├── .gitignore
├── roles
    └── iptables-docker
    │   ├── vars
    │       └── .placeholder
    │   ├── handlers
    │       └── main.yml
    │   ├── defaults
    │       └── main.yml
    │   ├── files
    │       ├── iptables-docker.service
    │       └── awk.firewall
    │   ├── tasks
    │       ├── main.yml
    │       ├── iptables-legacy.yml
    │       ├── uninstall.yml
    │       └── install.yml
    │   └── templates
    │       └── iptables-docker.sh.j2
├── site.yml
├── src
    ├── iptables-docker.service
    ├── awk.firewall
    └── iptables-docker.sh
├── group_vars
    └── all.yml
├── uninstall.sh
├── install.sh
├── README.md
└── LICENSE


/.gitignore:
--------------------------------------------------------------------------------
1 | *.ini
2 | 


--------------------------------------------------------------------------------
/roles/iptables-docker/vars/.placeholder:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/site.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: all
3 |   remote_user: "ubuntu" # <- change this with your user
4 |   become: yes
5 |   roles: 
6 |      - role: roles/iptables-docker


--------------------------------------------------------------------------------
/roles/iptables-docker/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - name: reload iptables-docker
3 |   service:
4 |     name: iptables-docker
5 |     state: restarted
6 |     enabled: yes


--------------------------------------------------------------------------------
/roles/iptables-docker/defaults/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | docker_preserve: yes
 3 | swarm_enabled: no
 4 | ebable_icmp_messages: yes
 5 | swarm_cidr: 192.168.1.0/24
 6 | ssh_allow_cidr: 0.0.0.0/0
 7 | iptables_allow_rules: []
 8 | iptables_docker_uninstall: no
 9 | firewall_services:
10 |   - ufw
11 |   - firewalld


--------------------------------------------------------------------------------
/src/iptables-docker.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Simple firewall script with docker rules preserve function
 3 | After=network.target docker.service
 4 | 
 5 | [Service]
 6 | Type=oneshot
 7 | RemainAfterExit=yes
 8 | WorkingDirectory=/usr/local/sbin/
 9 | ExecStart=/usr/local/sbin/iptables-docker.sh start
10 | ExecStop=/usr/local/sbin/iptables-docker.sh stop
11 | 
12 | [Install]
13 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/roles/iptables-docker/files/iptables-docker.service:
--------------------------------------------------------------------------------
 1 | [Unit]
 2 | Description=Simple firewall script with docker rules preserve function
 3 | After=network.target docker.service
 4 | 
 5 | [Service]
 6 | Type=oneshot
 7 | RemainAfterExit=yes
 8 | WorkingDirectory=/usr/local/sbin/
 9 | ExecStart=/usr/local/sbin/iptables-docker.sh start
10 | ExecStop=/usr/local/sbin/iptables-docker.sh stop
11 | 
12 | [Install]
13 | WantedBy=multi-user.target


--------------------------------------------------------------------------------
/group_vars/all.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | docker_preserve: yes
 3 | swarm_enabled: no
 4 | ebable_icmp_messages: yes
 5 | swarm_cidr: 192.168.25.0/24
 6 | ssh_allow_cidr: 0.0.0.0/0
 7 | iptables_allow_rules:
 8 |   - desc: "Allow port 6466 tcp from 192.168.25.0/24"
 9 |     proto: tcp
10 |     port: 6446
11 |     from: 192.168.25.0/24
12 |   - desc: "Allow port 8443 tcp from 192.168.25.0/24"
13 |     proto: tcp
14 |     port: 8443
15 |     from: 192.168.25.0/24


--------------------------------------------------------------------------------
/uninstall.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | echo "Disable iptables-docker"
 4 | 
 5 | systemctl stop iptables-docker
 6 | systemctl disable iptables-docker
 7 | 
 8 | echo "remove iptables-docker.sh"
 9 | 
10 | rm -rf /usr/local/sbin/iptables-docker.sh
11 | rm -rf /usr/local/sbin/awk.firewall
12 | 
13 | echo "remove systemd unit"
14 | 
15 | rm -rf /etc/systemd/system/iptables-docker.service
16 | 
17 | echo "Reload systemd"
18 | 
19 | systemctl daemon-reload


--------------------------------------------------------------------------------
/roles/iptables-docker/tasks/main.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: Populate service facts
 3 |   ansible.builtin.service_facts:
 4 | 
 5 | - include_tasks:
 6 |     file: iptables-legacy.yml
 7 |     apply:
 8 |       tags: iptables-legacy,legacy
 9 |   tags: iptables-legacy,legacy
10 | 
11 | - include_tasks:
12 |     file: install.yml
13 |     apply:
14 |       tags: iptables-install,install
15 |   tags: iptables-install,install
16 |   when: iptables_docker_uninstall is false
17 | 
18 | - include_tasks:
19 |     file: uninstall.yml
20 |     apply:
21 |       tags: uninstall-install,uninstall
22 |   tags: uninstall-install,uninstall
23 |   when: iptables_docker_uninstall is true
24 | 


--------------------------------------------------------------------------------
/roles/iptables-docker/tasks/iptables-legacy.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | - name: check iptables version
 3 |   shell: iptables --version
 4 |   register: iptables_version
 5 |   changed_when: false
 6 | 
 7 | - block:
 8 |     - alternatives:
 9 |         name: iptables
10 |         path: /usr/sbin/iptables-legacy
11 | 
12 |     - alternatives:
13 |         name: ip6tables
14 |         path: /usr/sbin/ip6tables-legacy
15 | 
16 |     - reboot:
17 |         msg: "Reboot initiated by Ansible for iptables-legacy"
18 |         connect_timeout: 5
19 |         reboot_timeout: 300
20 |         pre_reboot_delay: 0
21 |         post_reboot_delay: 30
22 |         test_command: uptime
23 |   when: '"nf_tables" in iptables_version.stdout'
24 | 


--------------------------------------------------------------------------------
/roles/iptables-docker/tasks/uninstall.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Enable firewall services
 4 |   service: 
 5 |     name: "{{ item }}" 
 6 |     state: started 
 7 |     enabled: yes
 8 |   with_items: "{{ firewall_services }}"
 9 |   ignore_errors: yes
10 | 
11 | - name: disable iptables-docker
12 |   service:
13 |     name: iptables-docker
14 |     enabled: no
15 |     state: stopped
16 | 
17 | - name: remove iptables-docker.sh
18 |   file:
19 |     path: /usr/local/sbin/iptables-docker.sh
20 |     state: absent
21 | 
22 | - name: remove awk.firewall
23 |   file:
24 |     path: /usr/local/sbin/awk.firewall
25 |     state: absent
26 | 
27 | - name: remove iptables-docker.service
28 |   file:
29 |     path: /etc/systemd/system/iptables-docker.service
30 |     state: absent
31 | 
32 | - name: reload systemd
33 |   systemd:
34 |     daemon_reload: yes


--------------------------------------------------------------------------------
/roles/iptables-docker/tasks/install.yml:
--------------------------------------------------------------------------------
 1 | ---
 2 | 
 3 | - name: Disable firewall services
 4 |   service:
 5 |     name: "{{ item }}"
 6 |     state: stopped
 7 |     enabled: no
 8 |   with_items: "{{ firewall_services }}"
 9 |   when: item in services
10 | 
11 | - name: render iptables-docker.sh
12 |   template:
13 |     src: iptables-docker.sh.j2
14 |     dest: /usr/local/sbin/iptables-docker.sh
15 |     owner: root
16 |     group: root
17 |     mode: 0700
18 |   notify:
19 |     - reload iptables-docker
20 | 
21 | - name: copy awk.firewall
22 |   copy:
23 |     src: awk.firewall
24 |     dest: /usr/local/sbin/awk.firewall
25 |     owner: root
26 |     group: root
27 |     mode: 0600
28 |   notify:
29 |     - reload iptables-docker
30 | 
31 | - name: copy iptables-docker.service
32 |   copy:
33 |     src: iptables-docker.service
34 |     dest: /etc/systemd/system/iptables-docker.service
35 |     owner: root
36 |     group: root
37 |     mode: 0600
38 | 
39 | - name: reload systemd
40 |   systemd:
41 |     daemon_reload: yes
42 | 
43 | - name: enable iptables-docker
44 |   service:
45 |     name: iptables-docker
46 |     enabled: yes
47 |     state: started
48 | 


