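#!/usr/bin/env bash
#
# custom-firewall.sh — build and load an iptables ruleset that trusts the other
# nodes of the fleet/etcd cluster and accepts ssh/http/https/git from anywhere.
#
# Usage:    [NEW_NODE=<address>] [DEBUG=1] ./custom-firewall.sh
# Env:      NEW_NODE  optional extra address appended to the fleet machine list
#           DEBUG     when non-empty, print the rendered ruleset before loading it
# Requires: fleetctl, curl, sudo, iptables, iptables-restore.
#           /opt/bin/jq is downloaded if absent.
set -euo pipefail

readonly JQ_BIN=/opt/bin/jq
# GitHub Pages serves this over TLS; the original fetched it over plain HTTP.
readonly JQ_URL=https://stedolan.github.io/jq/download/linux64/jq
readonly ETCD_MEMBERS_URL=http://localhost:4001/v2/members
readonly RULES_FILE=/var/lib/iptables/rules-save

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Download jq when it is not already present.
# curl -f turns an HTTP error into a failure instead of leaving an HTML error
# page behind as an executable "jq". The binary is still not integrity-checked;
# pin a known digest (placeholder: <JQ_SHA256>) if this script stays in use.
# Globals:   JQ_BIN, JQ_URL
#######################################
ensure_jq() {
  if [[ ! -f "$JQ_BIN" ]]; then
    echo "$JQ_BIN is missing. Downloading..."
    curl -fsSL -o "$JQ_BIN" "$JQ_URL" || die "Failed to download jq from $JQ_URL"
    chmod +x "$JQ_BIN"
  fi
}

#######################################
# Require at least three etcd members; abort otherwise.
# The count is the number of peerURLs lists in the members API answer; a
# failed request or unparsable answer counts as zero members. The original
# only printed the warning and carried on, installing a firewall whose
# trusted-address list could be incomplete.
# Globals:   ETCD_MEMBERS_URL, JQ_BIN
#######################################
check_etcd() {
  local members
  members=$(curl -s "$ETCD_MEMBERS_URL" | "$JQ_BIN" '.[] | .[].peerURLs | length' | wc -l) \
    || members=0
  if (( members < 3 )); then
    die "etcd is not working correctly. Verify the etcd cluster is running before the execution of this script."
  fi
}

#######################################
# Print the comma-separated list of cluster node addresses: the fleet machine
# IPs plus $NEW_NODE when set. Aborts when the list would be empty (an empty
# "-s" argument breaks iptables-restore) or when an entry contains characters
# that cannot belong to an address/CIDR, because the value is written verbatim
# into the rules file.
# Globals:   NEW_NODE (read)
# Outputs:   the joined list on stdout
#######################################
collect_cluster_ips() {
  local -a ips=()
  local ip
  mapfile -t ips < <(fleetctl list-machines --fields=ip --no-legend | awk '{ print $1 }')
  if [[ -n "${NEW_NODE:-}" ]]; then
    ips+=("$NEW_NODE")
  fi
  (( ${#ips[@]} > 0 )) || die "No cluster IPs found; refusing to write an empty -s rule"
  for ip in "${ips[@]}"; do
    [[ "$ip" =~ ^[A-Za-z0-9.:/_-]+$ ]] || die "Invalid cluster address: '$ip'"
  done
  local IFS=,
  printf '%s\n' "${ips[*]}"
}

#######################################
# Render the iptables ruleset to stdout.
# Arguments: $1 - comma-separated source addresses to accept unconditionally
#######################################
render_rules() {
  local machines_ip=$1
  cat <<EOF
*filter

:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Firewall-INPUT - [0:0]
-A INPUT -j Firewall-INPUT
-A FORWARD -j Firewall-INPUT
-A Firewall-INPUT -i lo -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Firewall-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

# Ping
-A Firewall-INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Accept any established connections
-A Firewall-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Enable the traffic between the nodes of the cluster
-A Firewall-INPUT -s $machines_ip -j ACCEPT

# Allow connections from docker container
-A Firewall-INPUT -i docker0 -j ACCEPT

# Accept ssh, http, https and git
-A Firewall-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,2222,80,443 -j ACCEPT

# Log and drop everything else
-A Firewall-INPUT -j LOG
-A Firewall-INPUT -j REJECT

COMMIT
EOF
}

#######################################
# Entry point: verify prerequisites, render the ruleset, persist it and load it.
# Globals:   DEBUG (read), RULES_FILE
#######################################
main() {
  local machines_ip rules

  ensure_jq
  check_etcd

  echo "Obtaining IP addresses of the nodes in the cluster..."
  machines_ip=$(collect_cluster_ips)
  echo "Cluster IPs: $machines_ip"

  echo "Creating firewall Rules..."
  rules=$(render_rules "$machines_ip")
  # The original tested -z, i.e. dumped the rules only when DEBUG was *unset*;
  # DEBUG is meant to turn the dump on.
  if [[ -n "${DEBUG:-}" ]]; then
    printf '%s\n' "$rules"
  fi

  echo "Saving firewall Rules"
  printf '%s\n' "$rules" | sudo tee "$RULES_FILE" > /dev/null

  echo "Enabling iptables service"
  sudo systemctl enable iptables-restore.service

  # Flush custom rules before the restore (so this script is idempotent).
  # The chain does not exist yet on a fresh node, so this flush may fail.
  # NOTE(review): --noflush below keeps whatever is already in INPUT/FORWARD,
  # so the "-A INPUT -j Firewall-INPUT" jump may accumulate across runs —
  # confirm with `iptables -S INPUT` after a second run.
  sudo /usr/sbin/iptables -F Firewall-INPUT 2> /dev/null || true

  echo "Loading custom iptables firewall"
  sudo /sbin/iptables-restore --noflush "$RULES_FILE"

  echo "Done"
}

main "$@"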