telekom-security/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-07-02 01:27:27 -04:00
Code Issues Packages Projects Releases Wiki Activity

generate iptables rules dynamically from docker-compose.yml

Browse Source
This commit is contained in:
Marco Ochse
2018-03-15 10:59:27 +00:00
parent fc0f3ad0fb
commit 565ecddafd
4 changed files with 85 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
bin/rules.sh Executable file
View File

@ -0,0 +1,78 @@
#!/bin/bash
### Vars, Ports for Standard services
myHOSTPORTS="64295"
myDOCKERCOMPOSEYML="$1"
myRULESFUNCTION="$2"
function fuCHECKFORARGS {
### Check if args are present, if not throw error
if [ "$myDOCKERCOMPOSEYML" != "" ] && ([ "$myRULESFUNCTION" == "set" ] || [ "$myRULESFUNCTION" == "unset" ]);
then
echo "All arguments met. Continuing."
else
echo "Usage: rules.sh <docker-compose.yml> <[set, unset]>"
exit
fi
}
function fuNFQCHECK {
### Check if honeytrap is actively enabled in docker-compose.yml
myNFQCHECK=$(grep -e '^\s*honeytrap:' $myDOCKERCOMPOSEYML | tr -d ': ' | wc -l)
if [ "$myNFQCHECK" == "0" ];
then
echo "No NFQ related honeypot detected, no firewall rules needed. Exiting."
exit
else
echo "Detected at least one NFQ based honeypot, firewall rules needed. Continuing."
fi
}
function fuGETPORTS {
### Get ports from docker-compose.yml
myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' )
myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS"
myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu)
}
function fuSETRULES {
### Setting up iptables rules
/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
done
/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
}
function fuUNSETRULES {
### Removing iptables rules
/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
for myPORT in $myRULESPORTS; do
/sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
done
/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
}
# Main
fuCHECKFORARGS
fuNFQCHECK
fuGETPORTS
if [ "$myRULESFUNCTION" == "set" ];
then
fuSETRULES
else
fuUNSETRULES
fi