--------------------------------------------------------------------------------
/install.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | set -o errexit
 4 | set -o nounset
 5 | if [ "${TRACE-0}" -eq 1 ]; then set -o xtrace; fi
 6 | 
 7 | readonly SCRIPT_DIR=$(dirname -- "$0");
 8 | 
 9 | echo "Set iptables to iptables-legacy"
10 | 
11 | iptables --version | grep legacy > /dev/null
12 | iptables_rc=$?
13 | if [ $iptables_rc -ne 0 ]; then
14 |     update-alternatives --set iptables /usr/sbin/iptables-legacy
15 |     update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
16 |     echo "You need to reboot your machine"
17 | fi
18 | 
19 | echo "Disable ufw,firewalld"
20 | 
21 | systemctl stop ufw
22 | systemctl disable ufw
23 | 
24 | systemctl stop firewalld
25 | systemctl disable firewalld
26 | 
27 | echo "Install iptables-docker.sh"
28 | 
29 | cp "$SCRIPT_DIR/src/iptables-docker.sh" /usr/local/sbin/
30 | cp "$SCRIPT_DIR/src/awk.firewall" /usr/local/sbin/
31 | 
32 | chmod 700 /usr/local/sbin/iptables-docker.sh
33 | chmod 600 /usr/local/sbin/awk.firewall
34 | 
35 | echo "Create systemd unit"
36 | 
37 | cp "$SCRIPT_DIR/src/iptables-docker.service" /etc/systemd/system/
38 | 
39 | echo "Enable iptables-docker.service"
40 | 
41 | systemctl daemon-reload
42 | systemctl enable iptables-docker
43 | 
44 | echo "start iptables-docker.service"
45 | 
46 | systemctl start iptables-docker
47 | 
48 | if [ $iptables_rc -ne 0 ]; then
49 |     echo "Reboot your machine"
50 | fi


--------------------------------------------------------------------------------
/src/awk.firewall:
--------------------------------------------------------------------------------
 1 | {
 2 |     if ( $0 ~ /^*/ ) {
 3 |         in_nat=0
 4 |         in_filter=0
 5 |     }
 6 |     if ( $0 ~ /^*filter/ ) {
 7 |         in_filter=1
 8 |         in_nat=0
 9 |         print "*filter"
10 |         print ":DOCKER-USER - [0:0]"
11 |         print ":DOCKER - [0:0]"
12 |         print ":DOCKER-INGRESS - [0:0]"
13 |         print ":DOCKER-ISOLATION-STAGE-2 - [0:0]"
14 |         print ":DOCKER-ISOLATION-STAGE-1 - [0:0]"
15 |         print ":FORWARD DROP [0:0]"
16 |     }
17 |     if ( $0 ~ /^*nat/ ) {
18 |         in_nat=1
19 |         in_filter=0
20 |         print "*nat"
21 |         print ":PREROUTING ACCEPT [0:0]"
22 |         print ":OUTPUT ACCEPT [0:0]"
23 |         print ":POSTROUTING ACCEPT [0:0]"
24 |         print ":DOCKER - [0:0]"
25 |         print ":DOCKER-INGRESS - [0:0]"
26 |     }
27 |     if (in_nat==1) {
28 |         if ($3 ~ /^(POSTROUTING|PREROUTING|DOCKER|DOCKER-INGRESS|OUTPUT)$/) {print $0}
29 |         if ($0 ~ /^COMMIT/ ) {print "COMMIT"}
30 |     }
31 |     if (in_filter==1) {
32 |         if ($3 ~ /^(DOCKER-ISOLATION-STAGE-1|DOCKER-ISOLATION-STAGE-2|DOCKER|DOCKER-INGRESS|DOCKER-USER)$/) {
33 |             print $0
34 |         } else {
35 |             if ($7 ~ /^DOCKER$/) {
36 |                 bridge=$5
37 |                 print last_line
38 |             }
39 |             if (length(bridge) >0 && $5 == bridge) {
40 |                 print $0
41 |             }
42 |         }
43 |         if ($0 ~ /^COMMIT/ ) {print "COMMIT"}
44 |     }
45 | 
46 |     # remeber last line
47 |     last_line=$0
48 | }
49 | 


--------------------------------------------------------------------------------
/roles/iptables-docker/files/awk.firewall:
--------------------------------------------------------------------------------
 1 | {
 2 |     if ( $0 ~ /^*/ ) {
 3 |         in_nat=0
 4 |         in_filter=0
 5 |     }
 6 |     if ( $0 ~ /^*filter/ ) {
 7 |         in_filter=1
 8 |         in_nat=0
 9 |         print "*filter"
10 |         print ":DOCKER-USER - [0:0]"
11 |         print ":DOCKER - [0:0]"
12 |         print ":DOCKER-INGRESS - [0:0]"
13 |         print ":DOCKER-ISOLATION-STAGE-2 - [0:0]"
14 |         print ":DOCKER-ISOLATION-STAGE-1 - [0:0]"
15 |         print ":FORWARD DROP [0:0]"
16 |     }
17 |     if ( $0 ~ /^*nat/ ) {
18 |         in_nat=1
19 |         in_filter=0
20 |         print "*nat"
21 |         print ":PREROUTING ACCEPT [0:0]"
22 |         print ":OUTPUT ACCEPT [0:0]"
23 |         print ":POSTROUTING ACCEPT [0:0]"
24 |         print ":DOCKER - [0:0]"
25 |         print ":DOCKER-INGRESS - [0:0]"
26 |     }
27 |     if (in_nat==1) {
28 |         if ($3 ~ /^(POSTROUTING|PREROUTING|DOCKER|DOCKER-INGRESS|OUTPUT)$/) {print $0}
29 |         if ($0 ~ /^COMMIT/ ) {print "COMMIT"}
30 |     }
31 |     if (in_filter==1) {
32 |         if ($3 ~ /^(DOCKER-ISOLATION-STAGE-1|DOCKER-ISOLATION-STAGE-2|DOCKER|DOCKER-INGRESS|DOCKER-USER)$/) {
33 |             print $0
34 |         } else {
35 |             if ($7 ~ /^DOCKER$/) {
36 |                 bridge=$5
37 |                 print last_line
38 |             }
39 |             if (length(bridge) >0 && $5 == bridge) {
40 |                 print $0
41 |             }
42 |         }
43 |         if ($0 ~ /^COMMIT/ ) {print "COMMIT"}
44 |     }
45 | 
46 |     # remeber last line
47 |     last_line=$0
48 | }
49 | 


