Workaround for ufw+docker issue: moby/moby#4737

ksylvan · Sep 18, 2017 · ed6b02f · ed6b02f · ksylvan · Sep 18, 2017
1 parent b319ffc
commit ed6b02f
Show file tree

Hide file tree

Showing 7 changed files with 52 additions and 7 deletions.
diff --git a/roles/mailserver/files/fail2ban/docker-badbots.conf b/roles/mailserver/files/fail2ban/docker-badbots.conf
@@ -2,10 +2,12 @@
 backend = pyinotify
 enabled = yes
 logpath  = /mnt/docker/nginx/log/access.log
+banaction = ufw-with-docker
 
 [bots-redirect]
 backend = pyinotify
 enabled = yes
 logpath  = /mnt/docker/nginx/log/access.log
 bantime = 172800
 maxretry = 1
+banaction = ufw-with-docker
diff --git a/roles/mailserver/files/fail2ban/ufw-docker-hack b/roles/mailserver/files/fail2ban/ufw-docker-hack
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# simple shell scrip to work around problems with using ufw+docker
+# See https://github.com/moby/moby/issues/4737
+#
+# This script is called by the fail2ban jails that monitor docker services.
+# It uses "ufw" to insert the (ineffective!) rules into the firewall,
+# and in addition makes changes to the DOCKER-USER table to deny the banned
+# IP addresses.
+#
+export PATH=/sbin:/usr/sbin:$PATH
+
+case "$1" in
+  ban)
+    ufw insert 1 deny from "$2" to any
+    iptables -I DOCKER-USER -p tcp -s "$2" -j DROP
+    ;;
+  unban)
+    ufw delete deny from "$2" to any
+    iptables -D DOCKER-USER -p tcp -s "$2" -j DROP
+    ;;
+  *)
+    echo "ERROR: unknown action: $1"
+    ;;
+esac
diff --git a/roles/mailserver/files/fail2ban/ufw-with-docker.conf b/roles/mailserver/files/fail2ban/ufw-with-docker.conf
@@ -0,0 +1,6 @@
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+actionban = /usr/local/bin/ufw-docker-hack ban <ip>
+actionunban = /usr/local/bin/ufw-docker-hack unban <ip>
diff --git a/roles/mailserver/tasks/main.yml b/roles/mailserver/tasks/main.yml
@@ -207,10 +207,16 @@
     owner: 991
     group: 991
 
-- name: fail2ban setup for apache_badbots
+- name: Install the ufw-docker-hack script
   copy:
-    src: files/fail2ban/docker-badbots.conf
-    dest: /etc/fail2ban/jail.d/docker-badbots.conf
+    src: files/fail2ban/ufw-docker-hack
+    dest: /usr/local/bin/ufw-docker-hack
+    mode: 0755
+
+- name: Install ufw-with-docker action for fail2ban
+  copy:
+    src: files/fail2ban/ufw-with-docker.conf
+    dest: /etc/fail2ban/action.d/ufw-with-docker.conf
   notify: Restart fail2ban
 
 - name: fail2ban filter for bots that hit the php apps (301)
@@ -219,6 +225,12 @@
     dest: /etc/fail2ban/filter.d/bots-redirect.conf
   notify: Restart fail2ban
 
+- name: fail2ban setup for apache_badbots and bots-redirect
+  copy:
+    src: files/fail2ban/docker-badbots.conf
+    dest: /etc/fail2ban/jail.d/docker-badbots.conf
+  notify: Restart fail2ban
+
 # Runs as root, not the deploy user this time.
 - name: Start stack if needed
   shell: /usr/local/bin/docker-compose up -d

diff --git a/roles/secure-server/files/ufw-action.conf → roles/secure-server/files/ufw.conf b/roles/secure-server/files/ufw-action.conf → roles/secure-server/files/ufw.conf
diff --git a/roles/secure-server/tasks/RedHat.yml b/roles/secure-server/tasks/RedHat.yml
@@ -23,6 +23,10 @@
 - name: Update all packages
   dnf: state=latest name='*'
 
+- name: Install ufw action for fail2ban for Redhat
+  copy: src=files/ufw-action.conf dest=/etc/fail2ban/action.d/ufw.conf
+  notify: Restart fail2ban
+
 - name: Set up fail2ban sshd jail on Redhat
   copy:
     src: files/sshd.conf

diff --git a/roles/secure-server/tasks/main.yml b/roles/secure-server/tasks/main.yml
@@ -81,10 +81,6 @@
               state=present
   notify: Restart ssh
 
-- name: Install ufw action for fail2ban
-  copy: src=files/ufw-action.conf dest=/etc/fail2ban/action.d/ufw.conf
-  notify: Restart fail2ban
-
 - name: Make fail2ban use ufw as default action
   copy: src=files/jail.local dest=/etc/fail2ban/jail.local
   notify: Restart fail2ban