1 changed files with 139 additions and 0 deletions
Split View
Diff Options
-
+139 -006_firewall_ferm.md
+ 139
- 0
06_firewall_ferm.md
View File
| @@ -0,0 +1,139 @@ | |||
| # Firewall setup (iptables) with ferm | |||
| * https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely | |||
| * `sudo apt install ferm` | |||
| * select no on the prompt if it should be enabled at boot | |||
| * `sudo vim /etc/ferm/ferm.conf` | |||
| ``` | |||
| # /etc/ferm/ferm.conf | |||
| # Default rules | |||
| domain (ip ip6) { | |||
| table filter { | |||
| # Default Policies | |||
| chain INPUT { | |||
| policy DROP; | |||
| # respond to ping | |||
| proto icmp ACCEPT; | |||
| # allow SSH connections | |||
| proto tcp dport ssh ACCEPT; | |||
| } | |||
| chain OUTPUT policy ACCEPT; | |||
| # loopback traffic | |||
| chain INPUT interface lo ACCEPT; | |||
| chain OUTPUT outerface lo ACCEPT; | |||
| chain (INPUT OUTPUT) { | |||
| # connection tracking | |||
| mod state state INVALID DROP; | |||
| mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT; | |||
| } | |||
| } | |||
| } | |||
| # Local rules | |||
| @include ferm.d/; | |||
| ``` | |||
| * `sudo vim /etc/ferm/ferm.d/00-docker.ferm` | |||
| ``` | |||
| # /etc/ferm/ferm.d/00-docker.ferm | |||
| domain (ip ip6) { | |||
| table filter { | |||
| chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve; | |||
| } | |||
| table nat { | |||
| chain (DOCKER DOCKER-INGRESS PREROUTING OUTPUT POSTROUTING) @preserve; | |||
| } | |||
| } | |||
| ``` | |||
| * `sudo vim /etc/ferm/ferm.d/20-in.ssh.ferm` | |||
| * **is in default, not necessary** | |||
| ``` | |||
| domain (ip ip6) { | |||
| table filter chain INPUT proto tcp dport 22 ACCEPT; | |||
| } | |||
| ``` | |||
| * `sudo vim /etc/ferm/ferm.d/20-in.docker.nginx.ferm` | |||
| ``` | |||
| domain (ip ip6) { | |||
| table filter chain DOCKER-USER | |||
| # Incoming traffic bound for a docker service will come in | |||
| # to the FORWARD chain on eth0 and exit on docker_gwbridge | |||
| interface eth0 outerface docker_gwbridge | |||
| # The destination port here is the port listening IN THE DOCKER CONTAINER | |||
| # Often times that is the same as the host port, but not always | |||
| proto tcp dport (80 443) | |||
| ACCEPT; | |||
| } | |||
| ``` | |||
| * `sudo vim /etc/ferm/ferm.d/20-in.docker.mailcow.ferm` | |||
| ``` | |||
| domain (ip ip6) { | |||
| table filter chain DOCKER-USER | |||
| # Incoming traffic bound for a docker service will come in | |||
| # to the FORWARD chain on eth0 and exit on docker_gwbridge | |||
| interface eth0 outerface docker_gwbridge | |||
| # The destination port here is the port listening IN THE DOCKER CONTAINER | |||
| # Often times that is the same as the host port, but not always | |||
| proto tcp dport (25 465 587 143 993 110 995 4190) | |||
| ACCEPT; | |||
| } | |||
| ``` | |||
| * `sudo vim /etc/ferm/ferm.d/20-in.docker.ts3.ferm` | |||
| ``` | |||
| domain (ip ip6) { | |||
| table filter chain DOCKER-USER | |||
| # Incoming traffic bound for a docker service will come in | |||
| # to the FORWARD chain on eth0 and exit on docker_gwbridge | |||
| interface eth0 outerface docker_gwbridge | |||
| # The destination port here is the port listening IN THE DOCKER CONTAINER | |||
| # Often times that is the same as the host port, but not always | |||
| proto tcp dport (10011 30033) | |||
| ACCEPT; | |||
| } | |||
| domain (ip ip6) { | |||
| table filter chain DOCKER-USER | |||
| interface eth0 outerface docker_gwbridge | |||
| proto udp dport (9987 9988) | |||
| ACCEPT; | |||
| } | |||
| ``` | |||
| * `/etc/ferm/ferm.d/99-docker.ferm` | |||
| ``` | |||
| domain (ip ip6) table filter chain DOCKER-USER { | |||
| interface eth0 outerface docker_gwbridge { | |||
| mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT; | |||
| DROP; | |||
| } | |||
| RETURN; | |||
| } | |||
| ``` | |||
| * edit /etc/default/ferm to enable it | |||
| * sudo systemctl enable ferm | |||