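#!/usr/bin/env bash
#
# custom-firewall.sh - install a restrictive IPv4 iptables policy on a node:
# accept loopback, a few ICMP types, established/related traffic, the other
# nodes of the fleet cluster, the docker0 bridge and new TCP connections on
# 22, 2222, 80 and 443; log and reject everything else.
#
# Usage:  custom-firewall.sh        (run on the node; uses sudo)
# Env:    DEBUG  - when non-empty, print the generated ruleset to stdout
#
# Requires: fleetctl (peer discovery), sudo, systemctl,
#           /sbin/iptables-restore and the iptables-restore.service unit.
set -euo pipefail

readonly RULES_FILE=/var/lib/iptables/rules-save

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Discover the IP addresses of every machine in the fleet cluster.
# Outputs:  comma-separated IPv4 address list on stdout
# Returns:  non-zero if fleetctl fails, returns nothing, or returns anything
#           that is not a plain list of dotted addresses
#######################################
cluster_ips() {
  local ips
  ips=$(fleetctl list-machines --fields=ip --no-legend \
    | awk '{ print $1 }' \
    | paste -sd, -) || return 1
  [[ -n "$ips" ]] || return 1
  # The value is interpolated verbatim into a rules file that iptables-restore
  # parses as rule syntax, and the generated table is IPv4-only (icmp,
  # icmp-host-prohibited): allow only digits, dots and separating commas.
  [[ "$ips" =~ ^[0-9.]+(,[0-9.]+)*$ ]] || return 1
  printf '%s\n' "$ips"
}

#######################################
# Render the iptables-restore ruleset.
# Arguments: $1 - comma-separated list of cluster node IPs to trust
# Outputs:   the complete *filter table on stdout
#######################################
render_rules() {
  local machines_ip=$1
  cat <<EOF
*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s $machines_ip -j ACCEPT

# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT

# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT

# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT
EOF
}

main() {
  local machines_ip template

  echo "Obtaining IP addresses of the nodes in the cluster..."
  # An empty or malformed peer list must not reach the rules file: with a
  # default-DROP INPUT chain it would either fail to load or lock out peers.
  machines_ip=$(cluster_ips) \
    || die "could not determine cluster IPs from fleetctl; not touching the firewall"
  echo "Cluster IPs: $machines_ip"

  echo "Creating firewall Rules..."
  template=$(render_rules "$machines_ip")

  # The original tested -z, which printed the ruleset only when DEBUG was
  # *unset*; a set DEBUG is the intended trigger.
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%s\n' "$template"
  fi

  # Parse-check before persisting: the file is enabled for restore at boot
  # below, so a syntactically broken ruleset must never be saved.
  printf '%s\n' "$template" | sudo /sbin/iptables-restore --test \
    || die "generated ruleset failed iptables-restore --test; not saving"

  echo "Saving firewall Rules"
  printf '%s\n' "$template" | sudo tee "$RULES_FILE" > /dev/null

  echo "Enabling iptables service"
  sudo systemctl enable iptables-restore.service

  echo "Loading custom iptables firewall"
  sudo /sbin/iptables-restore --noflush "$RULES_FILE"

  echo "Done"
}

main "$@"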