--------------------------------------------------------------------------------
/src/iptables-docker.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | set -o errexit
  4 | set -o nounset
  5 | if [ "${TRACE-0}" -eq 1 ]; then set -o xtrace; fi
  6 | 
  7 | cd "$(dirname "$0")" || exit 1
  8 | 
  9 | dir=$(pwd)
 10 | 
 11 | IPT=$(which iptables)
 12 | 
 13 | interface=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
 14 | 
 15 | readonly backup_dir_firwall_rules="/tmp/backup/firewall/"
 16 | 
 17 | #### util functions
 18 | 
 19 | beginswith() { case $2 in "$1"*) true;; *) false;; esac; }
 20 | 
 21 | skip_docker_ifaces() {
 22 |   
 23 |   ## Skip all the interfaces created by docker:
 24 |   ##    vethXXXXXX
 25 |   ##    docker0
 26 |   ##    docker_gwbridge
 27 |   ##    br-XXXXXXXXXXX
 28 | 
 29 |   ifaces=$(ip -o link show | awk -F': ' '{print $2}')
 30 | 
 31 |   for i in $ifaces
 32 |   do
 33 |       if beginswith vet "$i"; then
 34 |           vet_value=${i%%@*}
 35 |           echo "Allow traffic on vet iface: $vet_value"
 36 |           $IPT -A INPUT -i "$vet_value" -j ACCEPT
 37 |           $IPT -A OUTPUT -o "$vet_value" -j ACCEPT
 38 |       fi
 39 |       if beginswith br- "$i"; then
 40 |           echo "Allow traffic on br- iface: $i"
 41 |           $IPT -A INPUT -i "$i" -j ACCEPT
 42 |           $IPT -A OUTPUT -o "$i" -j ACCEPT
 43 |       fi
 44 |       if beginswith docker "$i"; then
 45 |           echo "Allow traffic on docker iface: $i"
 46 |           $IPT -A INPUT -i "$i" -j ACCEPT
 47 |           $IPT -A OUTPUT -o "$i" -j ACCEPT
 48 |       fi
 49 |   done
 50 | }
 51 | 
 52 | #### end util functions
 53 | 
 54 | start() {
 55 |     echo "############ <START> ##############"
 56 | 
 57 |     mkdir -p "$backup_dir_firwall_rules"
 58 |     IPTABLES_SAVE_FILE="$backup_dir_firwall_rules/rules_$(date +%Y%m%d%H%M%S%N)"
 59 | 
 60 |     touch "$IPTABLES_SAVE_FILE"
 61 |     chmod 600 "$IPTABLES_SAVE_FILE"
 62 |     iptables-save -c >"$IPTABLES_SAVE_FILE"
 63 | 
 64 |     # flush all rules
 65 |     $IPT -F
 66 |     $IPT -X
 67 |     $IPT -Z
 68 |     $IPT -t filter --flush
 69 |     $IPT -t nat    --flush
 70 |     $IPT -t mangle --flush
 71 | 
 72 |     # Preserve docker rules
 73 |     docker_restore
 74 | 
 75 |     # Skip filter on docker ifaces
 76 |     skip_docker_ifaces
 77 | 
 78 |     ### BLOCK INPUT BY DEFAULT ALLOW OUTPUT ###
 79 |     $IPT -P INPUT DROP
 80 |     $IPT -P OUTPUT ACCEPT
 81 | 
 82 |     # Enable free use of loopback interfaces
 83 |     $IPT -A INPUT -i lo -j ACCEPT
 84 |     $IPT -A OUTPUT -o lo -j ACCEPT
 85 | 
 86 |     ###############
 87 |     ###  INPUT  ###
 88 |     ###############
 89 | 
 90 |     # === anti scan ===
 91 |     $IPT -N SCANS
 92 |     $IPT -A SCANS -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
 93 |     $IPT -A SCANS -p tcp --tcp-flags ALL ALL -j DROP
 94 |     $IPT -A SCANS -p tcp --tcp-flags ALL NONE -j DROP
 95 |     $IPT -A SCANS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 96 |     ####################
 97 |     echo "[Anti-scan is ready]"
 98 | 
 99 |     #No spoofing
100 |     if [ -e /proc/sys/net/ipv4/conf/all/ip_filter ]; then
101 |         for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
102 |         do
103 |             echo > 1 "$filtre"
104 |         done
105 |     fi
106 |     echo "[Anti-spoofing is ready]"
107 | 
108 |     #No synflood
109 |     if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
110 |         echo 1 > /proc/sys/net/ipv4/tcp_syncookies
111 |     fi
112 |     echo "[Anti-synflood is ready]"
113 | 
114 |     ####################
115 |     # === Clean particulars packets ===
116 |     #Make sure NEW incoming tcp connections are SYN packets
117 |     $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
118 |     # Packets with incoming fragments
119 |     $IPT -A INPUT -f -j DROP
120 |     # incoming malformed XMAS packets
121 |     $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
122 |     # Incoming malformed NULL packets
123 |     $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
124 | 
125 |     #Drop broadcast
126 |     $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
127 | 
128 |     # Accept inbound TCP packets
129 |     $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
130 |     $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
131 |     
132 |     # Other firewall rules
133 |     # insert here your firewall rules
134 | 
135 |     # Swarm mode - uncomment to enable swarm access (adjust source lan)
136 |     # $IPT -A INPUT -p tcp --dport 2377 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
137 |     # $IPT -A INPUT -p tcp --dport 7946 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
138 |     # $IPT -A INPUT -p udp --dport 7946 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
139 |     # $IPT -A INPUT -p udp --dport 4789 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
140 | 
141 |     # Accept inbound ICMP messages
142 |     $IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
143 |     $IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
144 | 
145 |     ###############
146 |     ###   LOG   ###
147 |     ###############
148 | 
149 |     $IPT -N LOGGING
150 |     $IPT -A INPUT -j LOGGING
151 |     $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
152 |     $IPT -A LOGGING -j DROP
153 | }
154 | 
155 | docker_restore() {
156 |   awk -f "$dir/awk.firewall" <"$IPTABLES_SAVE_FILE" | iptables-restore
157 | }
158 | 
159 | stop() {
160 |     ### OPEN ALL !!! ###
161 |     echo "############ <STOP> ##############"
162 | 
163 |     mkdir -p "$backup_dir_firwall_rules"
164 |     IPTABLES_SAVE_FILE="$backup_dir_firwall_rules/rules_$(date +%Y%m%d%H%M%S%N)"
165 | 
166 |     touch "$IPTABLES_SAVE_FILE"
167 |     chmod 600 "$IPTABLES_SAVE_FILE"
168 |     iptables-save -c >"$IPTABLES_SAVE_FILE"
169 | 
170 |     # set the default policy to ACCEPT
171 |     $IPT --policy INPUT   ACCEPT
172 |     $IPT --policy OUTPUT  ACCEPT
173 |     $IPT --policy FORWARD ACCEPT
174 | 
175 |     $IPT           --flush
176 |     $IPT -t nat    --flush
177 |     $IPT -t mangle --flush
178 | 
179 |     # Preserve docker rules
180 |     docker_restore
181 |  }
182 | 
183 | case "$1" in
184 |   start)
185 |     start
186 |     ;;
187 |   stop)
188 |     stop
189 |     ;;
190 |   restart)
191 |     stop
192 |     start
193 |     ;;
194 |   *)
195 |     echo "systemctl {start|stop} iptables-docker.service" >&2
196 |     echo "or" >&2
197 |     echo "iptables-docker.sh {start|stop}" >&2
198 |     exit 1
199 |     ;;
200 | esac
201 | 
202 | exit 0
203 | 


