generate iptables rules dynamically from docker-compose.yml

2025-07-02 01:27:27 -04:00 · 2018-03-15 10:59:27 +00:00
parent fc0f3ad0fb
commit 565ecddafd
4 changed files with 85 additions and 14 deletions
--- a/host/etc/systemd/tpot.service
+++ b/host/etc/systemd/tpot.service
@ -31,13 +31,7 @@ ExecStartPre=-/bin/chmod 666 /var/run/docker.sock

 # Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
 # Forward all other connections to honeytrap / NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set

 # Compose T-Pot up
 ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
@ -46,13 +40,7 @@ ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
 ExecStop=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v

 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+ExecStopPost=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml unset

 [Install]
 WantedBy=multi-user.target