feat(iptables): First draft of firewall-based clocking

hypery2k · hypery2k · commit 4b3d58665ea7 · 2019-06-10T16:14:25.000+02:00
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -1 +1,51 @@
 ---
+# Global config
+iptables_supported_distributions: [ Debian ]
+iptables_packages: [ iptables-persistent ]
+iptables_template_header:
+  - "WARNING: This file is generated automatically with Ansible, do not edit directly!!"
+  - "---"
+
+# Network config
+iptables_v4_enabled: true
+iptables_v6_enabled: true
+
+# Begining of the firewall rules (top of the rules file)
+iptables_v4_rules_header:
+  - name: "Create the BEFORE_DOCKER chain"
+    rules:
+      - "*filter"
+      - ":INPUT ACCEPT [0:0]"
+      - ":FORWARD ACCEPT [0:0]"
+      - ":OUTPUT ACCEPT [0:0]"
+      - ":BEFORE_DOCKER - [0:0]"
+  - name: "Default action"
+    rules:
+      - "-A BEFORE_DOCKER -j DROP"
+  - name: "Allow Docker internal"
+    rules:
+      - "-A BEFORE_DOCKER -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
+      - "-A BEFORE_DOCKER -i docker0 -o docker0 -j ACCEPT"
+  - name: "Allow local connections"
+    rules:
+      - "-A BEFORE_DOCKER -i lo -j ACCEPT"
+      - "-A FORWARD -o docker0 -j BEFORE_DOCKER"
+iptables_v6_rules_header:
+  - name: "Default policy"
+    rules:
+      - "*filter"
+      - ":INPUT ACCEPT [0:0]"
+      - ":FORWARD ACCEPT [0:0]"
+      - ":OUTPUT ACCEPT [0:0]"
+
+# End of the firewall rules (bottom of the rules file)
+iptables_v4_rules_footer:
+  - name: "Finally insert the BEFORE_DOCKER table before the DOCKER table in the FORWARD chain."
+    rules:
+      - "-I BEFORE_DOCKER -i lo -j ACCEPT"
+      - "-I FORWARD -o docker0 -j BEFORE_DOCKER"
+iptables_v6_rules_footer: []
+
+
+# Misc
+TEST_ENV: "{{ 'molecule_' in ansible_hostname }}"
diff --git a/molecule/default/Dockerfile.j2 b/molecule/default/Dockerfile.j2
@@ -6,7 +6,7 @@ FROM {{ item.registry.url }}/{{ item.image }}
 FROM {{ item.image }}
 {% endif %}
 
-RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates cron gpg nginx systemd systemd-sysv vim && apt-get clean; \
+RUN if [ $(command -v apt-get) ]; then apt-get update && apt-get install -y python sudo bash ca-certificates cron gpg nginx systemd systemd-sysv curl vim && apt-get clean; \
     elif [ $(command -v dnf) ]; then dnf makecache && dnf --assumeyes install python sudo python-devel python*-dnf bash && dnf clean all; \
     elif [ $(command -v yum) ]; then yum makecache fast && yum install -y python sudo yum-plugin-ovl bash && sed -i 's/plugins=0/plugins=1/g' /etc/yum.conf && yum clean all; \
     elif [ $(command -v zypper) ]; then zypper refresh && zypper install -y python sudo bash python-xml && zypper clean -a; \
diff --git a/molecule/default/molecule.yml b/molecule/default/molecule.yml
@@ -15,6 +15,12 @@ platforms:
     command: /sbin/init
     capabilities:
       - SYS_ADMIN
+    exposed_ports:
+      - 80/udp
+      - 80/tcp
+    published_ports:
+      - 0.0.0.0:8888:80/udp
+      - 0.0.0.0:8888:80/tcp
     groups:
       - debian
 provisioner:
@@ -27,6 +33,20 @@ provisioner:
   log: true
   lint:
     name: ansible-lint
+scenario:
+  name: default
+  test_sequence:
+    - lint
+    - destroy
+    - dependency
+    - syntax
+    - create
+    - prepare
+    - converge
+    # - idempotence
+    - side_effect
+    - verify
+    - destroy
 verifier:
   name: testinfra
   lint:
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
@@ -11,15 +11,13 @@
     - include_role:
         name: geerlingguy.docker
 
-    - name: Install setuptools
+    - name: Install Python tools
       apt:
-        name: python-setuptools
-        state: present
-
-    - name: Install pip
-      apt:
-        name: python-pip
+        name: "{{ item.name }}"
         state: present
+      with_items:
+        - name: python-setuptools
+        - name: python-pip
 
