From 980aa80f198dee61cd455a1b4182efaa2e64b51d Mon Sep 17 00:00:00 2001
From: Noah
Date: Thu, 28 May 2020 14:57:54 +0200
Subject: [PATCH] Add ferm installation instructions

---
 06_firewall_ferm.md | 139 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 139 insertions(+)
 create mode 100644 06_firewall_ferm.md

diff --git a/06_firewall_ferm.md b/06_firewall_ferm.md
new file mode 100644
index 0000000..3fd5bb4
--- /dev/null
+++ b/06_firewall_ferm.md
@@ -0,0 +1,139 @@
+# Firewall setup (iptables) with ferm
+* https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely
+
+* `sudo apt install ferm`
+* select no on the prompt if it should be enabled at boot
+* `sudo vim /etc/ferm/ferm.conf`
+```
+# /etc/ferm/ferm.conf
+
+# Default rules
+domain (ip ip6) {
+ table filter {
+ # Default Policies
+ chain INPUT {
+ policy DROP;
+
+ # respond to ping
+ proto icmp ACCEPT;
+
+ # allow SSH connections
+ proto tcp dport ssh ACCEPT;
+ }
+
+ chain OUTPUT policy ACCEPT;
+
+ # loopback traffic
+ chain INPUT interface lo ACCEPT;
+ chain OUTPUT outerface lo ACCEPT;
+
+ chain (INPUT OUTPUT) {
+ # connection tracking
+ mod state state INVALID DROP;
+ mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+ }
+ }
+}
+
+# Local rules
+@include ferm.d/;
+```
+
+* `sudo vim /etc/ferm/ferm.d/00-docker.ferm`
+```
+# /etc/ferm/ferm.d/00-docker.ferm
+
+domain (ip ip6) {
+ table filter {
+ chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
+ }
+
+ table nat {
+ chain (DOCKER DOCKER-INGRESS PREROUTING OUTPUT POSTROUTING) @preserve;
+ }
+}
+
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.ssh.ferm`
+* **is in default, not necessary**
+```
+domain (ip ip6) {
+ table filter chain INPUT proto tcp dport 22 ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.nginx.ferm`
+```
+domain (ip ip6) {
+ table filter chain DOCKER-USER
+
+ # Incoming traffic bound for a docker service will come in
+ # to the FORWARD chain on eth0 and exit on docker_gwbridge
+ interface eth0 outerface docker_gwbridge
+
+ # The destination port here is the port listening IN THE DOCKER CONTAINER
+ # Often times that is the same as the host port, but not always
+ proto tcp dport (80 443)
+
+ ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.mailcow.ferm`
+```
+domain (ip ip6) {
+ table filter chain DOCKER-USER
+
+ # Incoming traffic bound for a docker service will come in
+ # to the FORWARD chain on eth0 and exit on docker_gwbridge
+ interface eth0 outerface docker_gwbridge
+
+ # The destination port here is the port listening IN THE DOCKER CONTAINER
+ # Often times that is the same as the host port, but not always
+ proto tcp dport (25 465 587 143 993 110 995 4190)
+
+ ACCEPT;
+}
+```
+
+* `sudo vim /etc/ferm/ferm.d/20-in.docker.ts3.ferm`
+```
+domain (ip ip6) {
+ table filter chain DOCKER-USER
+
+ # Incoming traffic bound for a docker service will come in
+ # to the FORWARD chain on eth0 and exit on docker_gwbridge
+ interface eth0 outerface docker_gwbridge
+
+ # The destination port here is the port listening IN THE DOCKER CONTAINER
+ # Often times that is the same as the host port, but not always
+ proto tcp dport (10011 30033)
+
+ ACCEPT;
+}
+
+domain (ip ip6) {
+ table filter chain DOCKER-USER
+
+ interface eth0 outerface docker_gwbridge
+
+ proto udp dport (9987 9988)
+
+ ACCEPT;
+}
+```
+
+* `/etc/ferm/ferm.d/99-docker.ferm`
+```
+domain (ip ip6) table filter chain DOCKER-USER {
+ interface eth0 outerface docker_gwbridge {
+ mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
+ DROP;
+ }
+ RETURN;
+}
+```
+
+* edit /etc/default/ferm to enable it
+* sudo systemctl enable ferm
\ No newline at end of file