handle docker rules & templatize custom rules

2026-05-27 19:13:33 +02:00
parent 9304fdc851
commit 6ced9cbcfa
3 changed files with 91 additions and 31 deletions
@@ -11,6 +11,7 @@ NAME=firewall
 DESC="packet filter"

 PUBIF="{{ firewall_public_interface | default(ansible_default_ipv4.interface | default('eth0')) }}"
+FIREWALL_DOCKER_SAFE="{{ firewall_docker_safe | default(true) | ternary('1', '0') }}"
 #PRIVATEIF=eth1

 case "$1" in
@@ -18,10 +19,28 @@ case "$1" in
        echo -n "Initializing $DESC. \n"
 	### IPv4 ###
 	echo " \033[33mIPv4 : \033[0m"
+
+        HAS_DOCKER4=0
+        if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT4 -S DOCKER >/dev/null 2>&1; then
+                HAS_DOCKER4=1
+        fi
+
+        # Reset only chains managed by this role.
+        $IPT4 -F INPUT
+        $IPT4 -F OUTPUT
+        $IPT4 -F ADMIN >/dev/null 2>&1 || true
+        $IPT4 -X ADMIN >/dev/null 2>&1 || true
+
+        if [ "$HAS_DOCKER4" -eq 0 ]; then
+                $IPT4 -F FORWARD
+                $IPT4 -P FORWARD DROP
+        else
+                echo " * Docker detected, preserving IPv4 FORWARD chain : \033[32m[OK] \033[0m"
+        fi
+
 	# DROP all incomming traffic
        $IPT4 -P INPUT DROP
 	$IPT4 -P OUTPUT DROP
-	$IPT4 -P FORWARD DROP
 	echo " * Deny all input and output IPv4 connections : \033[32m[OK] \033[0m"

 	# Unlimited access to loopback
@@ -67,10 +86,26 @@ case "$1" in

 	### IPv6 ###
 	echo " \033[33mIPv6 : \033[0m"
+
+        HAS_DOCKER6=0
+        if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT6 -S DOCKER >/dev/null 2>&1; then
+                HAS_DOCKER6=1
+        fi
+
+        # Reset only chains managed by this role.
+        $IPT6 -F INPUT
+        $IPT6 -F OUTPUT
+
+        if [ "$HAS_DOCKER6" -eq 0 ]; then
+                $IPT6 -F FORWARD
+                $IPT6 -P FORWARD DROP
+        else
+                echo " * Docker detected, preserving IPv6 FORWARD chain : \033[32m[OK] \033[0m"
+        fi
+
 	# DROP all incomming traffic
 	$IPT6 -P INPUT DROP
 	$IPT6 -P OUTPUT DROP
-	$IPT6 -P FORWARD DROP
        echo " * Deny all input and output IPv6 connections : \033[32m[OK] \033[0m"

        # Unlimited access to loopback
@@ -112,26 +147,43 @@ case "$1" in

  stop)
        echo -n "Resetting $DESC. \n"
+
+        HAS_DOCKER4=0
+        if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT4 -S DOCKER >/dev/null 2>&1; then
+                HAS_DOCKER4=1
+        fi
+
+        HAS_DOCKER6=0
+        if [ "$FIREWALL_DOCKER_SAFE" = "1" ] && $IPT6 -S DOCKER >/dev/null 2>&1; then
+                HAS_DOCKER6=1
+        fi
+
        ### IPv4 ###
-        $IPT4 -F
-        $IPT4 -X
-        $IPT4 -P FORWARD ACCEPT
+        $IPT4 -F INPUT
+        $IPT4 -F OUTPUT
+        $IPT4 -F ADMIN >/dev/null 2>&1 || true
+        $IPT4 -X ADMIN >/dev/null 2>&1 || true
+        if [ "$HAS_DOCKER4" -eq 0 ]; then
+                $IPT4 -F FORWARD
+                $IPT4 -P FORWARD ACCEPT
+        else
+                echo " * Docker detected, preserving IPv4 FORWARD chain : \033[32m[OK] \033[0m"
+        fi
        $IPT4 -P INPUT ACCEPT
        $IPT4 -P OUTPUT ACCEPT
-        $IPT4 -t nat -F
-        $IPT4 -t nat -X
-        $IPT4 -t mangle -F
-        $IPT4 -t mangle -X
        echo " * Cleaning IPv4 chains and rules : \033[32m[OK] \033[0m"

        ### IPv6 ###
-        $IPT6 -F
-        $IPT6 -X
-        $IPT6 -P FORWARD ACCEPT
+        $IPT6 -F INPUT
+        $IPT6 -F OUTPUT
+        if [ "$HAS_DOCKER6" -eq 0 ]; then
+                $IPT6 -F FORWARD
+                $IPT6 -P FORWARD ACCEPT
+        else
+                echo " * Docker detected, preserving IPv6 FORWARD chain : \033[32m[OK] \033[0m"
+        fi
        $IPT6 -P INPUT ACCEPT
        $IPT6 -P OUTPUT ACCEPT
-        $IPT6 -t mangle -F
-        $IPT6 -t mangle -X
        echo " * Cleaning IPv6 chains and rules : \033[32m[OK] \033[0m"
        echo
        ;;