richp10/1c367d3c67aec762788e
// This systemd unit runs iptables-restore on boot:
[Unit]
Description=Packet Filtering Framework
DefaultDependencies=no
After=systemd-sysctl.service
Before=sysinit.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecReload=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules
ExecStop=/usr/sbin/iptables --flush
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
// This is my iptables.rules file
# Adapted from here: http://wiki.centos.org/HowTos/OS_Protection
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Block spoofed source addresses on the external interface
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Accept pings
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A RH-Firewall-1-INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept ssh, http, https - add other tcp traffic ports here
-A RH-Firewall-1-INPUT -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
# Log and reject everything else
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
// After the machine has rebooted and a couple of docker containers have also started, this is the output of iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP all -- base-address.mcast.net/4 anywhere
DROP all -- 240.0.0.0/5 anywhere
DROP all -- anywhere loopback/8
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT udp -- anywhere 172.17.0.3 udp dpt:domain
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:5000
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere ctstate NEW multiport dports ssh,http,https
LOG all -- anywhere anywhere LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Thanks. If, like me, you need IPv6 rules as well, the unit file can be extended as follows:
ExecStart=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules ; /usr/sbin/ip6tables-restore /opt/docker/scripts/iptables/ip6tables.rules
ExecReload=/usr/sbin/iptables-restore /opt/docker/scripts/iptables/iptables.rules ; /usr/sbin/ip6tables-restore /opt/docker/scripts/iptables/ip6tables.rules
ExecStop=/usr/sbin/iptables --flush ; /usr/sbin/ip6tables --flush
Then create /opt/docker/scripts/iptables/ip6tables.rules with the required ruleset.
If you have an INPUT policy of DROP, stopping with only a --flush is a very bad idea. You will be immediately kicked off the system with no way back in if you did not create a console accessible account. Setting the POLICY for the default tables (INPUT, OUTPUT, and FORWARD) to ACCEPT before flushing is necessary.
Replace the iptables --flush line with iptables-restore and reference a file with this content:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
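A small static checker for iptables-restore files, added here as an example and not part of the gist or the comments above: it reports rules shadowed by an earlier catch-all jump and chains whose DROP policy a bare flush would leave in place, which is the lock-out the comment above describes. Run on the gist's own iptables.rules it flags the anti-spoofing DROP rules in INPUT as unreachable, because they come after the unconditional jump into RH-Firewall-1-INPUT, a chain that ends in REJECT. The embedded rulesets are constructed excerpts of the two files on this page.

```python
# Added example, not the gist's own code: static checks on an iptables-restore file.
# Finds rules shadowed by an earlier catch-all jump and DROP policies a flush would keep.
import re

TERMINATING = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return (policies, rules): chain -> policy, chain -> [(has_match, target)]."""
    policies, rules = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        m = re.match(r":(\S+)\s+(\S+)", line)             # ":INPUT DROP [0:0]"
        if m:
            policies[m.group(1)] = m.group(2)
        m = re.match(r"-A\s+(\S+)(.*?)-j\s+(\S+)", line)  # "-A INPUT -i lo -j ACCEPT"
        if m:
            chain, matches, target = m.groups()
            rules.setdefault(chain, []).append((bool(matches.strip()), target))
    return policies, rules

def catch_all(rules, rule):
    """True if `rule` matches every packet and never returns to the calling chain."""
    has_match, target = rule
    return not has_match and (target in TERMINATING or
                              any(catch_all(rules, r) for r in rules.get(target, [])))

def unreachable(rules, chain):
    """0-based indexes of rules in `chain` that sit behind a catch-all rule."""
    lst = rules.get(chain, [])
    for i, rule in enumerate(lst):
        if catch_all(rules, rule):
            return list(range(i + 1, len(lst)))
    return []

def lockout_chains(policies):
    """Built-in chains whose DROP policy a flush leaves in place."""
    return sorted(c for c, p in policies.items() if p == "DROP")

# Constructed excerpt of the gist's iptables.rules (most ACCEPT lines omitted).
GIST_RULES = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT"""
STOP_RULES = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT"
```

`unreachable(rules, "INPUT")` returns `[1]` for the excerpt and `lockout_chains` returns `['FORWARD', 'INPUT']` for the gist's policies and `[]` for the stop file.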
This firewall breaks name resolution in my containers.
Thought I'd reference this here in case anyone who stumbles upon this Gist would find it useful: A cloud-config file for CoreOS with persistent iptables rules using the built-in iptables-restore.service: https://gist.github.com/jimmycuadra/fe79ae8857f3f0d0cae1
Nice. I dropped the script into /etc/systemd/system/iptables.service and my rules into /etc/systemd/system/iptables.rules. The rules path aside, the unit worked as advertised. For those coming here via search engines, see also the CoreOS documentation for getting started with systemd.