Automatically manage firewall rules (iptables) for services #1

Merged
quentin merged 7 commits from add-firewall-rules into master 2020-07-04 15:16:23 +00:00
6 changed files with 12 additions and 19 deletions

Cargo.lock generated

@ -1210,9 +1210,9 @@ dependencies = [
[[package]] [[package]]
name = "tokio" name = "tokio"
version = "0.2.11" version = "0.2.21"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fdd17989496f49cdc57978c96f0c9fe5e4a58a8bddc6813c449a4624f6a030b" checksum = "d099fa27b9702bed751524694adbe393e18b36b204da91eb1cbbbbb4a5ee2d58"
dependencies = [ dependencies = [
"bytes 0.5.4", "bytes 0.5.4",
"fnv", "fnv",


@ -11,7 +11,7 @@ reqwest = { version = "0.10", features = ["json"] }
igd = { version = "0.10.0", features = ["aio"] } igd = { version = "0.10.0", features = ["aio"] }
log = "0.4" log = "0.4"
pretty_env_logger = "0.4" pretty_env_logger = "0.4"
tokio = "0.2.11" tokio = "0.2"
futures = "0.3.5" futures = "0.3.5"
serde = { version = "1.0.107", features = ["derive"] } serde = { version = "1.0.107", features = ["derive"] }
serde_json = "1.0.53" serde_json = "1.0.53"


@ -1,5 +1,4 @@
use anyhow::Result; use anyhow::Result;
use log::*;
use tokio::try_join; use tokio::try_join;
use crate::consul_actor::ConsulActor; use crate::consul_actor::ConsulActor;
use crate::igd_actor::IgdActor; use crate::igd_actor::IgdActor;


@ -1,7 +1,6 @@
use iptables; use iptables;
use regex::Regex; use regex::Regex;
use std::collections::HashSet; use std::collections::HashSet;
use std::io;
use crate::messages; use crate::messages;
#[derive(Debug)] #[derive(Debug)]
@ -15,14 +14,16 @@ impl From<iptables::error::IPTError> for FirewallError {
pub fn setup(ipt: &iptables::IPTables) -> Result<(), FirewallError> { pub fn setup(ipt: &iptables::IPTables) -> Result<(), FirewallError> {
if !ipt.chain_exists("filter", "DIPLONAT")? {
ipt.new_chain("filter", "DIPLONAT")?; ipt.new_chain("filter", "DIPLONAT")?;
ipt.insert("filter", "INPUT", "-j DIPLONAT", 1)?; }
ipt.insert_unique("filter", "INPUT", "-j DIPLONAT", 1)?;
Ok(()) Ok(())
} }
pub fn open_ports(ipt: &iptables::IPTables, ports: messages::PublicExposedPorts) -> Result<(), FirewallError> { pub fn open_ports(ipt: &iptables::IPTables, ports: messages::PublicExposedPorts) -> Result<(), FirewallError> {
for p in ports.tcp_ports { for p in ports.tcp_ports {
ipt.append("filter", "DIPLONAT", &format!("-p tcp --dport {} -j ACCEPT", p))?; ipt.append("filter", "DIPLONAT", &format!("-p tcp --dport {} -j ACCEPT", p))?;
} }
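Review bot: The new `setup` still fails on a second run if the `-j DIPLONAT` jump is already present in INPUT, because, as far as I recall the `iptables` crate, `insert_unique` reports an already-existing rule as an error rather than a no-op (worth confirming against the crate version pinned in Cargo.lock). Guarding the jump the same way the chain is guarded, `if !ipt.exists("filter", "INPUT", "-j DIPLONAT")? { ipt.insert("filter", "INPUT", "-j DIPLONAT", 1)?; }`, makes the function idempotent across restarts. A doc comment on `setup` should also say that the jump is placed at position 1, so the DIPLONAT chain is consulted before every other INPUT rule, and that rules already present in a pre-existing DIPLONAT chain are left in place rather than flushed. `open_ports` continues past the end of the hunk.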


@ -1,8 +1,4 @@
use igd::aio::*; use anyhow::Result;
use igd::PortMappingProtocol;
use std::net::SocketAddrV4;
use log::*;
use anyhow::{Result, Context};
use tokio::{ use tokio::{
select, select,
sync::watch, sync::watch,
@ -10,6 +6,7 @@ use tokio::{
self, self,
Duration Duration
}}; }};
use log::*;
use iptables; use iptables;
use crate::messages; use crate::messages;
@ -17,7 +14,7 @@ use crate::fw;
use std::collections::HashSet; use std::collections::HashSet;
pub struct FirewallActor { pub struct FirewallActor {
ipt: iptables::IPTables, pub ipt: iptables::IPTables,
rx_ports: watch::Receiver<messages::PublicExposedPorts>, rx_ports: watch::Receiver<messages::PublicExposedPorts>,
last_ports: messages::PublicExposedPorts, last_ports: messages::PublicExposedPorts,
refresh: Duration refresh: Duration
@ -25,8 +22,6 @@ pub struct FirewallActor {
impl FirewallActor { impl FirewallActor {
pub async fn new(_refresh: Duration, rxp: &watch::Receiver<messages::PublicExposedPorts>) -> Result<Self> { pub async fn new(_refresh: Duration, rxp: &watch::Receiver<messages::PublicExposedPorts>) -> Result<Self> {
let ctx = Self { let ctx = Self {
ipt: iptables::new(false).unwrap(), ipt: iptables::new(false).unwrap(),
rx_ports: rxp.clone(), rx_ports: rxp.clone(),
@ -61,7 +56,6 @@ impl FirewallActor {
} }
pub async fn do_fw_update(&self) -> Result<()> { pub async fn do_fw_update(&self) -> Result<()> {
let curr_opened_ports = fw::get_opened_ports(&self.ipt).unwrap(); let curr_opened_ports = fw::get_opened_ports(&self.ipt).unwrap();
let diff_tcp = self.last_ports.tcp_ports.difference(&curr_opened_ports.tcp_ports).copied().collect::<HashSet<u16>>(); let diff_tcp = self.last_ports.tcp_ports.difference(&curr_opened_ports.tcp_ports).copied().collect::<HashSet<u16>>();

Nice idea the set difference ;)

Nice idea the set difference ;)

Thanks a lot :)

Thanks a lot :)
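Review bot: Making `ipt` a `pub` field (hunk `@ -17,7 +14,7 @@`) hands the raw iptables handle to whoever holds the actor, which sidesteps the actor's own update path; `pub(crate) ipt: iptables::IPTables,` states the intended reach more precisely, since the field presumably only needs to be reachable by the crate's own setup code. A one-line doc comment on the field saying why it is exposed, e.g. `/// Exposed so the caller can run fw::setup against the same handle before updates start.`, would help, hedged here because the caller is not part of this diff. The `do_fw_update` hunk at the end of this section is cut off by the page, so its body is not reviewed.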


@ -7,7 +7,6 @@ mod diplonat;
mod fw; mod fw;
mod fw_actor; mod fw_actor;
use iptables;
use log::*; use log::*;
use diplonat::Diplonat; use diplonat::Diplonat;