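#!/usr/bin/env bash
#
# custom-firewall.sh — build an iptables ruleset that admits traffic from the
# other nodes of the fleet cluster (plus loopback, docker0, basic ICMP and
# ssh/http/https/git), persist it to /var/lib/iptables/rules-save and load it.
#
# Environment:
#   NEW_NODE  optional IPv4 address of a node that fleetctl does not list yet
#             but that must be allowed through (appended to the cluster list)
#   DEBUG     when non-empty, print the generated ruleset to stdout
#
# Requires: fleetctl, awk, sudo, systemctl, iptables, iptables-restore.
set -euo pipefail

readonly RULES_FILE=/var/lib/iptables/rules-save

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Collect the IP addresses of all cluster machines as a comma-separated list.
# Globals:   NEW_NODE (read)
# Outputs:   the list to stdout, no trailing comma
# Returns:   non-zero if fleetctl fails or no address could be determined
#######################################
collect_cluster_ips() {
  local ips
  ips=$(fleetctl list-machines --fields=ip --no-legend | awk -vORS=, '{ print $1 }') || return 1
  ips=${ips%,}
  # Only prepend a separator when fleetctl actually returned something, so a
  # lone NEW_NODE never yields a list with a leading comma.
  if [[ -n "${NEW_NODE:-}" ]]; then
    ips=${ips:+$ips,}$NEW_NODE
  fi
  # An empty list would render "-s  -j ACCEPT", which iptables-restore rejects
  # after the existing chain has already been flushed below.
  [[ -n "$ips" ]] || return 1
  printf '%s\n' "$ips"
}

#######################################
# Check that a comma-separated list consists only of dotted-quad IPv4 entries.
# The list is interpolated verbatim into the ruleset, so anything else (an
# error message from fleetctl, a stray option) must not reach iptables-restore.
# Arguments: $1 - comma-separated list
# Returns:   0 if every entry looks like an IPv4 address, 1 otherwise
#######################################
validate_ipv4_list() {
  local entry
  local -a entries=()
  IFS=, read -r -a entries <<<"$1"
  (( ${#entries[@]} > 0 )) || return 1
  for entry in "${entries[@]}"; do
    [[ "$entry" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
  done
  return 0
}

#######################################
# Render the iptables-restore ruleset for the given cluster addresses.
# Arguments: $1 - comma-separated list of cluster node IPv4 addresses
# Outputs:   the ruleset to stdout
#######################################
render_rules() {
  local cluster_ips=$1
  # NOTE(review): the LOG rule below has no rate limit; on a busy host every
  # rejected packet produces a kernel log line.
  cat <<EOF
*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s $cluster_ips -j ACCEPT

# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT

# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT

# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT

COMMIT
EOF
}

#######################################
# Entry point: gather addresses, render, persist and load the ruleset.
# Globals:   DEBUG (read), RULES_FILE (read)
#######################################
main() {
  local machines_ip template

  echo "Obtaining IP addresses of the nodes in the cluster..."
  machines_ip=$(collect_cluster_ips) \
    || die "Could not determine any cluster node IP address; refusing to install a ruleset without one"
  validate_ipv4_list "$machines_ip" \
    || die "Unexpected entry in cluster IP list: $machines_ip"
  echo "Cluster IPs: $machines_ip"

  echo "Creating firewall Rules..."
  template=$(render_rules "$machines_ip")

  # Show the generated ruleset only when debugging was requested.
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%s\n' "$template"
  fi

  echo "Saving firewall Rules"
  printf '%s\n' "$template" | sudo tee "$RULES_FILE" > /dev/null

  echo "Enabling iptables service"
  sudo systemctl enable iptables-restore.service

  # Flush custom rules before the restore (so this script is idempotent).
  # The chain does not exist yet on the first run, so a failure here is
  # expected and must not abort the script under set -e.
  sudo /usr/sbin/iptables -F Firewall-INPUT || true

  echo "Loading custom iptables firewall"
  sudo /sbin/iptables-restore --noflush "$RULES_FILE"

  echo "Done"
}

main "$@"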