Prevent docker from overriding firewall rules (feat. @flavio-fernandes
…) (#187)
notthebee committed May 9, 2023
1 parent ff5f721 commit 10ee590
Showing 10 changed files with 78 additions and 18 deletions.
4 changes: 4 additions & 0 deletions handlers/main.yml
Expand Up @@ -8,3 +8,7 @@
community.general.docker_container:
name: bunkerweb
restart: yes

- name: Enable and reload ufw
community.general.ufw:
state: enabled

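Review bot: The new `Enable and reload ufw` handler is a duplicate of the `UFW enable` handler that this same commit adds in roles/system/handlers/main.yml — both call `community.general.ufw` with `state: enabled` — so a task that notifies both (the after.rules task in roles/system/tasks/firewall-Debian.yml does) enables and reloads ufw twice in one run. Keep a single handler, this play-level one, and have every task notify it by name. The lint annotations also flag that the file now ends without a newline.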
14 changes: 5 additions & 9 deletions inventory.yml
Expand Up @@ -19,9 +19,7 @@ all:
enable_passwordless_sudo: yes

# Whether or not you want to generate a public key pair for SSH auth
# The playbook will not generate a new pair if $HOME/.ssh/authorized_keys exists and isn't empty
enable_ssh_keygen: yes

# The playbook will not generate a new pair if $HOME/.ssh/authorized_keys exists and isn't empty enable_ssh_keygen: yes
# Uncomment this line if you already have a public SSH key and put your public key in it
# This overrides `enable_ssh_keygen`
# ssh_public_key: ""
Expand Down Expand Up @@ -59,6 +57,10 @@ all:

docker_dir: "/opt/docker"

docker_subnet: "10.8.2.0/24"

docker_subnet_prefix: "{{ docker_subnet | regex_replace('.0/[0-9]{1,2}') }}"

# You can set it to a different port in order to avoid automated scanner bots
ssh_port: 22

Expand Down Expand Up @@ -90,12 +92,6 @@ all:

enable_firewall: true
firewall_ports:
- port: "{{ wireguard_port }}"
proto: "udp"
- port: "80"
proto: "tcp"
- port: "443"
proto: "tcp"
- port: "{{ ssh_port }}"
proto: "tcp"

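Review bot: `docker_subnet_prefix` derives the network part with `regex_replace('.0/[0-9]{1,2}')`, where the leading `.` is an unescaped wildcard and the pattern silently matches nothing for a subnet whose network address does not end in `.0` (a /25 such as `10.8.2.128/25`, constructed example), leaving the full CIDR in the prefix and producing invalid `ipv4_address` values in every role that appends a host octet. Escape and anchor it, `docker_subnet_prefix: "{{ docker_subnet | regex_replace('\\.0/[0-9]{1,2}$', '') }}"`, and add a comment above `docker_subnet` stating that it must be a /24 whose address ends in `.0`. The `firewall_ports` entries for 80/443 and `{{ wireguard_port }}` that the third hunk appears to remove are presumably now covered by the per-container ufw tasks; a one-line comment saying so would stop someone re-adding them.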
4 changes: 2 additions & 2 deletions roles/authelia/tasks/main.yml
Expand Up @@ -35,7 +35,7 @@
image: "redis:alpine"
networks:
- name: wg_network
ipv4_address: 10.8.2.3
ipv4_address: "{{ docker_subnet_prefix }}.3"
pull: yes
state: "started"
restart_policy: unless-stopped
Expand All @@ -49,7 +49,7 @@
image: "authelia/authelia:{{ authelia_version }}"
networks:
- name: wg_network
ipv4_address: 10.8.2.4
ipv4_address: "{{ docker_subnet_prefix }}.4"
pull: yes
state: "started"
volumes:
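Review bot: Only the network part of the container address becomes variable here (`"{{ docker_subnet_prefix }}.3"` and `.4`); the host octet stays a literal that is now spread across roles/authelia, roles/dns (`.2`), roles/bunkerweb (`.5`), roles/wireguard (`.8`) and the gateway `.1` in roles/docker_network, with nothing that would catch two roles choosing the same octet before the container tasks fail at run time. Defining the full addresses once next to `docker_subnet` in inventory.yml (for example `authelia_redis_ip` and `authelia_ip`, constructed names) and referencing those here keeps the allocation visible in one place; the same applies to the dns, bunkerweb and wireguard hunks.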
14 changes: 13 additions & 1 deletion roles/bunkerweb/tasks/main.yml
Expand Up @@ -27,7 +27,7 @@
image: "bunkerity/bunkerweb:{{ bunkerweb_version }}"
networks:
- name: wg_network
ipv4_address: 10.8.2.5
ipv4_address: "{{ docker_subnet_prefix }}.5"
pull: yes
state: "started"
env_file: "{{ docker_dir }}/bunkerweb/.env"
Expand All @@ -38,3 +38,15 @@
- "{{ docker_dir }}/bunkerweb/data:/data"
- "/lib/modules:/lib/modules"
restart_policy: unless-stopped

- name: Allow access to the container via UFW
notify: Enable and reload ufw
community.general.ufw:
rule: allow
proto: tcp
port: "{{ item }}"
from: any
to: "{{ docker_subnet_prefix }}.5"
loop:
- 8443
- 8080

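Review bot: The `Allow access to the container via UFW` task creates an ordinary `ufw allow ... to <container address>` rule, which ufw places in its input chain, while traffic to a container address is forwarded traffic; if I read the new after.rules template correctly, that traffic is sent from `DOCKER-USER` to `ufw-user-forward`, the chain that only `ufw route` rules populate. Add `route: true` to the `community.general.ufw` arguments so the rule is created as a route rule; the same applies to the new ufw task in roles/wireguard/tasks/main.yml. Because `from: any` exposes 8443/8080 on every interface, a comment above the task such as `# Public entry point: bunkerweb is the reverse proxy for all services` would record that this exposure is deliberate.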
2 changes: 1 addition & 1 deletion roles/dns/tasks/main.yml
Expand Up @@ -53,7 +53,7 @@
image: adguard-unbound-doh
networks:
- name: wg_network
ipv4_address: 10.8.2.2
ipv4_address: "{{ docker_subnet_prefix }}.2"
state: "started"
restart_policy: unless-stopped
volumes:
6 changes: 3 additions & 3 deletions roles/docker_network/tasks/main.yml
Expand Up @@ -3,6 +3,6 @@
community.general.docker_network:
name: wg_network
ipam_config:
- subnet: 10.8.2.0/24
gateway: 10.8.2.1
iprange: 10.8.2.0/24
- subnet: "{{ docker_subnet }}"
gateway: "{{ docker_subnet_prefix }}.1"
iprange: "{{ docker_subnet }}"
3 changes: 3 additions & 0 deletions roles/system/handlers/main.yml
@@ -0,0 +1,3 @@
- name: UFW enable

community.general.ufw:
state: enabled

9 changes: 9 additions & 0 deletions roles/system/tasks/firewall-Debian.yml
Expand Up @@ -38,3 +38,12 @@
community.general.ufw:
state: enabled
policy: deny

- name: Template the UFW after.rules
notify: Enable and reload ufw
ansible.builtin.blockinfile:
content: "{{ lookup('template', 'templates/ufw/after.rules.j2') }}"
insertbefore: "COMMIT"
dest: /etc/ufw/after.rules
notify:

- UFW enable

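Review bot: The new `Template the UFW after.rules` task carries the `notify` key twice (`notify: Enable and reload ufw` and a second `notify:` list holding `- UFW enable`); a YAML mapping cannot hold a key twice, and Ansible's loader keeps the last one with at most a warning, so the first notification is silently dropped. Use one key, `notify: Enable and reload ufw`, and delete the trailing `notify:` / `- UFW enable` pair. `insertbefore: "COMMIT"` inserts before the last match by default, which is right for the stock single-table `after.rules` but would put the block into the wrong table if a host's file already carries a second table, so a comment stating that assumption next to `insertbefore` is worth adding. The lint annotations also flag trailing spaces and a missing newline at end of file.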
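--- /dev/null
+++ b/roles/system/templates/ufw/after.rules.j2
@@ -0,0 +1,27 @@
+# BEGIN UFW AND DOCKER
+:ufw-user-forward - [0:0]
+:ufw-docker-logging-deny - [0:0]
+:DOCKER-USER - [0:0]
+-A DOCKER-USER -j ufw-user-forward
+
+-A DOCKER-USER -j RETURN -s 10.0.0.0/8
+-A DOCKER-USER -j RETURN -s 172.16.0.0/12
+-A DOCKER-USER -j RETURN -s {{ docker_subnet }}
+-A DOCKER-USER -j RETURN -s 192.168.0.0/16
+
+-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
+
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
+-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d {{ docker_subnet }}
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
+-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d {{ docker_subnet }}
+
+-A DOCKER-USER -j RETURN
+
+-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
+-A ufw-docker-logging-deny -j DROP
+
+# END UFW AND DOCKER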
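Review bot: `-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN` exempts every UDP datagram whose source port is 53 from the logging-deny rules below, which is broader than the DNS replies it is there to admit; a connection-tracking exemption, `-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN`, admits the replies without trusting the source port. The block looks like it is carried over from the ufw-docker project, so this is upstream's behaviour, but a comment at the top of the template naming the origin and the reason for that rule would help the next reader. `{{ docker_subnet }}` is also substituted unquoted into three rules, so a malformed value in inventory.yml makes `iptables-restore` reject the whole after.rules and ufw fails to enable; stating the expected CIDR format in a comment above `docker_subnet` would make that failure easier to diagnose.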
13 changes: 11 additions & 2 deletions roles/wireguard/tasks/main.yml
Expand Up @@ -3,7 +3,7 @@
ansible.builtin.set_fact:
wg_dns: >-
{%- if enable_adguard_unbound_doh -%}
{%- set wg_dns = "10.8.2.2" -%}
{%- set wg_dns = "{{ docker_subnet_prefix }}.2" -%}
{%- else -%}
{%- if "cloudflare" in dns_nameservers -%}
{%- set wg_dns = "1.1.1.1,1.0.0.1" -%}
Expand Down Expand Up @@ -31,7 +31,7 @@
pull: yes
networks:
- name: wg_network
ipv4_address: 10.8.2.8
ipv4_address: "{{ docker_subnet_prefix }}.8"
sysctls:
"net.ipv4.conf.all.src_valid_mark": "1"
"net.ipv4.ip_forward": "1"
Expand All @@ -50,3 +50,12 @@
volumes:
- "{{ docker_dir }}/wg-easy:/etc/wireguard"
restart_policy: unless-stopped

- name: Allow access to the container via UFW
notify: Enable and reload ufw
community.general.ufw:
rule: allow
proto: udp
port: "51820"
from: any
to: "{{ docker_subnet_prefix }}.8"

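Review bot: In the `wg_dns` fact, `{%- set wg_dns = "{{ docker_subnet_prefix }}.2" -%}` places a `{{ }}` expression inside a Jinja string literal within a `{% set %}` tag, where Jinja does not evaluate it, so the fact holds the literal text and only works if Ansible happens to re-template the value on later use. Write it as a Jinja expression, `{%- set wg_dns = docker_subnet_prefix ~ ".2" -%}`. In the new ufw task further down, `port: "51820"` hard-codes the port that the inventory rule removed in this commit took from `{{ wireguard_port }}`; `port: "{{ wireguard_port }}"` keeps the firewall rule in step with the container when the variable changes.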
