From e9c3d96415034054b9e0e8efcc4162f8a4ed1adf Mon Sep 17 00:00:00 2001
From: Sebastian Schmittner
Date: Fri, 1 Apr 2022 10:08:56 +0200
Subject: [PATCH 1/4] improved docker ip rules script

Signed-off-by: Sebastian Schmittner

---
 git-filter-add-signoff.py | 14 --------
 run/{idu_ips => ips} | 2 ++
 run/set_iptables_for_idu.sh | 69 ------------------------------------
 3 files changed, 2 insertions(+), 83 deletions(-)
 delete mode 100644 git-filter-add-signoff.py
 rename run/{idu_ips => ips} (84%)
 delete mode 100755 run/set_iptables_for_idu.sh

diff --git a/git-filter-add-signoff.py b/git-filter-add-signoff.py
deleted file mode 100644
index 1cc4a0a..0000000
--- a/git-filter-add-signoff.py
+++ /dev/null
@@ -1,14 +0,0 @@
- # This file is supposed to be used as `python3 .../git-filter-repo.py --force --commit-callback "$(cat git-filter-add-signoff.py)"`
- # Mind to adapt the following before:
- usernames = [b"Sebastian Schmittner", b"HackMD", b"Artur A Philipp", b"debian"]
- email = b"sebastian.schmittner@eecc.de"
- # See https://htmlpreview.github.io/?https://github.com/newren/git-filter-repo/blob/docs/html/git-filter-repo.html#CALLBACKS
- #
- # * Commit: `branch`, `original_id`, `author_name`, `author_email`,
- `author_date`, `committer_name`, `committer_email`,
- `committer_date`, `message`, `file_changes` (list of
- FileChange objects, each containing a `type`, `filename`,
- `mode`, and `blob_id`), `parents` (list of hashes or integer
- marks)
- if commit.author_name in usernames and b"Signed-off-by:" not in commit.message:
- commit.message = commit.message + b"\n\nSigned-off-by: " + usernames[0] + b" <" + email + b">"
diff --git a/run/idu_ips b/run/ips
similarity index 84%
rename from run/idu_ips
rename to run/ips
index 14b1c7f..30fd583 100644
--- a/run/idu_ips
+++ b/run/ips
@@ -1,3 +1,4 @@
+# Example ip list file of ID Union
 141.23.35.186
 185.27.183.119
 185.40.248.112
@@ -10,6 +11,7 @@
 20.52.50.218
 3.120.0.165
 3.126.145.208
+3.68.130.199
 35.207.81.15
 54.93.174.90
 81.200.193.110
diff --git a/run/set_iptables_for_idu.sh b/run/set_iptables_for_idu.sh
deleted file mode 100755
index 5e2a1bc..0000000
--- a/run/set_iptables_for_idu.sh
+++ /dev/null
@@ -1,69 +0,0 @@
-#!/bin/bash
-
-set -e
-
-usage()
-{
- echo "Usage:"
- echo "INTERFACE=[your_network_interface] IP_FILE=[path_to_ip_addresses_file] $0"
- echo "Where the ip adresses file should contain the white list of nodes"
- echo "in your network. One ip address per line."
- echo "The network interface should be the physical one used for incoming connections from the internet"
- echo
- echo "This script needs to be run as root/via sudo."
- echo
-}
-
-# skip existing rules to avoid duplicates
-add_new_rule()
-{
- RULE="$@"
-
- if iptables -C $RULE 2>/dev/null 1>&2; then
- echo "[skip] $RULE already exists"
- elif [[ "$RULE" == *"DROP"* ]]; then
- iptables -A $RULE
- echo "[ok] $RULE added to the end of the chain"
- else
- iptables -I $RULE
- echo "[ok] $RULE added"
- fi
-}
-
-# -h --help --whatever
-if ! [ -z "$*" ]; then
- usage
- exit 0
-fi
-
-
-echo "INTERFACE=${INTERFACE:=ens18}"
-
-# check if INTERFACE is set to an inet facing interface
-if ! ip a | grep inet | grep "$INTERFACE" >/dev/null; then
- echo "interface $INTERFACE does not seem to be an internet facing interface"
- usage
- exit 1
-fi
-
-echo "IP_FILE=${IP_FILE:=idu_ips}"
-
-if ! [ -f "$IP_FILE" ]; then
- echo "file $IP_FILE not found"
- usage
- exit 1
-fi
-
-
-
-# 9701 whitelist approach: drop all others INCOMING (-i) connections
-add_new_rule DOCKER-USER -p tcp -i $INTERFACE --dport 9701 -j DROP
-
-# 9701 create IP whitelist from file
-while read IP; do
- add_new_rule DOCKER-USER -p tcp --dport 9701 -s $IP -j ACCEPT
-done < "$IP_FILE"
-
-# 9702 connlimit
-add_new_rule DOCKER-USER -p tcp --syn --dport 9702 -m connlimit --connlimit-above 16 -j REJECT
-

From 27be990a9172ef3f4535a652aa07c7cfe2639b83 Mon Sep 17 00:00:00 2001
From: Sebastian Schmittner
Date: Fri, 1 Apr 2022 10:16:00 +0200
Subject: [PATCH 2/4] readme

Signed-off-by: Sebastian Schmittner

---
 run/README.md | 9 +++++++++
 run/ips | 21 ---------------------
 2 files changed, 9 insertions(+), 21 deletions(-)
 delete mode 100644 run/ips

diff --git a/run/README.md b/run/README.md
index ac0ccd1..ee6953d 100644
--- a/run/README.md
+++ b/run/README.md
@@ -27,6 +27,15 @@ The relevant directories are mounted as
 giving direct access to the relevant config files from the host machine, if needed.
 Note that the `NETWORK_NAME` in `indy_config.py` is overridden at startup with the value from `INDY_NETWORK_NAME` from `.env`.
 
+## Firewall (IP Tables)
+
+If the firewall rules for your indy node are not set elsewhere (on the docker host or upstream), you may want to use the
+[set_iptables.sh](./set_iptables.sh) script to set the recommended firewall settings for your node in the DOCKER-USER
+chain.
+See `./set_iptables.sh -h` for usage information. You will need to provide the list of ip addresses of nodes in your
+network in a suitable file.
+
+
 ## Logging
 
 The log dir is mounted to `./log_indy` by default to ease access to the log files.
diff --git a/run/ips b/run/ips
deleted file mode 100644
index 30fd583..0000000
--- a/run/ips
+++ /dev/null
@@ -1,21 +0,0 @@
-# Example ip list file of ID Union
-141.23.35.186
-185.27.183.119
-185.40.248.112
-193.28.64.163
-194.110.133.202
-194.94.127.49
-20.50.220.191
-20.52.38.11
-20.52.50.218
-20.52.50.218
-3.120.0.165
-3.126.145.208
-3.68.130.199
-35.207.81.15
-54.93.174.90
-81.200.193.110
-81.200.193.232
-81.200.196.255
-91.102.136.153
-94.130.34.253

From 878b00953a05cbe53c7ecfc7acdb4b1e2a6f8168 Mon Sep 17 00:00:00 2001
From: Sebastian Schmittner
Date: Fri, 8 Apr 2022 09:32:01 +0200
Subject: [PATCH 3/4] maned to be renamed, not deleted

Signed-off-by: Sebastian Schmittner

---
 run/set_iptables.sh | 92 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100755 run/set_iptables.sh

diff --git a/run/set_iptables.sh b/run/set_iptables.sh
new file mode 100755
index 0000000..592b163
--- /dev/null
+++ b/run/set_iptables.sh
@@ -0,0 +1,92 @@
+#!/bin/bash
+
+set +x
+set -e
+
+DEFAULT_ADRESS_FILE=ips
+echo "INTERNAL_PORT=${INTERNAL_PORT:=9701}"
+echo "CLI_PORT=${CLI_PORT:=9702}"
+echo "CHAIN=${CHAIN:=DOCKER-USER}"
+echo "MAX_CONN=${MAX_CONN:=500}"
+
+usage() {
+ echo
+ echo "Usage:"
+ echo -n "INTERFACE=[your_network_interface] IP_FILE=[path_to_ip_addresses_file, defaults to $DEFAULT_ADRESS_FILE] "
+ echo -n "INTERNAL_PORT[default 9701] CLI_PORT=[default 9702] CHAIN[default DOCKER-USER] MAX_CONN[default 500]"
+ echo "$0"
+ echo
+ echo "This script will add rules to your ip tables chain CHAIN to allow incoming connections on port INTERNAL_PORT"
+ echo "only from ips listed in the IP_FILE. It will also restrict the number of connections to port CLI_PORT to MAX_CONN."
+ echo
+ echo "The ip adresses file should contain the list of nodes"
+ echo "in your network. One ip address per line."
+ echo "The network interface should be the physical one used for incoming connections from the internet"
+ echo
+ echo "This script needs to be run as root/via sudo."
+ echo
+}
+
+# skip existing rules to avoid duplicates
+add_new_rule() {
+ RULE="$@"
+
+ if iptables -C $RULE 2>/dev/null 1>&2; then
+ echo "[skip] $RULE already exists"
+ elif [[ "$RULE" == *"DROP"* ]] || [[ "$RULE" == *"RETURN"* ]]; then
+ iptables -A $RULE
+ echo "[ok] $RULE added to the end of the chain"
+ else
+ iptables -I $RULE
+ echo "[ok] $RULE added to the beginning of the chain"
+ fi
+}
+
+make_last_rule() {
+ RULE="$@"
+ while iptables -C $RULE 2>/dev/null 1>&2; do
+ iptables -D $RULE
+ echo "[ok] $RULE deleted"
+ done
+ iptables -A $RULE
+ echo "[ok] $RULE added to the end of the chain"
+}
+
+# -h --help --whatever
+if ! [ -z "$*" ]; then
+ usage
+ exit 0
+fi
+
+echo "INTERFACE=${INTERFACE:=ens18}"
+
+# check if INTERFACE is set to an inet facing interface
+if ! ip a | grep inet | grep "$INTERFACE" >/dev/null; then
+ echo "interface '$INTERFACE' does not seem to be an internet facing interface"
+ usage
+ exit 1
+fi
+
+echo "IP_FILE=${IP_FILE:=$DEFAULT_ADRESS_FILE}"
+
+if ! [ -f "$IP_FILE" ]; then
+ echo "file '$IP_FILE' not found"
+ usage
+ exit 1
+fi
+
+# 9701 whitelist approach: drop all others INCOMING (-i) connections
+add_new_rule $CHAIN -p tcp -i $INTERFACE --dport $INTERNAL_PORT -j DROP
+
+# 9701 create IP whitelist from file
+while read IP; do
+ if [[ "$IP" != "#"* ]] && [[ "$IP" != "" ]]; then
+ add_new_rule $CHAIN -p tcp --dport $INTERNAL_PORT -s $IP -j ACCEPT
+ fi
+done <"$IP_FILE"
+
+# 9702 connlimit
+add_new_rule $CHAIN -p tcp --syn --dport $CLI_PORT -m connlimit --connlimit-above $MAX_CONN -j REJECT
+
+# make sure, RETURN ist the last rule
+make_last_rule $CHAIN -j RETURN

From d38bb0d8b722bd29af09545ba8986d2a27f60b1e Mon Sep 17 00:00:00 2001
From: Sebastian Schmittner
Date: Fri, 8 Apr 2022 09:40:57 +0200
Subject: [PATCH 4/4] more explanation

Signed-off-by: Sebastian Schmittner

---
 run/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/run/README.md b/run/README.md
index ee6953d..7584c74 100644
--- a/run/README.md
+++ b/run/README.md
@@ -33,7 +33,8 @@ If the firewall rules for your indy node are not set elsewhere (on the docker ho
 [set_iptables.sh](./set_iptables.sh) script to set the recommended firewall settings for your node in the DOCKER-USER
 chain.
 See `./set_iptables.sh -h` for usage information. You will need to provide the list of ip addresses of nodes in your
-network in a suitable file.
+network in a suitable file. To this end, create a file called `ips` (filename can be changed via variables `IP_FILE=... ./set_iptables.sh`) and put your network's IP addresses into this file, one per line.
+
 
 
 ## Logging
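Review bot: The whitelist loop at `while read IP; do` passes each non-comment line of IP_FILE unvalidated and unquoted as `-s $IP`, so a trailing CR, trailing whitespace or an in-line comment produces an iptables error, and under `set -e` the script then aborts after the DROP rule for INTERNAL_PORT has already been appended, leaving the port closed to every peer until the list is fixed and the script re-run. Validating the list before the first `add_new_rule` call avoids that half-applied state, and `IFS=$' \t\r' read -r IP _` in both loops tolerates CR line endings and trailing text; the pattern below only admits IPv4 with an optional prefix length, which is what the example list holds, so it would need widening if IPv6 peers are expected. Separately, the `ip a | grep inet | grep "$INTERFACE"` test is a substring match, so an interface name that is a prefix of another one (or of an address) passes; `grep -w -- "$INTERFACE"` would be a tighter check.
```shell
# validate the address list before any rule is touched: an iptables error
# inside the whitelist loop would otherwise abort the script with only the
# DROP rule in place
ipv4_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
while IFS=$' \t\r' read -r IP _; do
  if [[ "$IP" != "#"* ]] && [[ "$IP" != "" ]] && ! [[ "$IP" =~ $ipv4_re ]]; then
    echo "invalid address '$IP' in '$IP_FILE'"
    exit 1
  fi
done <"$IP_FILE"

# … unchanged: DROP rule for INTERNAL_PORT …

# 9701 create IP whitelist from file
while IFS=$' \t\r' read -r IP _; do
  # … unchanged: comment/empty-line check and add_new_rule … ACCEPT …
done <"$IP_FILE"
```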