--------------------------------------------------------------------------------
/roles/iptables-docker/templates/iptables-docker.sh.j2:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | 
  3 | set -o errexit
  4 | set -o nounset
  5 | if [ "${TRACE-0}" -eq 1 ]; then set -o xtrace; fi
  6 | 
  7 | cd "$(dirname "$0")" || exit 1
  8 | 
  9 | dir=$(pwd)
 10 | 
 11 | IPT=$(which iptables)
 12 | 
 13 | interface=$(ip route | grep default | sed -e "s/^.*dev.//" -e "s/.proto.*//")
 14 | 
 15 | readonly backup_dir_firwall_rules="/tmp/backup/firewall/"
 16 | 
 17 | #### util functions
 18 | 
 19 | beginswith() { case $2 in "$1"*) true;; *) false;; esac; }
 20 | 
 21 | skip_docker_ifaces() {
 22 |   
 23 |   ## Skip all the interfaces created by docker:
 24 |   ##    vethXXXXXX
 25 |   ##    docker0
 26 |   ##    docker_gwbridge
 27 |   ##    br-XXXXXXXXXXX
 28 | 
 29 |   ifaces=$(ip -o link show | awk -F': ' '{print $2}')
 30 | 
 31 |   for i in $ifaces
 32 |   do
 33 |       if beginswith vet "$i"; then
 34 |           vet_value=${i%%@*}
 35 |           echo "Allow traffic on vet iface: $vet_value"
 36 |           $IPT -A INPUT -i "$vet_value" -j ACCEPT
 37 |           $IPT -A OUTPUT -o "$vet_value" -j ACCEPT
 38 |       fi
 39 |       if beginswith br- "$i"; then
 40 |           echo "Allow traffic on br- iface: $i"
 41 |           $IPT -A INPUT -i "$i" -j ACCEPT
 42 |           $IPT -A OUTPUT -o "$i" -j ACCEPT
 43 |       fi
 44 |       if beginswith docker "$i"; then
 45 |           echo "Allow traffic on docker iface: $i"
 46 |           $IPT -A INPUT -i "$i" -j ACCEPT
 47 |           $IPT -A OUTPUT -o "$i" -j ACCEPT
 48 |       fi
 49 |   done
 50 | }
 51 | 
 52 | #### end util functions
 53 | 
 54 | start() {
 55 |     echo "############ <START> ##############"
 56 | 
 57 |     mkdir -p "$backup_dir_firwall_rules"
 58 |     IPTABLES_SAVE_FILE="$backup_dir_firwall_rules/rules_$(date +%Y%m%d%H%M%S%N)"
 59 | 
 60 |     touch "$IPTABLES_SAVE_FILE"
 61 |     chmod 600 "$IPTABLES_SAVE_FILE"
 62 |     iptables-save -c >"$IPTABLES_SAVE_FILE"
 63 | 
 64 |     # flush all rules
 65 |     $IPT -F
 66 |     $IPT -X
 67 |     $IPT -Z
 68 |     $IPT -t filter --flush
 69 |     $IPT -t nat    --flush
 70 |     $IPT -t mangle --flush
 71 | 
 72 |     {% if docker_preserve|default(true) -%}
 73 |     # Preserve docker rules
 74 |     docker_restore
 75 | 
 76 |     # Skip filter on docker ifaces
 77 |     skip_docker_ifaces
 78 |     {% endif %}
 79 | 
 80 |     ### BLOCK INPUT BY DEFAULT ALLOW OUTPUT ###
 81 |     $IPT -P INPUT DROP
 82 |     $IPT -P OUTPUT ACCEPT
 83 | 
 84 |     # Enable free use of loopback interfaces
 85 |     $IPT -A INPUT -i lo -j ACCEPT
 86 |     $IPT -A OUTPUT -o lo -j ACCEPT
 87 | 
 88 |     ###############
 89 |     ###  INPUT  ###
 90 |     ###############
 91 | 
 92 |     # === anti scan ===
 93 |     $IPT -N SCANS
 94 |     $IPT -A SCANS -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP
 95 |     $IPT -A SCANS -p tcp --tcp-flags ALL ALL -j DROP
 96 |     $IPT -A SCANS -p tcp --tcp-flags ALL NONE -j DROP
 97 |     $IPT -A SCANS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 98 |     ####################
 99 |     echo "[Anti-scan is ready]"
100 | 
101 |     #No spoofing
102 |     if [ -e /proc/sys/net/ipv4/conf/all/ip_filter ]; then
103 |         for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
104 |         do
105 |             echo > 1 "$filtre"
106 |         done
107 |     fi
108 |     echo "[Anti-spoofing is ready]"
109 | 
110 |     #No synflood
111 |     if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
112 |         echo 1 > /proc/sys/net/ipv4/tcp_syncookies
113 |     fi
114 |     echo "[Anti-synflood is ready]"
115 | 
116 |     ####################
117 |     # === Clean particulars packets ===
118 |     #Make sure NEW incoming tcp connections are SYN packets
119 |     $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
120 |     # Packets with incoming fragments
121 |     $IPT -A INPUT -f -j DROP
122 |     # incoming malformed XMAS packets
123 |     $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
124 |     # Incoming malformed NULL packets
125 |     $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
126 | 
127 |     #Drop broadcast
128 |     $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
129 | 
130 |     # Accept inbound TCP packets
131 |     $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
132 |     $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s {{ ssh_allow_cidr|default('0.0.0.0/0') }} -j ACCEPT
133 | 
134 |     {% if iptables_allow_rules|length > 0 -%}
135 |     # Other firewall rules
136 |     {% for iptables_rule in iptables_allow_rules -%}
137 |     $IPT -A INPUT -p {{ iptables_rule.proto }} --dport {{ iptables_rule.port }} -m state --state NEW -s {{ iptables_rule.from|default('0.0.0.0/0') }} -j ACCEPT -m comment --comment "{{ iptables_rule.desc }}"
138 |     {% endfor %}
139 |     {% endif %}
140 | 
141 |     {% if swarm_enabled|default(false) -%}
142 |     # Swarm mode
143 |     $IPT -A INPUT -p tcp --dport 2377 -m state --state NEW -s {{ swarm_cidr|default('0.0.0.0/0') }} -j ACCEPT
144 |     $IPT -A INPUT -p tcp --dport 7946 -m state --state NEW -s {{ swarm_cidr|default('0.0.0.0/0') }} -j ACCEPT
145 |     $IPT -A INPUT -p udp --dport 7946 -m state --state NEW -s {{ swarm_cidr|default('0.0.0.0/0') }} -j ACCEPT
146 |     $IPT -A INPUT -p udp --dport 4789 -m state --state NEW -s {{ swarm_cidr|default('0.0.0.0/0') }} -j ACCEPT
147 |     {% endif %}
148 | 
149 |     {% if ebable_icmp_messages|default(true) -%}
150 |     # Accept inbound ICMP messages
151 |     $IPT -A INPUT -p ICMP --icmp-type 8 -s 0.0.0.0/0 -j ACCEPT
152 |     $IPT -A INPUT -p ICMP --icmp-type 11 -s 0.0.0.0/0 -j ACCEPT
153 |     {% endif %}
154 | 
155 |     ###############
156 |     ###   LOG   ###
157 |     ###############
158 | 
159 |     $IPT -N LOGGING
160 |     $IPT -A INPUT -j LOGGING
161 |     $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
162 |     $IPT -A LOGGING -j DROP
163 | }
164 | 
165 | docker_restore() {
166 |   awk -f "$dir/awk.firewall" <"$IPTABLES_SAVE_FILE" | iptables-restore
167 | }
168 | 
169 | stop() {
170 |     ### OPEN ALL !!! ###
171 |     echo "############ <STOP> ##############"
172 | 
173 |     mkdir -p "$backup_dir_firwall_rules"
174 |     IPTABLES_SAVE_FILE="$backup_dir_firwall_rules/rules_$(date +%Y%m%d%H%M%S%N)"
175 | 
176 |     touch "$IPTABLES_SAVE_FILE"
177 |     chmod 600 "$IPTABLES_SAVE_FILE"
178 |     iptables-save -c >"$IPTABLES_SAVE_FILE"
179 | 
180 |     # set the default policy to ACCEPT
181 |     $IPT --policy INPUT   ACCEPT
182 |     $IPT --policy OUTPUT  ACCEPT
183 |     $IPT --policy FORWARD ACCEPT
184 | 
185 |     $IPT           --flush
186 |     $IPT -t nat    --flush
187 |     $IPT -t mangle --flush
188 |     
189 |     {% if docker_preserve|default(true) -%}
190 |     # Preserve docker rules
191 |     docker_restore
192 |     {% endif %}
193 | 
194 | }
195 | 
196 | case "$1" in
197 |   start)
198 |     start
199 |     ;;
200 |   stop)
201 |     stop
202 |     ;;
203 |   restart)
204 |     stop
205 |     start
206 |     ;;
207 |   *)
208 |     echo "systemctl {start|stop} iptables-docker.service" >&2
209 |     echo "or" >&2
210 |     echo "iptables-docker.sh {start|stop}" >&2
211 |     exit 1
212 |     ;;
213 | esac
214 | 
215 | exit 0
216 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # iptables-docker
  2 | 
  3 | [![GitHub forks](https://img.shields.io/github/forks/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/network)
  4 | [![GitHub stars](https://img.shields.io/github/stars/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/stargazers)
  5 | ![GitHub](https://img.shields.io/github/license/garutilorenzo/iptables-docker)
  6 | [![GitHub issues](https://img.shields.io/github/issues/garutilorenzo/iptables-docker)](https://github.com/garutilorenzo/iptables-docker/issues)
  7 | 
  8 | ### A bash solution for docker and iptables conflict
  9 | 
 10 | If you’ve ever tried to setup firewall rules on the same machine where docker daemon is running you may have noticed that docker (by default) manipulate your iptables chains.
 11 | If you want the full control of your iptables rules this might be a problem.
 12 | 
 13 | Before you proceed read carefully the [important notes](#important-notes) section.
 14 | 
 15 | ### Table of Contents
 16 | 
 17 | * [Docker and iptables](#docker-and-iptables)
 18 | * [The problem](#the-problem)
 19 | * [The solution](#the-solution)
 20 | * [Usage](#usage)
 21 | * [Test](#test-iptables-docker)
 22 | * [Notes](#important-notes)
 23 | * [Extending iptables-docker](#extending-iptables-docker)
 24 | 
 25 | ### Docker and iptables
 26 | 
 27 | Docker is utilizing the iptables "nat" to resolve packets from and to its containers and "filter" for isolation purposes, by default docker creates some chains in your iptables setup:
 28 | 
 29 | ```
 30 | sudo iptables -L
 31 | 
 32 | Chain INPUT (policy ACCEPT)
 33 | target     prot opt source               destination         
 34 | 
 35 | Chain FORWARD (policy DROP)
