https://www.lullabot.com/articles/convincing-docker-and-iptables-play-nicely
sudo apt install ferm
select No on the prompt that asks whether ferm should be enabled at boot
sudo vim /etc/ferm/ferm.conf
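# /etc/ferm/ferm.conf
# Default rules, generated for both IPv4 and IPv6 (domain ip6 -> ip6tables).
# ferm emits rules in the order they are written, so the loopback and
# connection-tracking rules are placed first and the per-service ACCEPTs
# after them: replies never have to walk the service rules, and packets
# conntrack considers INVALID are dropped before any ACCEPT can match them.
domain (ip ip6) {
    table filter {
        # Loopback traffic is always allowed in both directions.
        chain INPUT interface lo ACCEPT;
        chain OUTPUT outerface lo ACCEPT;
        chain (INPUT OUTPUT) {
            # Connection tracking: drop what belongs to no known connection,
            # accept replies to connections already seen.  Both rules use the
            # conntrack match; "mod state state" is only a deprecated alias
            # for the same thing.
            mod conntrack ctstate INVALID DROP;
            mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        }
        # Default policies
        chain INPUT {
            policy DROP;
            # Accepts every ICMP type, not only echo-request (ping); on IPv6
            # that is also what keeps neighbour discovery working under the
            # DROP policy.
            # NOTE(review): ferm is expected to emit ipv6-icmp for the ip6
            # domain here -- confirm with `ferm --lines /etc/ferm/ferm.conf`.
            proto icmp ACCEPT;
            # allow SSH connections ("ssh" is the service name, i.e. port 22)
            proto tcp dport ssh ACCEPT;
        }
        # Outgoing traffic is not filtered apart from the INVALID drop above.
        chain OUTPUT policy ACCEPT;
        # No FORWARD policy is set here: Docker maintains FORWARD itself and
        # ferm.d/00-docker.ferm marks it @preserve.
    }
}
# Local rules: every file in ferm.d/ is included.  The numeric prefixes are
# what keep the ACCEPTs in 20-*.ferm ahead of the catch-all DROP in
# 99-docker.ferm -- verify the include order after adding files.
@include ferm.d/;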
sudo vim /etc/ferm/ferm.d/00-docker.ferm
# /etc/ferm/ferm.d/00-docker.ferm
# ferm flushes and rebuilds every chain it knows about on each run; @preserve
# tells it to leave these Docker-managed chains (including the FORWARD chain
# and its policy) exactly as it finds them, so the daemon's own rules survive
# a ferm reload.  DOCKER-USER is deliberately absent from both lists: ferm
# owns that chain (see ferm.d/20-*.ferm and ferm.d/99-docker.ferm).
# NOTE(review): newer Docker releases create additional chains; after a Docker
# upgrade compare `iptables -S` and `iptables -t nat -S` against these lists
# and add anything that is missing, otherwise ferm will flush it.
domain (ip ip6) {
    table filter chain (DOCKER DOCKER-INGRESS DOCKER-ISOLATION-STAGE-1 DOCKER-ISOLATION-STAGE-2 FORWARD) @preserve;
    table nat chain (DOCKER DOCKER-INGRESS PREROUTING OUTPUT POSTROUTING) @preserve;
}
sudo vim /etc/ferm/ferm.d/20-in.ssh.ferm
# Allow inbound SSH on IPv4 and IPv6.  This duplicates the `proto tcp dport ssh
# ACCEPT;` rule already in /etc/ferm/ferm.conf; keeping it here only matters
# if that rule is ever removed from the base configuration.
domain (ip ip6) table filter chain INPUT proto tcp dport 22 ACCEPT;
sudo vim /etc/ferm/ferm.d/20-in.docker.nginx.ferm
# Publish the nginx container to the outside world.
domain (ip ip6) {
    table filter chain DOCKER-USER {
        # Packets for a docker service arrive in FORWARD on eth0 and leave
        # through docker_gwbridge; only that path is opened here.
        interface eth0 outerface docker_gwbridge {
            # dport is the port the process listens on INSIDE the container;
            # it often equals the published host port, but not always.
            proto tcp dport (80 443) ACCEPT;
        }
    }
}
sudo vim /etc/ferm/ferm.d/20-in.docker.mailcow.ferm
# Publish the mailcow mail services (SMTP, submission, IMAP, POP3, ManageSieve).
domain (ip ip6) {
    table filter chain DOCKER-USER {
        # Packets for a docker service arrive in FORWARD on eth0 and leave
        # through docker_gwbridge; only that path is opened here.
        interface eth0 outerface docker_gwbridge {
            # dport is the port the process listens on INSIDE the container;
            # it often equals the published host port, but not always.
            proto tcp dport (25 465 587 143 993 110 995 4190) ACCEPT;
        }
    }
}
sudo vim /etc/ferm/ferm.d/20-in.docker.ts3.ferm
# Publish the TeamSpeak 3 container: TCP for query/file transfer, UDP for voice.
domain (ip ip6) {
    table filter chain DOCKER-USER {
        # Packets for a docker service arrive in FORWARD on eth0 and leave
        # through docker_gwbridge; only that path is opened here.
        interface eth0 outerface docker_gwbridge {
            # dport is the port the process listens on INSIDE the container;
            # it often equals the published host port, but not always.
            proto tcp dport (10011 30033) ACCEPT;
            proto udp dport (9987 9988) ACCEPT;
        }
    }
}
/etc/ferm/ferm.d/99-docker.ferm
# /etc/ferm/ferm.d/99-docker.ferm
# Catch-all for DOCKER-USER.  It is evaluated last only because of the 99-
# prefix: anything from eth0 towards docker_gwbridge that no 20-*.ferm rule
# accepted is dropped here, apart from replies to connections that were
# already accepted.
domain (ip ip6) table filter chain DOCKER-USER {
    interface eth0 outerface docker_gwbridge mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
    interface eth0 outerface docker_gwbridge DROP;
    # Everything else is handed back to Docker's own FORWARD rules, which by
    # default allow every published port.  That covers traffic arriving on any
    # interface other than eth0 and -- presumably -- containers attached to
    # docker0 or user-defined bridges rather than docker_gwbridge; confirm that
    # every exposed service really sits behind docker_gwbridge, otherwise it is
    # not restricted by this file at all.
    RETURN;
}