Automatically manage firewall rules (iptables) for services #1

Merged
quentin merged 7 commits from add-firewall-rules into master 2020-07-04 15:16:23 +00:00
4 changed files with 17 additions and 15 deletions


@ -18,6 +18,6 @@ COPY ./src ./src
RUN cargo build --release RUN cargo build --release
FROM debian:bullseye-slim FROM debian:bullseye-slim
RUN apt-get update && apt-get install -y libssl1.1 RUN apt-get update && apt-get install -y libssl1.1 iptables
COPY --from=builder /srv/target/release/diplonat /usr/local/sbin/diplonat COPY --from=builder /srv/target/release/diplonat /usr/local/sbin/diplonat
CMD ["/usr/local/sbin/diplonat"] CMD ["/usr/local/sbin/diplonat"]
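Review bot: The new `apt-get install -y libssl1.1 iptables` on the runtime stage pulls in recommended packages and leaves the apt lists in the final image, which is the one that runs privileged; I would change it to `RUN apt-get update && apt-get install -y --no-install-recommends libssl1.1 iptables && rm -rf /var/lib/apt/lists/*` so the privileged image carries only what the binary needs. Separately, to my knowledge the `iptables` package on bullseye defaults to the nft backend, so if the host it is operating on (privileged, per the README change in this PR) still uses iptables-legacy, rules written from the container and rules seen by the host's own tooling may live in different kernel tables — worth either pinning the backend with `update-alternatives --set iptables /usr/sbin/iptables-legacy` or documenting which backend the host must use. I cannot see from this hunk how the crate invokes the binary, so please confirm against the firewall module before choosing.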


@ -4,7 +4,7 @@ Diplonat
## Feature set ## Feature set
* [X] (Re)Configure NAT via UPNP/IGD (prio: high) * [X] (Re)Configure NAT via UPNP/IGD (prio: high)
* [ ] (Re)Configure nftable (prio: low) * [X] (Re)Configure iptables (prio: low)
* [ ] (Re)Configure DNS via ??? (prio: low) * [ ] (Re)Configure DNS via ??? (prio: low)
## Understand scope ## Understand scope
@ -17,11 +17,24 @@ Diplonat
## Operate ## Operate
You need to add the following to your nomad config file :
```
client {
[...]
options {
docker.privileged.enabled = "true"
darkgallium marked this conversation as resolved
Review

Uuuuh nicely spot, I did not think to it but it makes sense :)
Thanks for testing the whole pipeline!

Uuuuh nicely spot, I did not think to it but it makes sense :) Thanks for testing the whole pipeline!
}
}
```
```bash ```bash
cargo build cargo build
consul agent -dev # in a separate terminal consul agent -dev # in a separate terminal
# adapt following values to your configuratio # adapt following values to your configuration
export DIPLONAT_PRIVATE_IP="192.168.0.18" export DIPLONAT_PRIVATE_IP="192.168.0.18"
export DIPLONAT_REFRESH_TIME="60" export DIPLONAT_REFRESH_TIME="60"
export DIPLONAT_EXPIRATION_TIME="300" export DIPLONAT_EXPIRATION_TIME="300"


@ -73,15 +73,3 @@ pub fn cleanup(ipt: &iptables::IPTables) -> Result<(), FirewallError> {
Ok(()) Ok(())
} }
/*
fn main() {
let ipt = iptables::new(false).unwrap();
setup(&ipt);
let mut test: HashSet<Port> = HashSet::new();
test.insert(Port { proto: String::from("tcp"), number: 443 });
let a = get_opened_ports(&ipt);
let l = test.difference(&a).collect::<Vec<&Port>>();
println!("{:?}", l);
}
*/


@ -78,3 +78,4 @@ impl FirewallActor {
} }
} }