├── Dockerfile
├── README.md
└── start


/Dockerfile:
--------------------------------------------------------------------------------
 1 | FROM alpine
 2 | 
 3 | RUN \
 4 |   apk --update add iptables bash
 5 | 
 6 | COPY start /start
 7 | 
 8 | CMD /start
 9 | 
10 | 
11 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # IPTABLES firewall container
 2 | 
 3 | If you don't have access to iptables on the host that you're running on this might be useful to you.
 4 | 
 5 | To protect your host with this ... you'll need to set `--net=host` and `--cap-add=NET_ADMIN` in
 6 | your `docker run` command.
 7 | 
 8 | takes two inputs in the form of environment variables with comma seperated values.
 9 | 
10 | * TCP_PORTS:  A list of TCP Ports which we should accept all traffic to
11 | * HOSTS: A list of hosts for which we should accept all traffic
12 | 
13 | any other traffic is DROPped.
14 | 
15 | example usage:
16 | 
17 | ```
18 | $ docker run --name firewall -e TCP_PORTS=22 -e HOSTS=172.12.1.1/32 --rm -ti --cap-add=NET_ADMIN paulczar/iptables
19 | ```
20 | 


--------------------------------------------------------------------------------
/start:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | TCP_PORTS=${TCP_PORTS:-""}
 4 | HOSTS=${HOSTS:-""}
 5 | 
 6 | iptables -P INPUT ACCEPT
 7 | iptables -F
 8 | iptables -A INPUT -i lo -j ACCEPT
 9 | iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
10 |  
11 | # Allow incoming ssh only
12 | for port in ${TCP_PORTS//,/ }; do
13 |   echo Allowing traffic to TCP $port
14 |   iptables -A INPUT -p tcp -s 0/0 --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT
15 | done
16 | 
17 | for host in ${HOSTS//,/ }; do
18 |   echo Allowing traffic from ${host}
19 |   iptables -A INPUT -p tcp -s ${host} -m state --state NEW,ESTABLISHED -j ACCEPT
20 | done
21 | 
22 | iptables -P INPUT DROP
23 | iptables -P FORWARD DROP
24 | iptables -P OUTPUT ACCEPT
25 | 
26 | 
27 | 
28 | exec syslogd -n -O -
29 | 


--------------------------------------------------------------------------------