     - name: Ensure pip_install_packages are installed.
       pip:
diff --git a/molecule/default/tests/test_default.py b/molecule/default/tests/test_default.py
@@ -9,6 +9,5 @@
 def test_docker(host):
 
     daemon = host.service("docker")
-    assert host.file("/etc/docker/daemon.json").exists
     assert daemon.is_running
     assert daemon.is_enabled
diff --git a/molecule/default/tests/test_security.py b/molecule/default/tests/test_security.py
@@ -1,4 +1,6 @@
 import os
+import requests
+from requests import ReadTimeout
 
 import testinfra.utils.ansible_runner
 
@@ -12,6 +14,9 @@ def test_webserver_connected_via_localhost(host):
     assert scks.is_listening
 
 def test_not_webserver_connected_via_public_network(host):
-
-    scks = host.socket("tcp://0.0.0.0:80")
-    assert not scks.is_listening
+    try:
+        response = requests.get('http://localhost:8888', verify=False, timeout=10)
+        # should be never reached
+        assert not response.status_code == 200
+    except ReadTimeout:
+        pass
diff --git a/tasks/main.yml b/tasks/main.yml
@@ -1,9 +1,38 @@
 ---
 
-- name: Create docker config folder
-  file:
-    path: /etc/docker/
-    state: directory
-  tags:
-    - docker
-    - security
+- name: Installing needed packages
+  become: true
+  package:
+    name: "{{ iptables_packages }}"
+    state: present
+    update_cache: true
+
+- name: Copy firewall script into place.
+  template:
+    src: docker-hardening.bash.j2
+    dest: /etc/docker-hardening.bash
+    owner: root
+    group: root
+    mode: 0744
+
+- name: Copy firewall init script into place.
+  template:
+    src: docker-hardening.init.j2
+    dest: /etc/init.d/docker-hardening
+    owner: root
+    group: root
+    mode: 0755
+  when: "ansible_service_mgr != 'systemd'"
+
+- name: Copy firewall systemd unit file into place (for systemd systems).
+  template:
+    src: docker-hardening.unit.j2
+    dest: /etc/systemd/system/docker-hardening.service
+    owner: root
+    group: root
+    mode: 0644
+  when: "ansible_service_mgr == 'systemd'"
+
+- name: Activate Rules
+  become: true
+  shell: /etc/docker-hardening.bash
diff --git a/templates/docker-hardening.bash.j2 b/templates/docker-hardening.bash.j2
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+# Check if the PRE_DOCKER chain exists, if it does there's an existing reference to it.
+iptables -C FORWARD -o docker0 -j BEFORE_DOCKER
+
+if [ $? -eq 0 ]; then
+  # Remove reference (will be re-added again later in this script)
+  iptables -D FORWARD -o docker0 -j BEFORE_DOCKER
+  # Flush all existing rules
+  iptables -F BEFORE_DOCKER
+else
+  # Create the PRE_DOCKER chain
+  iptables -N BEFORE_DOCKER
+fi
+
+# Default action
+iptables -I BEFORE_DOCKER -j DROP
+# Docker internal use
+iptables -I BEFORE_DOCKER -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -I BEFORE_DOCKER -i docker0 -o docker0 -j ACCEPT
+# allow connections from local interface
+iptables -I BEFORE_DOCKER -i lo -j ACCEPT
+# Finally insert the BEFORE_DOCKER table before the DOCKER table in the FORWARD chain.
+iptables -I FORWARD -o docker0 -j BEFORE_DOCKER
diff --git a/templates/docker-hardening.init.j2 b/templates/docker-hardening.init.j2
@@ -0,0 +1,52 @@
+#! /bin/sh
+# /etc/init.d/docker-hardening
+#
+# Firewall init script, to be used with /etc/firewall.bash by Jeff Geerling.
+#
+# @author Jeff Geerling
+
+### BEGIN INIT INFO
+# Provides:          docker-hardening
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Start docker-hardening at boot time.
+# Description:       Enable the docker-hardening.
+### END INIT INFO
+
+# Carry out specific functions when asked to by the system
+case "$1" in
+  start)
+    echo "Starting firewall."
+    /etc/docker-hardening.bash
+    ;;
+  stop)
+    echo "Stopping firewall."
+    iptables -F
+    if [ -x "$(which ip6tables 2>/dev/null)" ]; then
+        ip6tables -F
+    fi
+    ;;
+  restart)
+    echo "Restarting firewall."
+    /etc/docker-hardening.bash
+    ;;
+  status)
+    echo -e "`iptables -L -n`"
+    EXIT=4 # program or service status is unknown
+    NUMBER_OF_RULES=$(iptables-save | grep '^\-' | wc -l)
+    if [ 0 -eq $NUMBER_OF_RULES ]; then
+        EXIT=3 # program is not running
+    else
+        EXIT=0 # program is running or service is OK
+    fi
+    exit $EXIT
+    ;;
+  *)
+    echo "Usage: /etc/init.d/firewall {start|stop|status|restart}"
+    exit 1
+    ;;
+esac
+
+exit 0
diff --git a/templates/docker-hardening.unit.j2 b/templates/docker-hardening.unit.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=docker-hardening
+After=syslog.target network.target
+
+[Service]
+Type=oneshot
+ExecStart=/etc/docker-hardening.bash
+ExecStop=/sbin/iptables -F
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/templates/docker_daemon.json.j2 b/templates/docker_daemon.json.j2
