosts, you can rely on the chain MINIFW-DOCKER-INPUT-MANUAL
Note : this chain is only crossed by incoming 'tcp syn' packets.
Examples :
# Open publicly the docker service exposed on port 80
/sbin/iptables -I MINIFW-DOCKER-INPUT-MANUAL -p tcp -m conntrack --ctorigdstport 80 -j RETURN
# Open to 192.0.2.0/24 the docker service exposed on port 22
/sbin/iptables -I MINIFW-DOCKER-INPUT-MANUAL -p tcp -s 192.0.2.0/24 -m conntrack --ctorigdstport 22 -j RETURN
# Block 192.0.2.42 access the docker service exposed on port 22
/sbin/iptables -I MINIFW-DOCKER-INPUT-MANUAL -p tcp -s 192.0.2.42 -m conntrack --ctorigdstport 80 -j DROP
Also, in DOCKER='on', host services will be reachable to the containers that are connected on the default bridge (docker0).
From the container, you can reach them at 172.17.0.1 (unless docker0 has a different IP).
Ensure that your services listen on either 0.0.0.0 or 172.17.0.1/docker0. Keep in mind that some services may require you to allow the containers IP ranges (Postfix, PostgreSQL,...) For this case, you can allow 172.16.0.0/12
If you use different docker network bridge, you'll need to add rules for your network. You can use this one
# Accept all trafic from 172.16.0.0/12 (RFC1918) to reach 172.17.0.1
/sbin/iptables -I INPUT -p tcp --sport 1024:65535 -s 172.16.0.0/12 -d 172.17.0.1 -j ACCEPT
If you want to have fine-grained rules for controling the communication from containers to the host services, you can set DOCKER='manual'.
This way, no rules allowing communication from containers host services are created.
You can then create your own set of rules.
# Allow the containers to reach PostgreSQL (5432/tcp) on 172.17.0.1
/sbin/iptables -I INPUT -p tcp --sport 1024:65535 --dport 5432 -s 172.16.0.0/12 -d 172.17.0.1 -j ACCEPT
/etc/init.d/minifirewall start/stop/restart
If you want to add minifirewall in boot sequence, add the start command to /usr/share/scripts/alert5.
This is an Evolix project and is licensed under the GPLv3, see the LICENSE file for details.