 36 | target     prot opt source               destination         
 37 | DOCKER-USER  all  --  anywhere             anywhere            
 38 | DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
 39 | ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 40 | DOCKER     all  --  anywhere             anywhere            
 41 | ACCEPT     all  --  anywhere             anywhere            
 42 | ACCEPT     all  --  anywhere             anywhere            
 43 | 
 44 | Chain OUTPUT (policy ACCEPT)
 45 | target     prot opt source               destination         
 46 | 
 47 | Chain DOCKER (1 references)
 48 | target     prot opt source               destination         
 49 | 
 50 | Chain DOCKER-INGRESS (0 references)
 51 | target     prot opt source               destination         
 52 | 
 53 | Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 54 | target     prot opt source               destination         
 55 | DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
 56 | RETURN     all  --  anywhere             anywhere            
 57 | 
 58 | Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 59 | target     prot opt source               destination         
 60 | DROP       all  --  anywhere             anywhere            
 61 | RETURN     all  --  anywhere             anywhere            
 62 | 
 63 | Chain DOCKER-USER (1 references)
 64 | target     prot opt source               destination         
 65 | RETURN     all  --  anywhere             anywhere 
 66 | ```
 67 | 
 68 | now for example we have the need to expose our nginx container to the world:
 69 | 
 70 | ```
 71 | docker run --name some-nginx -d -p 8080:80 nginx:latest
 72 | 47a12adff13aa7609020a1aa0863b0dff192fbcf29507788a594e8b098ffe47a
 73 | 
 74 | docker ps
 75 | CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS          PORTS                                   NAMES
 76 | 47a12adff13a   nginx:latest   "/docker-entrypoint.…"   27 seconds ago   Up 24 seconds   0.0.0.0:8080->80/tcp, :::8080->80/tcp   some-nginx
 77 | ```
 78 | 
 79 | and now we can reach our nginx default page:
 80 | 
 81 | ```
 82 | curl -v http://192.168.25.200:8080
 83 | 
 84 | *   Trying 192.168.25.200:8080...
 85 | * TCP_NODELAY set
 86 | * Connected to 192.168.25.200 (192.168.25.200) port 8080 (#0)
 87 | > GET / HTTP/1.1
 88 | > Host: 192.168.25.200:8080
 89 | > User-Agent: curl/7.68.0
 90 | > Accept: */*
 91 | > 
 92 | * Mark bundle as not supporting multiuse
 93 | < HTTP/1.1 200 OK
 94 | < Server: nginx/1.21.1
 95 | < Date: Thu, 14 Oct 2021 10:31:38 GMT
 96 | < Content-Type: text/html
 97 | < Content-Length: 612
 98 | < Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT
 99 | < Connection: keep-alive
100 | < ETag: "60e46fc5-264"
101 | < Accept-Ranges: bytes
102 | < 
103 | <!DOCTYPE html>
104 | <html>
105 | <head>
106 | <title>Welcome to nginx!</title>
107 | <style>
108 |     body {
109 |         width: 35em;
110 |         margin: 0 auto;
111 |         font-family: Tahoma, Verdana, Arial, sans-serif;
112 |     }
113 | ...
114 | * Connection #0 to host 192.168.25.200 left intact
115 | ```
116 | 
117 | **NOTE** the connection test is made using an external machine, not the same machine where the docker container is running.
118 | 
119 | Docker also add a "magic" iptables rule, which allow our container to reach the outside world:
120 | 
121 | ```
122 | docker run --rm nginx curl ipinfo.io/ip
123 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
124 |                                  Dload  Upload   Total   Spent    Left  Speed
125 | 100    15  100    15    0     0     94      0 --:--:-- --:--:-- --:--:--    94
126 | 
127 | 1.2.3.4
128 | ```
129 | 
130 | Now check what happened to our iptables rules:
131 | 
132 | ```
133 | iptables -L
134 | 
135 | ...
136 | Chain DOCKER (1 references)
137 | target     prot opt source               destination         
138 | ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:http
139 | ...
140 | ```
141 | 
142 | a new rule is appeared, but is not the only rule added to our chains.
143 | 
144 | To get a more detailed view of our iptables chain we can dump the full iptables rules with  *iptables-save*:
145 | 
146 | ```
147 | # Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021
148 | *mangle
149 | :PREROUTING ACCEPT [33102:3022248]
150 | :INPUT ACCEPT [33102:3022248]
151 | :FORWARD ACCEPT [0:0]
152 | :OUTPUT ACCEPT [32349:12119113]
153 | :POSTROUTING ACCEPT [32357:12120329]
154 | COMMIT
155 | # Completed on Thu Oct 14 12:32:46 2021
156 | # Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021
157 | *nat
158 | :PREROUTING ACCEPT [1:78]
159 | :INPUT ACCEPT [1:78]
160 | :OUTPUT ACCEPT [13:1118]
161 | :POSTROUTING ACCEPT [13:1118]
162 | :DOCKER - [0:0]
163 | :DOCKER-INGRESS - [0:0]
164 | -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
165 | -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
166 | -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
167 | -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
168 | -A DOCKER -i docker0 -j RETURN
169 | -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
170 | COMMIT
171 | # Completed on Thu Oct 14 12:32:46 2021
172 | # Generated by iptables-save v1.8.4 on Thu Oct 14 12:32:46 2021
173 | *filter
174 | :INPUT ACCEPT [4758:361293]
175 | :FORWARD DROP [0:0]
176 | :OUTPUT ACCEPT [4622:357552]
177 | :DOCKER - [0:0]
178 | :DOCKER-INGRESS - [0:0]
179 | :DOCKER-ISOLATION-STAGE-1 - [0:0]
180 | :DOCKER-ISOLATION-STAGE-2 - [0:0]
181 | :DOCKER-USER - [0:0]
182 | -A FORWARD -j DOCKER-USER
183 | -A FORWARD -j DOCKER-ISOLATION-STAGE-1
184 | -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
185 | -A FORWARD -o docker0 -j DOCKER
186 | -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
187 | -A FORWARD -i docker0 -o docker0 -j ACCEPT
188 | -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
189 | -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
190 | -A DOCKER-ISOLATION-STAGE-1 -j RETURN
191 | -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
192 | -A DOCKER-ISOLATION-STAGE-2 -j RETURN
193 | -A DOCKER-USER -j RETURN
194 | COMMIT
195 | # Completed on Thu Oct 14 12:32:46 2021
196 | ```
197 | 
198 | in our dump we can see some other rules added by docker:
199 | 
200 | **DOCKER-INGRESS (nat table)**
201 | 
202 | ```
203 | -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
204 | -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
205 | -A DOCKER -i docker0 -j RETURN
206 | -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
207 | ```
208 | 
209 | **DOCKER-USER (filter table)**
210 | 
211 | ```
212 | -A FORWARD -j DOCKER-USER
213 | -A FORWARD -j DOCKER-ISOLATION-STAGE-1
214 | -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
215 | -A FORWARD -o docker0 -j DOCKER
216 | -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
217 | -A FORWARD -i docker0 -o docker0 -j ACCEPT
218 | -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
219 | -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
220 | -A DOCKER-ISOLATION-STAGE-1 -j RETURN
221 | -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
222 | -A DOCKER-ISOLATION-STAGE-2 -j RETURN
223 | -A DOCKER-USER -j RETURN
224 | ```
225 | 
226 | to explore in detail how iptables and docker work:
227 | 
228 | * Docker [docs](https://docs.docker.com/network/iptables/)
229 | * Docker forum [question](https://forums.docker.com/t/understanding-iptables-rules-added-by-docker/77210)
230 | * [gist](https://gist.github.com/x-yuri/abf90a18895c62f8d4c9e4c0f7a5c188) from x-yuri 
231 | * argus-sec.com [post](https://argus-sec.com/docker-networking-behind-the-scenes/)
232 | 
233 | ### The problem
234 | 
235 | But what happen if we stop and restart our firewall?
236 | 
237 | ```
238 | systemctl stop ufw|firewalld # <- the service (ufw or firewalld) may change from distro to distro
239 | systemctl stop ufw|firewalld
240 | 
241 | 
242 | curl -v http://192.168.25.200:8080
243 | *   Trying 192.168.25.200:8080...
244 | * TCP_NODELAY set
245 | 
246 | 
247 | docker run --rm nginx curl ipinfo.io/ip
248 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
249 |                                  Dload  Upload   Total   Spent    Left  Speed
250 |   0     0    0     0    0     0      0      0 --:--:--  0:00:06 --:--:--     0
251 | 
252 | ```
253 | 
254 | we can see that:
255 | 
256 | * our container is not reachable from the outside world
257 | * our container is not able to reach internet
258 | 
259 | ### The solution
260 | 
261 | The solution for this problem is a simple bash script (combined to an awk script) to manage our iptables rules.
262 | In short the script parse the output of the *iptables-save* command and preserve a set of chains. The chains preserved are:
263 | 
264 | for table nat:
265 | 
266 | * POSTROUTING
267 | * PREROUTING
268 | * DOCKER
269 | * DOCKER-INGRESS
270 | * OUTPUT
271 | 
272 | for table filter:
273 | 
274 | * FORWARD
275 | * DOCKER-ISOLATION-STAGE-1
276 | * DOCKER-ISOLATION-STAGE-2
277 | * DOCKER
278 | * DOCKER-INGRESS
279 | * DOCKER-USER
280 | 
281 | ### Install iptables-docker
282 | 
283 | #### Local install (sh)
284 | 
