update Alpine to 3.16.2, bump version to 0.3.0, add Dual Stack IPv4/I…

…Pv6, add ip6tables
300481 · Aug 12, 2022 · 792d745 · 792d745
1 parent 5265b05
commit 792d745
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 42 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,15 @@
-FROM alpine:3.13.5
+FROM alpine:3.16.2
 
 RUN apk --no-cache add \
     bash \
     tini \
-    iptables
+    iptables \
+    ip6tables
 
 COPY configure-firewall.sh /bin
 
 ENV PUBLIC "FALSE"
 
 ENTRYPOINT ["/sbin/tini", "--"]
 
-CMD ["/bin/configure-firewall.sh"]
+CMD ["/bin/configure-firewall.sh"]
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ This container makes the underlying host "magically" disappear during network at
 ### Docker
 
 ```bash
-docker run -d --rm --network="host" --privileged --name shield [ -e "SSH_PORT=65000" -e "PORTSCAN=21,22,23,135,389,636,1433,3306,5432,8086,10000,25565" -e "INTERFACE=eth0" ] 300481/shield:0.2.1
+docker run -d --rm --network="host" --privileged --name shield [ -e "SSH_PORT=65000" -e "PORTSCAN=21,22,23,135,389,636,1433,3306,5432,8086,10000,25565" -e "INTERFACE=eth0" ] 300481/shield:0.3.0
 ```
 
 ### Kubernetes Helm Chart

diff --git a/charts/shield/Chart.yaml b/charts/shield/Chart.yaml
@@ -2,12 +2,13 @@ apiVersion: v2
 name: shield
 description: Helm Chart for shield
 type: application
-version: 0.2.1
-appVersion: 0.2.1
+version: 0.3.0
+appVersion: 0.3.0
 home: https://github.com/300481/shield
 description: shield makes the underlying host "magically" disappear during network attacks.
 keywords:
   - iptables
+  - ip6tables
   - firewall
   - container
   - security
@@ -16,11 +17,11 @@ sources:
 maintainers:
   - name: "300481"
 engine: gotpl
-kubeVersion: ">=1.16.0-0"
+kubeVersion: ">=1.23.0-0"
 annotations:
   artifacthub.io/images: |
     - name: shield
-      image: 300481/shield:0.2.1
+      image: 300481/shield:0.3.0
   artifacthub.io/maintainers: |
     - name: 300481
       email: [email protected]
diff --git a/charts/shield/README.md b/charts/shield/README.md
@@ -4,7 +4,7 @@
 
 ## Prerequisites
 
-- Kubernetes v1.16+
+- Kubernetes v1.23+
 
 ## Get Repo Info
 

diff --git a/configure-firewall.sh b/configure-firewall.sh
@@ -1,14 +1,14 @@
 #!/bin/bash
 
 # https://github.com/vitobotta/docker-firewall
-# https://www.lammertbies.nl/comm/info/iptables.html
-# https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45
+# https://www.lammertbies.nl/comm/info/ipt.html
+# https://medium.com/@ebuschini/ipt-and-docker-95e2496f0b45
 # https://www.rackaid.com/blog/how-to-block-ssh-brute-force-attacks/
 # https://www.linux-magazin.de/ausgaben/2007/04/hausverbot/
-# https://www.thegeekstuff.com/2011/06/iptables-rules-examples/
-# http://go2linux.garron.me/linux/2010/04/stop-brute-force-attacks-these-iptables-examples-732/
+# https://www.thegeekstuff.com/2011/06/ipt-rules-examples/
+# http://go2linux.garron.me/linux/2010/04/stop-brute-force-attacks-these-ipt-examples-732/
 # https://netfilter.org/documentation/HOWTO/de/packet-filtering-HOWTO-7.html
-# https://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
+# https://www.cyberciti.biz/tips/linux-ipt-10-how-to-block-common-attack.html
 
 : ${PORTSCAN:=21,22,23,135,389,636,1433,3306,5432,8086,10000,25565}
 : ${SSH_PORT:=65000}
@@ -19,10 +19,10 @@ cleanup() {
     echo -n "Remove chains..."
     for CHAIN in LIMITS PORTSCAN BOGUS LOGDROP ; do
         for MAIN_CHAIN in INPUT FORWARD ; do
-            [[ ${CHAIN} != "LOGDROP" ]] && iptables -D ${MAIN_CHAIN} -j ${CHAIN}
+            [[ ${CHAIN} != "LOGDROP" ]] && ipt -D ${MAIN_CHAIN} -j ${CHAIN}
         done
-        iptables -F ${CHAIN}
-        iptables -X ${CHAIN}
+        ipt -F ${CHAIN}
+        ipt -X ${CHAIN}
     done
     echo "OK"
     exit 0
@@ -44,47 +44,52 @@ public() {
     return 0
 }
 
