  1. #!/bin/sh
  2. set -e
  3.  
  4. ## SEE https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
  5.  
  6. CWD=$(cd "$(dirname "${0}")"; pwd -P)
  7. FILE="${CWD}/$(basename "${0}")"
  8. chown root:root "${FILE}"
  9. chmod o-rwx "${FILE}"
  10.  
  11. set -x
  12.  
#######################################
# Put the two steering rules back at the head of nat PREROUTING.
# Insert order matters: RETURN goes in first and is pushed to position 2
# by the DOCKER-BLOCK insert, so locally-destined packets traverse
# DOCKER-BLOCK first and, if nothing matched there, hit RETURN, which
# bypasses whatever follows in PREROUTING (presumably the DOCKER jump
# installed by dockerd — see the linked article).
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
deploy_docker_block() {
  _steer_local() {
    /sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -j "$1"
  }
  _steer_local RETURN
  _steer_local DOCKER-BLOCK
}
  17.  
## Make sure the DOCKER chain exists so the rules below can reference it even
## when dockerd has not started yet (-N fails if it is already there).
/sbin/iptables -t nat -N DOCKER || :

## Temporary rule while the steering rules are rebuilt: hand ESTABLISHED
## traffic straight to DOCKER so existing connections keep working.
## NOTE(review): the nat table is normally consulted only for the first packet
## of a connection, so a --state ESTABLISHED match here may never fire —
## confirm on the target kernel before relying on it for the swap window.
/sbin/iptables -t nat -I PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER

## One-time creation of the DOCKER-BLOCK chain; the allow list lives in it.
/sbin/iptables -t nat -N DOCKER-BLOCK || :

## Remove every existing copy of the steering rules so the re-insert below
## lands at the very top. -D fails once no matching rule is left, which ends
## each loop (a failing loop condition does not trip set -e).
while /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j RETURN; do :; done
while /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -j DOCKER-BLOCK; do :; done

## Re-insert at the top; from here on local traffic goes through DOCKER-BLOCK.
deploy_docker_block

## Empty DOCKER-BLOCK. Until allow rules are appended below, new connections
## to published ports fall through to the RETURN rule and never reach DOCKER.
/sbin/iptables -t nat -F DOCKER-BLOCK

## Append the allow rules here, one per published port. Each one must match
## NEW (and ESTABLISHED) and jump to DOCKER, e.g.:
#/sbin/iptables -t nat -A DOCKER-BLOCK -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j DOCKER

## Drop the temporary ESTABLISHED rule again. Looped so that a copy left
## behind by an earlier aborted run is removed too and only one rule is
## ever present.
while /sbin/iptables -t nat -D PREROUTING -m addrtype --dst-type LOCAL -m state --state ESTABLISHED -j DOCKER; do :; done

## Host filter INPUT chain. Remember these rules do not apply to Docker
## traffic: DNAT'ed packets for containers go through FORWARD, not INPUT.
## The policy is set to DROP *before* the flush so a failure mid-way leaves
## the host closed rather than open. The trailing explicit DROP is the
## effective default; the policy is then restored to ACCEPT. NOTE(review):
## that means a later `iptables -F INPUT` by another tool fails open — keep
## the policy at DROP (and accept the lock-out risk) if that is not wanted.
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -F INPUT
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -P INPUT ACCEPT