285 | **NOTE** this kind of install use a static file (src/iptables-docker.sh). By default **only** ssh access to local machine is allowd. To allow specific traffic you have to edit manually this file with your own rules:
286 | 
287 | ```  
288 |     # Other firewall rules
289 |     # insert here your firewall rules
290 |     $IPT -A INPUT -p tcp --dport 1234 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
291 | ```
292 | 
293 | **NOTE2** if you use a swarm cluster uncomment the lines under *Swarm mode - uncomment to enable swarm access (adjust source lan)* and adjust your LAN subnet
294 | 
295 | To install iptables-docker on a local machine, clone this repository and run *sudo sh install.sh*
296 | 
297 | ```
298 | sudo sh install.sh 
299 | 
300 | Set iptables to iptables-legacy
301 | Disable ufw,firewalld
302 | Synchronizing state of ufw.service with SysV service script with /lib/systemd/systemd-sysv-install.
303 | Executing: /lib/systemd/systemd-sysv-install disable ufw
304 | Failed to stop firewalld.service: Unit firewalld.service not loaded.
305 | Failed to disable unit: Unit file firewalld.service does not exist.
306 | Install iptables-docker.sh
307 | Create systemd unit
308 | Enable iptables-docker.service
309 | Created symlink /etc/systemd/system/multi-user.target.wants/iptables-docker.service → /etc/systemd/system/iptables-docker.service.
310 | start iptables-docker.service
311 | ```
312 | 
313 | #### Automated install (ansible)
314 | 
315 | You can also use ansible to deploy iptables-docker everywhere. To do this adjust the settings under group_vars/main.yml.
316 | 
317 | | Label   | Default | Description |
318 | | ------- | ------- | ----------- |
319 | | `docker_preserve` | `yes`      | Preserve docker iptables rules  |
320 | | `swarm_enabled` | `no`        | Tells to ansible to open the required ports for the swarm cluster  |
321 | | `ebable_icmp_messages` | `yes`        | Enable response to ping requests  |
322 | | `swarm_cidr` | `192.168.1.0/24`        | Local docker swarm subnet  |
323 | | `ssh_allow_cidr` | `0.0.0.0/0`        | SSH alloed subnet (default everywhere)  |
324 | | `iptables_allow_rules` | `[]`        | List of dict to dynamically open ports. Each dict has the following key: desc, proto, from, port. See group_vars/all.yml for examples |
325 | | `iptables_docker_uninstall` | `no`        | Uninstall iptables-docker  |
326 | 
327 | Now create the inventory (hosts.ini file) or use an inline inventory and run the playbook:
328 | 
329 | ```
330 | ansible-playbook -i hosts.ini site.yml
331 | ```
332 | 
333 | ### Usage
334 | 
335 | To start the service use:
336 | 
337 | ```
338 | sudo systemctl start iptables-docker
339 | 
340 | or 
341 | 
342 | sudo iptables-docker.sh start
343 | ```
344 | 
345 | To stop the srevice use:
346 | 
347 | ```
348 | sudo systemctl stop iptables-docker
349 | 
350 | or 
351 | 
352 | sudo iptables-docker.sh stop
353 | ```
354 | 
355 | ### Test iptables-docker
356 | 
357 | Now if you turn off the firewall with *sudo systemctl stop iptables-docker* and if you check the iptable-save output, you will see that the docker rules are still there:
358 | 
359 | ```
360 | sudo iptables-save
361 | 
362 | # Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021
363 | *mangle
364 | :PREROUTING ACCEPT [346:23349]
365 | :INPUT ACCEPT [346:23349]
366 | :FORWARD ACCEPT [0:0]
367 | :OUTPUT ACCEPT [340:24333]
368 | :POSTROUTING ACCEPT [340:24333]
369 | COMMIT
370 | # Completed on Thu Oct 14 15:52:30 2021
371 | # Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021
372 | *nat
373 | :PREROUTING ACCEPT [0:0]
374 | :INPUT ACCEPT [0:0]
375 | :OUTPUT ACCEPT [0:0]
376 | :POSTROUTING ACCEPT [0:0]
377 | :DOCKER - [0:0]
378 | :DOCKER-INGRESS - [0:0]
379 | -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
380 | -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
381 | -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
382 | -A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
383 | -A DOCKER -i docker0 -j RETURN
384 | -A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
385 | COMMIT
386 | # Completed on Thu Oct 14 15:52:30 2021
387 | # Generated by iptables-save v1.8.4 on Thu Oct 14 15:52:30 2021
388 | *filter
389 | :INPUT ACCEPT [357:24327]
390 | :FORWARD DROP [0:0]
391 | :OUTPUT ACCEPT [355:26075]
392 | :DOCKER - [0:0]
393 | :DOCKER-INGRESS - [0:0]
394 | :DOCKER-ISOLATION-STAGE-1 - [0:0]
395 | :DOCKER-ISOLATION-STAGE-2 - [0:0]
396 | :DOCKER-USER - [0:0]
397 | -A FORWARD -j DOCKER-USER
398 | -A FORWARD -j DOCKER-ISOLATION-STAGE-1
399 | -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
400 | -A FORWARD -o docker0 -j DOCKER
401 | -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
402 | -A FORWARD -i docker0 -o docker0 -j ACCEPT
403 | -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
404 | -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
405 | -A DOCKER-ISOLATION-STAGE-1 -j RETURN
406 | -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
407 | -A DOCKER-ISOLATION-STAGE-2 -j RETURN
408 | -A DOCKER-USER -j RETURN
409 | COMMIT
410 | # Completed on Thu Oct 14 15:52:30 2021
411 | ```
412 | 
413 | our container is still accesible form the outside:
414 | 
415 | ```
416 |  curl -v http://192.168.25.200:8080
417 | *   Trying 192.168.25.200:8080...
418 | * TCP_NODELAY set
419 | * Connected to 192.168.25.200 (192.168.25.200) port 8080 (#0)
420 | > GET / HTTP/1.1
421 | > Host: 192.168.25.200:8080
422 | > User-Agent: curl/7.68.0
423 | > Accept: */*
424 | > 
425 | * Mark bundle as not supporting multiuse
426 | < HTTP/1.1 200 OK
427 | < Server: nginx/1.21.1
428 | < Date: Thu, 14 Oct 2021 13:53:33 GMT
429 | < Content-Type: text/html
430 | < Content-Length: 612
431 | < Last-Modified: Tue, 06 Jul 2021 14:59:17 GMT
432 | < Connection: keep-alive
433 | < ETag: "60e46fc5-264"
434 | < Accept-Ranges: bytes
435 | ```
436 | 
437 | and our container can reach internet:
438 | 
439 | ```
440 | docker run --rm nginx curl ipinfo.io/ip
441 |   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
442 |                                  Dload  Upload   Total   Spent    Left  Speed
443 | 100    15  100    15    0     0     94      0 --:--:-- --:--:-- --:--:--    94
444 | my-public-ip-address
445 | ```
446 | 
447 | ### Important notes
448 | 
449 | Before install iptables-docker please read this notes:
450 | 
451 | * both local install and ansible install configure your system to use **iptables-legacy**
452 | * by default **only** port 22 is allowed
453 | * ufw and firewalld will be permanently **disabled**
454 | * filtering on all docker interfaces is disabled
455 | 
456 | Docker interfaces are:
457 | 
458 | * vethXXXXXX interfaces
459 | * br-XXXXXXXXXXX interfaces
460 | * docker0 interface
461 | * docker_gwbridge interface 
462 | 
463 | ### Extending iptables-docker
464 | 
465 | You can extend or modify iptables-docker by editing:
466 | 
467 | * src/iptables-docker.sh for the local install (sh)
468 | * roles/iptables-docker/templates/iptables-docker.sh.j2 template file for the automated install (ansible)
469 | 
470 | ### Uninstall
471 | 
472 | #### Local install (sh)
473 | 
474 | Run uninstall.sh
475 | 
476 | #### Automated install (ansible)
477 | 
478 | set the variable "iptables_docker_uninstall" to "yes" into group_vars/all.yml and run the playbook.
479 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                     GNU GENERAL PUBLIC LICENSE
  2 |                        Version 3, 29 June 2007
  3 | 
  4 |  Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
  5 |  Everyone is permitted to copy and distribute verbatim copies
  6 |  of this license document, but changing it is not allowed.
  7 | 
  8 |                             Preamble
  9 | 
 10 |   The GNU General Public License is a free, copyleft license for
 11 | software and other kinds of works.
 12 | 
 13 |   The licenses for most software and other practical works are designed
 14 | to take away your freedom to share and change the works.  By contrast,
 15 | the GNU General Public License is intended to guarantee your freedom to
 16 | share and change all versions of a program--to make sure it remains free
 17 | software for all its users.  We, the Free Software Foundation, use the
 18 | GNU General Public License for most of our software; it applies also to
 19 | any other work released this way by its authors.  You can apply it to
 20 | your programs, too.
 21 | 
 22 |   When we speak of free software, we are referring to freedom, not
 23 | price.  Our General Public Licenses are designed to make sure that you
 24 | have the freedom to distribute copies of free software (and charge for
 25 | them if you wish), that you receive source code or can get it if you
 26 | want it, that you can change the software or use pieces of it in new
 27 | free programs, and that you know you can do these things.
 28 | 
 29 |   To protect your rights, we need to prevent others from denying you
 30 | these rights or asking you to surrender the rights.  Therefore, you have
 31 | certain responsibilities if you distribute copies of the software, or if
 32 | you modify it: responsibilities to respect the freedom of others.
 33 | 
