@ggtools
Last active December 14, 2016 14:56
Shell hack to protect Docker published services from being reachable through a public interface. A systemd drop-in for the Docker service runs the script below after dockerd starts and before it stops; the script hooks a reject-by-default chain into FORWARD for traffic arriving on the public interface, and saves the chain (with whatever allow rules were inserted ahead of the REJECT) across restarts.
# systemd drop-in for the Docker service unit.
# The leading "-" on EnvironmentFile makes a missing file non-fatal; on the
# Exec lines it makes a non-zero exit status non-fatal for the unit.
[Service]
EnvironmentFile=-/etc/sysconfig/docker-pfw
ExecStartPost=-/usr/local/bin/docker-pfw.sh start
ExecStopPost=-/usr/local/bin/docker-pfw.sh stop
#!/usr/bin/env bash
# docker-pfw.sh: keep Docker's published ports off the public interface.
# "start" hooks a reject-by-default chain into FORWARD for traffic entering
# on the public interface (restoring a saved copy if one exists); "stop"
# saves the chain, including any allow rules the admin inserted ahead of the
# REJECT, and removes it. Only forwarded (container) traffic is affected,
# and only IPv4: ip6tables is not touched.
set -e

# Defaults; each can be overridden from the EnvironmentFile named in the
# systemd drop-in (a plain assignment would silently discard those values).
DPFW_FILE=${DPFW_FILE:-/etc/docker/iptables-pfw.save}
DPFW_CHAIN=${DPFW_CHAIN:-DOCKER-PUB}
DPFW_INTERFACE=${DPFW_INTERFACE:-em0}

case $1 in
start )
    if [ -f "${DPFW_FILE}" ]
    then
        # Restore the saved chain and its FORWARD hook without flushing the
        # rules Docker has just created.
        iptables-restore --noflush --table filter "${DPFW_FILE}"
    else
        # First run: a chain that rejects everything, hooked in at the top of
        # FORWARD so it is evaluated before Docker's own jumps. Allow rules go
        # into the chain ahead of the REJECT.
        iptables -N "${DPFW_CHAIN}"
        iptables -A "${DPFW_CHAIN}" -j REJECT
        iptables -I FORWARD -i "${DPFW_INTERFACE}" -j "${DPFW_CHAIN}"
    fi
    ;;
stop )
    # Save the chain declaration, the FORWARD hook and the chain's rules.
    # The hook is rewritten from -A to -I so that on restore it lands at the
    # top of FORWARD again instead of being appended after Docker's rules.
    {
        echo "*filter"
        iptables-save -c -t filter | grep "${DPFW_CHAIN}" | sed 's/ -A \(FORWARD -i '"${DPFW_INTERFACE}"'\)/ -I \1/'
        echo "COMMIT"
    } >"${DPFW_FILE}"
    # Tear down; these may legitimately fail if the chain is already gone.
    set +e
    iptables -D FORWARD -i "${DPFW_INTERFACE}" -j "${DPFW_CHAIN}"
    iptables -F "${DPFW_CHAIN}"
    iptables -X "${DPFW_CHAIN}"
    set -e
    ;;
esac
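The save-file transform in the stop branch is the part of the script that is easy to get wrong and hard to test on a live firewall, so here it is run over a constructed `iptables-save -c -t filter` dump. This is an added example, not code from the gist; the dump, its counters, the `docker0` rules and the HTTPS allow rule in it are made up for the illustration, and the allow rule assumes the admin ran `iptables -I DOCKER-PUB -p tcp --dport 443 -j RETURN` (the gist itself does not show how allow rules are added).

```shell
#!/usr/bin/env bash
# Added example, not part of the gist: reproduce the "stop" branch's
# save-file generation on a constructed iptables-save dump so the
# grep/sed transform can be checked without touching a live firewall.

DPFW_CHAIN=DOCKER-PUB
DPFW_INTERFACE=em0

# Constructed sample of `iptables-save -c -t filter` on a host running
# Docker with the DOCKER-PUB chain in place and one allow rule (HTTPS to
# the containers, jumping to RETURN) inserted ahead of the REJECT.
SAMPLE_DUMP='# Generated by iptables-save v1.4.21 on Wed Dec 14 14:56:00 2016
*filter
:INPUT ACCEPT [1024:204800]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [512:40960]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-PUB - [0:0]
[17:1360] -A FORWARD -i em0 -j DOCKER-PUB
[0:0] -A FORWARD -j DOCKER-ISOLATION
[9:720] -A FORWARD -o docker0 -j DOCKER
[9:720] -A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
[0:0] -A DOCKER-ISOLATION -j RETURN
[9:720] -A DOCKER-PUB -p tcp -m tcp --dport 443 -j RETURN
[8:640] -A DOCKER-PUB -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Dec 14 14:56:00 2016'

# The gist's stop-branch pipeline, with the dump read from stdin instead
# of from iptables-save. Output is a complete iptables-restore input:
# the chain declaration, the FORWARD hook rewritten to -I so it is
# re-inserted at the top of FORWARD, and the chain's rules in order.
build_save_file() {
    echo "*filter"
    grep "${DPFW_CHAIN}" | sed 's/ -A \(FORWARD -i '"${DPFW_INTERFACE}"'\)/ -I \1/'
    echo "COMMIT"
}

# Generate the save file once and keep it in a variable for inspection.
SAVE_FILE_CONTENT=$(printf '%s\n' "$SAMPLE_DUMP" | build_save_file)

# Exact whole-line membership test against the generated save file.
save_has_line() { printf '%s\n' "$SAVE_FILE_CONTENT" | grep -qxF -- "$1"; }

# Number of lines in the generated save file.
save_line_count() { printf '%s\n' "$SAVE_FILE_CONTENT" | grep -c ''; }

printf '%s\n' "$SAVE_FILE_CONTENT"
```

The result is six lines: `*filter`, the `:DOCKER-PUB - [0:0]` declaration, the hook as `-I FORWARD -i em0 -j DOCKER-PUB`, the RETURN rule, the REJECT rule and `COMMIT`; Docker's own FORWARD and DOCKER rules are left out because they do not mention the chain. Two things to keep in mind when relying on this: the counters are carried along but only restored if `iptables-restore` is given `-c`, which the gist does not do, so they are harmless; and `grep ${DPFW_CHAIN}` is a substring match, so any other chain whose name contains `DOCKER-PUB` would be swept into the save file as well.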