
I'm trying to do the following:

  • Block all internal traffic
  • Allow access to ports 81, 82 only if IP is X.X.X.X
  • Allow all traffic out including port 22

I think I got it working BUT now I can't telnet to port 22 as it's being blocked:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -s 10.0.0.0/16 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o br-007253d18d56 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-007253d18d56 -j DOCKER
-A FORWARD -i br-007253d18d56 ! -o br-007253d18d56 -j ACCEPT
-A FORWARD -i br-007253d18d56 -o br-007253d18d56 -j ACCEPT
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER -d 172.20.0.3/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.20.0.5/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.20.0.6/32 ! -i br-007253d18d56 -o br-007253d18d56 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i br-007253d18d56 ! -o br-007253d18d56 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o br-007253d18d56 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -p tcp -m multiport --dports 81:82 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -j RETURN

Updated rules:

-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -i eth1 -p tcp -m multiport --dports 81:82 -j DROP
-A DOCKER-USER -j RETURN

1 Answer


It would be best to know the state of how the interfaces are connected.

This would be the best shot, but may not be optimal:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-378207e135f2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-378207e135f2 -j DOCKER
-A FORWARD -i br-378207e135f2 ! -o br-378207e135f2 -j ACCEPT
-A FORWARD -i br-378207e135f2 -o br-378207e135f2 -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-465a6988e9e5 -j DOCKER
-A FORWARD -i br-465a6988e9e5 ! -o br-465a6988e9e5 -j ACCEPT
-A FORWARD -i br-465a6988e9e5 -o br-465a6988e9e5 -j ACCEPT
-A DOCKER -d 172.19.0.2/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 601 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 82 -j ACCEPT
-A DOCKER -d 172.19.0.3/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 81 -j ACCEPT
-A DOCKER -d 172.19.0.5/32 ! -i br-378207e135f2 -o br-378207e135f2 -p tcp -m tcp --dport 11211 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-378207e135f2 ! -o br-378207e135f2 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-378207e135f2 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER ! -s 10.0.0.16/32 -j REJECT --reject-with icmp-port-unreachable
-A DOCKER-USER -p tcp -m tcp --dport 22 -j ACCEPT
-A DOCKER-USER -j RETURN

If you have more than one IP address to allow, you could use ipset:

Create ipset

ipset create allowed hash:ip

and add your IP addresses

ipset add allowed 10.0.0.1

and finally enter the rule into iptables

-A INPUT -p tcp --dport 81 -m set --match-set allowed src -j ACCEPT
-A INPUT -p tcp --dport 82 -m set --match-set allowed src -j ACCEPT
  • Thanks for your help! It doesn't seem to be working unfortunately, could it be due to the rules added by DOCKER? – Alex Latour Sep 12 '19 at 13:35
  • @AlexLatour the only reason for it not to work would be if my assumptions were incorrect. Is that the case? What purpose does the machine serve? Is traffic passing through it or is it just an originator or sink? – Tom Trebicky Sep 12 '19 at 13:38
  • The machine is used to run one of the two website apps behind a LB. I only want to accept traffic from the load balancer to be able to communicate with the docker containers. Besides traffic from the LB everything needs to be blocked (except SSH, ports for monitoring etc). I'm using OpenStack and it doesn't seem like I can block internal traffic with the firewall as the port security module isn't enabled within the Horizon/OVH. – Alex Latour Sep 12 '19 at 14:03
  • I found somewhat of a solution from the Docker docs; the reason why it wasn't working originally was because I forgot to replace the ext_if with the actual interface. I modified my original question with my new rules. – Alex Latour Sep 12 '19 at 14:12
  • @AlexLatour ok, my assumptions were incorrect. Check the solution now. – Tom Trebicky Sep 12 '19 at 14:37
  • Works well. After reading the docs I re-worked it and it was the same as what you suggested. The only issue I'm having now is that other instances on the internal network can telnet to port 22, which is odd since internal traffic is blocked? The odds are basically 0 that somebody can get into the server through SSH but I'm interested in how it could also be blocked unless specified, as there's only one instance (deployments) that should be able to 22. – Alex Latour Sep 12 '19 at 15:04
  • @AlexLatour that should not happen in the latest iteration. Port 22 will only be accessible by `10.0.0.16`. – Tom Trebicky Sep 12 '19 at 15:23
  • It's working now, got everything sorted and applied similar rules to my other instances on my network, thanks for help! – Alex Latour Sep 13 '19 at 13:15
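As an added example (not part of the question or the answer above): a small POSIX shell script that combines the answer's ipset suggestion with the asker's working DOCKER-USER rule. Published container ports are forwarded traffic, so the allow-list match is placed in DOCKER-USER rather than INPUT; the script prints the ipset and iptables commands instead of running them, so the result can be reviewed before being piped into sh as root. The set name lb_allowed is made up; eth1, ports 81/82 and 10.0.0.16 are the values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: generate ipset + DOCKER-USER rules
# that restrict Docker-published ports to an allow-list of source addresses.
# Dry run by default: review the output, then `sh rules.sh | sudo sh` to apply.
# Assumptions: external interface eth1, set name lb_allowed (made up),
# ports 81,82 and allowed source 10.0.0.16 (taken from the thread).
set -eu

EXT_IF="${EXT_IF:-eth1}"
SET_NAME="${SET_NAME:-lb_allowed}"
PORTS="${PORTS:-81,82}"

# Emit the ipset commands: create the set if it is missing, then add each
# allowed IP. "-exist" makes both steps safe to re-run.
gen_ipset() {
    echo "ipset create $SET_NAME hash:ip -exist"
    for ip in "$@"; do
        echo "ipset add $SET_NAME $ip -exist"
    done
}

# Emit the DOCKER-USER rules. Traffic to published container ports traverses
# FORWARD, where Docker jumps to DOCKER-USER first, so this is where the
# filter must live (INPUT never sees these packets). The chain is flushed
# first so the script is idempotent; the trailing RETURN Docker installs is
# re-added at the end.
gen_docker_user() {
    echo "iptables -F DOCKER-USER"
    # Replies to connections the containers opened must keep flowing.
    echo "iptables -A DOCKER-USER -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
    # Allow-listed sources may reach the published ports from the outside.
    echo "iptables -A DOCKER-USER -i $EXT_IF -p tcp -m multiport --dports $PORTS -m set --match-set $SET_NAME src -j RETURN"
    # Everyone else arriving on the external interface for those ports is dropped.
    echo "iptables -A DOCKER-USER -i $EXT_IF -p tcp -m multiport --dports $PORTS -j DROP"
    echo "iptables -A DOCKER-USER -j RETURN"
}

# Full command list for the given allowed IPs.
gen_all() {
    gen_ipset "$@"
    gen_docker_user
}

gen_all 10.0.0.16
```

Adding a second load balancer later is one `ipset add` rather than a new iptables rule, and the DROP rule stays unchanged.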