#!/bin/sh
## Gate Docker's published ports behind an allow-list chain (DOCKER-BLOCK) in
## the nat PREROUTING table, then rebuild the host's filter INPUT chain.
## SEE https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
##
## Requires root: the self-chown below fails otherwise and -e aborts the run.
## Every iptables invocation is kept in its original order on purpose: -I always
## inserts at position 1, so the order of calls decides the order of rules.
set -e

## Make the script root-owned and unreadable/unwritable by "other" before
## tracing starts.
CWD=$(cd "$(dirname "${0}")"; pwd -P)
FILE="${CWD}/$(basename "${0}")"
chown root:root "${FILE}"
chmod o-rwx "${FILE}"
set -x

#######################################
## Remove every copy of one nat/PREROUTING rule.
## iptables -D deletes a single matching rule per call and fails once none is
## left, which terminates the loop. A command used as a while condition is
## exempt from -e, so a missing rule never aborts the script.
## Arguments: the rule specification, exactly as passed to iptables.
#######################################
purge_prerouting_rule() {
  while /sbin/iptables -t nat -D PREROUTING "$@"; do
    :
  done
}

#######################################
## Put the two gate rules at the top of nat/PREROUTING.
## Both calls use -I, so the second one ends up first; resulting order:
##   1. -j DOCKER-BLOCK   (allow-list for published ports)
##   2. -j RETURN         (anything not allowed leaves PREROUTING here, so a
##                         -j DOCKER rule further down the chain is never hit)
#######################################
deploy_docker_block() {
  /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j RETURN
  /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK
}

#######################################
## Rebuild the nat-table gate. Chains may already exist (created by Docker or
## by a previous run), so chain creation is allowed to fail.
#######################################
configure_nat() {
  ## Create DOCKER ourselves in case the daemon starts after this script.
  /sbin/iptables -t nat -N DOCKER || true
  ## Temporary top rule: already-established flows keep going to DOCKER while
  ## the gate rules are torn down and re-inserted.
  /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER
  /sbin/iptables -t nat -N DOCKER-BLOCK || true
  ## Drop stale copies of both gate rules so they can be re-inserted at the top
  ## instead of accumulating lower down.
  purge_prerouting_rule -m addrtype --dst-type LOCAL -j RETURN
  purge_prerouting_rule -m addrtype --dst-type LOCAL -j DOCKER-BLOCK
  deploy_docker_block
  ## Empty the allow-list: from here until rules are added below, new
  ## connections to published ports are not handed to DOCKER.
  /sbin/iptables -t nat -F DOCKER-BLOCK
  ## Add your new rules below, allowing new connections
  ## Don't forget the NEW and ESTABLISHED states
  #/sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j DOCKER
  ## Restore the flow: remove the temporary ESTABLISHED rule, every copy of it,
  ## in case an earlier run aborted before reaching this point.
  purge_prerouting_rule -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER
}

#######################################
## Rebuild filter/INPUT for the host itself (container traffic is not governed
## by these rules). The chain is set to DROP while it is flushed and refilled,
## and the policy is restored to ACCEPT behind an explicit final DROP rule.
## NOTE: if any command here fails, -e aborts with policy DROP still in place
## and possibly no SSH accept rule yet, i.e. remote access to the host is lost.
#######################################
configure_input() {
  /sbin/iptables -t filter -P INPUT DROP
  /sbin/iptables -t filter -F INPUT
  /sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
  /sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
  ## NOTE(review): only ESTABLISHED is accepted here; RELATED (e.g. ICMP errors
  ## belonging to existing flows) is not - confirm this is intended.
  /sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
  ## The catch-all DROP must stay the last rule: once the policy is ACCEPT again
  ## it is this rule, not the policy, that rejects everything else.
  /sbin/iptables -t filter -A INPUT -j DROP
  /sbin/iptables -t filter -P INPUT ACCEPT
}

configure_nat
configure_input