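#!/usr/bin/env bash
#
# Generate and load a host firewall ruleset for a cluster node.
#
# The generated iptables filter table accepts loopback, a few ICMP types,
# established/related connections, traffic from the other cluster members
# (as reported by `fleetctl list-machines`) and from docker0, and new TCP
# connections on ports 22, 2222, 80 and 443; everything else is logged and
# rejected.  The ruleset is written to /var/lib/iptables/rules-save, the
# iptables-restore service is enabled, and the ruleset is loaded live.
#
# Environment:
#   NEW_NODE  optional address of a node that is not yet registered with fleet;
#             it is appended to the list of accepted cluster addresses.
#   DEBUG     when unset or empty the generated ruleset is echoed to stdout
#             (this is the script's historical behaviour, kept as-is).
#
# Requires: curl, jq, fleetctl, sudo, iptables and iptables-restore.
#
# The script aborts before touching the live firewall whenever a precondition
# fails: once Firewall-INPUT has been flushed, a failed restore would leave
# INPUT/FORWARD at their DROP policy with nothing accepted, which locks the
# operator out over ssh.
set -euo pipefail

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

readonly RULES_FILE=/var/lib/iptables/rules-save

# Obtain the etcd members and check that there are at least three.
# A failing curl/jq pipeline (etcd not reachable) counts as zero members
# instead of aborting silently under `set -e`, so the message below is shown.
ETCD_NODES=$(curl -s http://localhost:4001/v2/members | jq '.[] | .[].peerURLs | length' | wc -l) || ETCD_NODES=0
if (( ETCD_NODES < 3 )); then
  die "etcd is not working correctly. Verify the etcd cluster is running before the execution of this script."
fi

echo "Obtaining IP addresses of the nodes in the cluster..."
# One address per array element; fleetctl's failure shows up as an empty list.
mapfile -t machine_ips < <(fleetctl list-machines --fields=ip --no-legend | awk '{ print $1 }')
if [[ -n "${NEW_NODE:-}" ]]; then
  machine_ips+=("$NEW_NODE")
fi

# Refuse to build a ruleset with an empty or malformed `-s` list: iptables-restore
# would reject it, and any stray text would end up inside the firewall file.
(( ${#machine_ips[@]} > 0 )) || die "No cluster IPs found (is fleet running?). Refusing to write the firewall rules."
for ip in "${machine_ips[@]}"; do
  [[ "$ip" =~ ^[0-9A-Fa-f.:/]+$ ]] || die "Unexpected address in cluster IP list: '$ip'"
done

# Comma-separated list as expected by `iptables -s addr[,addr...]`.
MACHINES_IP=$(IFS=,; printf '%s' "${machine_ips[*]}")

echo "Cluster IPs: $MACHINES_IP"

echo "Creating firewall Rules..."
# Firewall Template
template=$(cat <<EOF
*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s $MACHINES_IP -j ACCEPT

# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT

# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT

# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT

COMMIT
EOF
)

# Historical behaviour: the ruleset is echoed unless DEBUG is set.
if [[ -z "${DEBUG:-}" ]]; then
  printf '%s\n' "$template"
fi

echo "Saving firewall Rules"
printf '%s\n' "$template" | sudo tee "$RULES_FILE" > /dev/null

echo "Enabling iptables service"
sudo systemctl enable iptables-restore.service

# Parse the saved ruleset without committing it, so a syntax error is caught
# while the current firewall is still intact.
sudo /sbin/iptables-restore --test --noflush "$RULES_FILE" \
  || die "Generated ruleset in $RULES_FILE does not parse; the live firewall was left untouched."

# Flush custom rules before the restore (so this script is idempotent).
# The chain does not exist on a fresh host, so a failed flush is not an error.
sudo /usr/sbin/iptables -F Firewall-INPUT 2> /dev/null || true

echo "Loading custom iptables firewall"
sudo /sbin/iptables-restore --noflush "$RULES_FILE" \
  || die "iptables-restore failed; inspect the firewall state before leaving this host."

echo "Done"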