 34 |   For example, if you distribute copies of such a program, whether
 35 | gratis or for a fee, you must pass on to the recipients the same
 36 | freedoms that you received.  You must make sure that they, too, receive
 37 | or can get the source code.  And you must show them these terms so they
 38 | know their rights.
 39 | 
 40 |   Developers that use the GNU GPL protect your rights with two steps:
 41 | (1) assert copyright on the software, and (2) offer you this License
 42 | giving you legal permission to copy, distribute and/or modify it.
 43 | 
 44 |   For the developers' and authors' protection, the GPL clearly explains
 45 | that there is no warranty for this free software.  For both users' and
 46 | authors' sake, the GPL requires that modified versions be marked as
 47 | changed, so that their problems will not be attributed erroneously to
 48 | authors of previous versions.
 49 | 
 50 |   Some devices are designed to deny users access to install or run
 51 | modified versions of the software inside them, although the manufacturer
 52 | can do so.  This is fundamentally incompatible with the aim of
 53 | protecting users' freedom to change the software.  The systematic
 54 | pattern of such abuse occurs in the area of products for individuals to
 55 | use, which is precisely where it is most unacceptable.  Therefore, we
 56 | have designed this version of the GPL to prohibit the practice for those
 57 | products.  If such problems arise substantially in other domains, we
 58 | stand ready to extend this provision to those domains in future versions
 59 | of the GPL, as needed to protect the freedom of users.
 60 | 
 61 |   Finally, every program is threatened constantly by software patents.
 62 | States should not allow patents to restrict development and use of
 63 | software on general-purpose computers, but in those that do, we wish to
 64 | avoid the special danger that patents applied to a free program could
 65 | make it effectively proprietary.  To prevent this, the GPL assures that
 66 | patents cannot be used to render the program non-free.
 67 | 
 68 |   The precise terms and conditions for copying, distribution and
 69 | modification follow.
 70 | 
 71 |                        TERMS AND CONDITIONS
 72 | 
 73 |   0. Definitions.
 74 | 
 75 |   "This License" refers to version 3 of the GNU General Public License.
 76 | 
 77 |   "Copyright" also means copyright-like laws that apply to other kinds of
 78 | works, such as semiconductor masks.
 79 | 
 80 |   "The Program" refers to any copyrightable work licensed under this
 81 | License.  Each licensee is addressed as "you".  "Licensees" and
 82 | "recipients" may be individuals or organizations.
 83 | 
 84 |   To "modify" a work means to copy from or adapt all or part of the work
 85 | in a fashion requiring copyright permission, other than the making of an
 86 | exact copy.  The resulting work is called a "modified version" of the
 87 | earlier work or a work "based on" the earlier work.
 88 | 
 89 |   A "covered work" means either the unmodified Program or a work based
 90 | on the Program.
 91 | 
 92 |   To "propagate" a work means to do anything with it that, without
 93 | permission, would make you directly or secondarily liable for
 94 | infringement under applicable copyright law, except executing it on a
 95 | computer or modifying a private copy.  Propagation includes copying,
 96 | distribution (with or without modification), making available to the
 97 | public, and in some countries other activities as well.
 98 | 
 99 |   To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies.  Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 | 
103 |   An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License.  If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 | 
112 |   1. Source Code.
113 | 
114 |   The "source code" for a work means the preferred form of the work
115 | for making modifications to it.  "Object code" means any non-source
116 | form of a work.
117 | 
118 |   A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 | 
123 |   The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form.  A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 | 
134 |   The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities.  However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work.  For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 | 
147 |   The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 | 
151 |   The Corresponding Source for a work in source code form is that
152 | same work.
153 | 
154 |   2. Basic Permissions.
155 | 
156 |   All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met.  This License explicitly affirms your unlimited
159 | permission to run the unmodified Program.  The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work.  This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 | 
164 |   You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force.  You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright.  Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 | 
175 |   Conveying under any other circumstances is permitted solely under
176 | the conditions stated below.  Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 | 
179 |   3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 | 
181 |   No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 | 
187 |   When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 | 
195 |   4. Conveying Verbatim Copies.
196 | 
197 |   You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 | 
205 |   You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 | 
208 |   5. Conveying Modified Source Versions.
209 | 
210 |   You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 | 
214 |     a) The work must carry prominent notices stating that you modified
215 |     it, and giving a relevant date.
216 | 
217 |     b) The work must carry prominent notices stating that it is
218 |     released under this License and any conditions added under section
219 |     7.  This requirement modifies the requirement in section 4 to
220 |     "keep intact all notices".
221 | 
222 |     c) You must license the entire work, as a whole, under this
223 |     License to anyone who comes into possession of a copy.  This
224 |     License will therefore apply, along with any applicable section 7
225 |     additional terms, to the whole of the work, and all its parts,
226 |     regardless of how they are packaged.  This License gives no
227 |     permission to license the work in any other way, but it does not
228 |     invalidate such permission if you have separately received it.
229 | 
230 |     d) If the work has interactive user interfaces, each must display
231 |     Appropriate Legal Notices; however, if the Program has interactive
232 |     interfaces that do not display Appropriate Legal Notices, your
233 |     work need not make them do so.
234 | 
235 |   A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit.  Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 | 
245 |   6. Conveying Non-Source Forms.
246 | 
247 |   You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 | 
252 |     a) Convey the object code in, or embodied in, a physical product
253 |     (including a physical distribution medium), accompanied by the
254 |     Corresponding Source fixed on a durable physical medium
255 |     customarily used for software interchange.
256 | 
257 |     b) Convey the object code in, or embodied in, a physical product
258 |     (including a physical distribution medium), accompanied by a
259 |     written offer, valid for at least three years and valid for as
260 |     long as you offer spare parts or customer support for that product
261 |     model, to give anyone who possesses the object code either (1) a
262 |     copy of the Corresponding Source for all the software in the
263 |     product that is covered by this License, on a durable physical
264 |     medium customarily used for software interchange, for a price no
265 |     more than your reasonable cost of physically performing this
266 |     conveying of source, or (2) access to copy the
267 |     Corresponding Source from a network server at no charge.
268 | 
269 |     c) Convey individual copies of the object code with a copy of the
270 |     written offer to provide the Corresponding Source.  This
271 |     alternative is allowed only occasionally and noncommercially, and
272 |     only if you received the object code with such an offer, in accord
273 |     with subsection 6b.
274 | 
275 |     d) Convey the object code by offering access from a designated
276 |     place (gratis or for a charge), and offer equivalent access to the
277 |     Corresponding Source in the same way through the same place at no
278 |     further charge.  You need not require recipients to copy the
279 |     Corresponding Source along with the object code.  If the place to
280 |     copy the object code is a network server, the Corresponding Source
281 |     may be on a different server (operated by you or a third party)
282 |     that supports equivalent copying facilities, provided you maintain
283 |     clear directions next to the object code saying where to find the
284 |     Corresponding Source.  Regardless of what server hosts the
285 |     Corresponding Source, you remain obligated to ensure that it is
286 |     available for as long as needed to satisfy these requirements.
287 | 
288 |     e) Convey the object code using peer-to-peer transmission, provided
289 |     you inform other peers where the object code and Corresponding
290 |     Source of the work are being offered to the general public at no
291 |     charge under subsection 6d.
292 | 
293 |   A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 | 
297 |   A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling.  In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage.  For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product.  A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 | 
310 |   "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source.  The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 | 
318 |   If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information.  But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 | 
329 |   The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed.  Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 | 
337 |   Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 | 
343 |   7. Additional Terms.
344 | 
345 |   "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law.  If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 | 
354 |   When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it.  (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.)  You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 | 
361 |   Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 | 
365 |     a) Disclaiming warranty or limiting liability differently from the
366 |     terms of sections 15 and 16 of this License; or
367 | 
368 |     b) Requiring preservation of specified reasonable legal notices or
369 |     author attributions in that material or in the Appropriate Legal
370 |     Notices displayed by works containing it; or
371 | 
372 |     c) Prohibiting misrepresentation of the origin of that material, or
373 |     requiring that modified versions of such material be marked in
374 |     reasonable ways as different from the original version; or
375 | 
376 |     d) Limiting the use for publicity purposes of names of licensors or
377 |     authors of the material; or
378 | 
379 |     e) Declining to grant rights under trademark law for use of some
380 |     trade names, trademarks, or service marks; or
381 | 
382 |     f) Requiring indemnification of licensors and authors of that
383 |     material by anyone who conveys the material (or modified versions of
384 |     it) with contractual assumptions of liability to the recipient, for
385 |     any liability that these contractual assumptions directly impose on
386 |     those licensors and authors.
387 | 
388 |   All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10.  If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term.  If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 | 
398 |   If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 | 
403 |   Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 | 
407 |   8. Termination.
408 | 
409 |   You may not propagate or modify a covered work except as expressly
410 | provided under this License.  Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 | 
415 |   However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 | 
422 |   Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 | 
429 |   Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License.  If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 | 
435 |   9. Acceptance Not Required for Having Copies.
436 | 
437 |   You are not required to accept this License in order to receive or
438 | run a copy of the Program.  Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance.  However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work.  These actions infringe copyright if you do
443 | not accept this License.  Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 | 
446 |   10. Automatic Licensing of Downstream Recipients.
447 | 
448 |   Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License.  You are not responsible
451 | for enforcing compliance by third parties with this License.
452 | 
453 |   An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations.  If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 | 
463 |   You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License.  For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 | 
471 |   11. Patents.
472 | 
473 |   A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based.  The
475 | work thus licensed is called the contributor's "contributor version".
476 | 
477 |   A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version.  For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 | 
487 |   Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 | 
492 |   In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement).  To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 | 
499 |   If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients.  "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 | 
513 |   If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 | 
521 |   A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License.  You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 | 
536 |   Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 | 
540 |   12. No Surrender of Others' Freedom.
541 | 
542 |   If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License.  If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all.  For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 | 
552 |   13. Use with the GNU Affero General Public License.
553 | 
554 |   Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work.  The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 | 
563 |   14. Revised Versions of this License.
564 | 
565 |   The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time.  Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 | 
570 |   Each version is given a distinguishing version number.  If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation.  If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 | 
579 |   If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 | 
584 |   Later license versions may give you additional or different
585 | permissions.  However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 | 
589 |   15. Disclaimer of Warranty.
590 | 
591 |   THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 | 
600 |   16. Limitation of Liability.
601 | 
602 |   IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 | 
612 |   17. Interpretation of Sections 15 and 16.
613 | 
614 |   If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 | 
621 |                      END OF TERMS AND CONDITIONS
622 | 
623 |             How to Apply These Terms to Your New Programs
624 | 
625 |   If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 | 
629 |   To do so, attach the following notices to the program.  It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 | 
634 |     <one line to give the program's name and a brief idea of what it does.>
635 |     Copyright (C) <year>  <name of author>
636 | 
637 |     This program is free software: you can redistribute it and/or modify
638 |     it under the terms of the GNU General Public License as published by
639 |     the Free Software Foundation, either version 3 of the License, or
640 |     (at your option) any later version.
641 | 
642 |     This program is distributed in the hope that it will be useful,
643 |     but WITHOUT ANY WARRANTY; without even the implied warranty of
644 |     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
645 |     GNU General Public License for more details.
646 | 
647 |     You should have received a copy of the GNU General Public License
648 |     along with this program.  If not, see <https://www.gnu.org/licenses/>.
649 | 
650 | Also add information on how to contact you by electronic and paper mail.
651 | 
652 |   If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 | 
655 |     <program>  Copyright (C) <year>  <name of author>
656 |     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 |     This is free software, and you are welcome to redistribute it
658 |     under certain conditions; type `show c' for details.
659 | 
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License.  Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 | 
664 |   You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 | 
669 |   The GNU General Public License does not permit incorporating your program
670 | into proprietary programs.  If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library.  If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License.  But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.


--------------------------------------------------------------------------------