+ipt() {
+    iptables $@
+    ip6tables $@
+}
+
 create_chains() {
     echo -n "Create chains..."
     for CHAIN in LIMITS PORTSCAN BOGUS LOGDROP ; do
         # create them for the filter table
-        iptables -N ${CHAIN}
+        ipt -N ${CHAIN}
         for MAIN_CHAIN in INPUT FORWARD ; do
-            [[ ${CHAIN} != "LOGDROP" ]] && iptables -I ${MAIN_CHAIN} -j ${CHAIN}
+            [[ ${CHAIN} != "LOGDROP" ]] && ipt -I ${MAIN_CHAIN} -j ${CHAIN}
         done
     done
     echo "OK"
 }
 
 configure_LOGDROP() {
-    iptables -A LOGDROP -i ${INTERFACE} -m limit --limit 12/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-    iptables -A LOGDROP -i ${INTERFACE} -j DROP
+    ipt -A LOGDROP -i ${INTERFACE} -m limit --limit 12/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
+    ipt -A LOGDROP -i ${INTERFACE} -j DROP
 }
 
 configure_BOGUS() {
     # drop bogus packets
-    iptables -A BOGUS -i ${INTERFACE} -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
-    iptables -A BOGUS -i ${INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
-    iptables -A BOGUS -i ${INTERFACE} -p tcp ! --syn -m state --state NEW -j LOGDROP
+    ipt -A BOGUS -i ${INTERFACE} -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP
+    ipt -A BOGUS -i ${INTERFACE} -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOGDROP
+    ipt -A BOGUS -i ${INTERFACE} -p tcp ! --syn -m state --state NEW -j LOGDROP
     # drop XMAS
-    iptables -A BOGUS -i ${INTERFACE} -p tcp --tcp-flags ALL ALL -j LOGDROP
-    iptables -A BOGUS -i ${INTERFACE} -p tcp --tcp-flags ALL NONE -j LOGDROP
+    ipt -A BOGUS -i ${INTERFACE} -p tcp --tcp-flags ALL ALL -j LOGDROP
+    ipt -A BOGUS -i ${INTERFACE} -p tcp --tcp-flags ALL NONE -j LOGDROP
     # drop fragments
-    iptables -A BOGUS -f -j LOGDROP
+    ipt -A BOGUS -f -j LOGDROP
     # drop private source IPs on public interface
 #    if public ; then
-#        iptables -A BOGUS -s 169.254.0.0/16 -j LOGDROP
-#        iptables -A BOGUS -s 172.16.0.0/12 -j LOGDROP
-#        iptables -A BOGUS -s 192.0.2.0/24 -j LOGDROP
-#        iptables -A BOGUS -s 192.168.0.0/16 -j LOGDROP
-#        iptables -A BOGUS -s 10.0.0.0/8 -j LOGDROP
-#        iptables -A BOGUS -s 127.0.0.0/8 ! -i lo -j LOGDROP
+#        ipt -A BOGUS -s 169.254.0.0/16 -j LOGDROP
+#        ipt -A BOGUS -s 172.16.0.0/12 -j LOGDROP
+#        ipt -A BOGUS -s 192.0.2.0/24 -j LOGDROP
+#        ipt -A BOGUS -s 192.168.0.0/16 -j LOGDROP
+#        ipt -A BOGUS -s 10.0.0.0/8 -j LOGDROP
+#        ipt -A BOGUS -s 127.0.0.0/8 ! -i lo -j LOGDROP
 #    fi
 }
 
 configure_PORTSCAN() {
     # block port scanners
-    iptables -A PORTSCAN -i ${INTERFACE} -m recent --name psc --update --seconds 300 -j LOGDROP
+    ipt -A PORTSCAN -i ${INTERFACE} -m recent --name psc --update --seconds 300 -j LOGDROP
 
     # copy ports to ALL_PORTS
     ALL_PORTS=${PORTSCAN}
@@ -93,27 +98,27 @@ configure_PORTSCAN() {
     IFS=',' read -r -a PORTCOUNT <<< $ALL_PORTS
     PORTCOUNT=${#PORTCOUNT[@]}
 
-    # get number of port slices (iptables support only 15 for multiport)
+    # get number of port slices (ipt support only 15 for multiport)
     PORTCOUNT=$((PORTCOUNT + 14))
     PORTSLICES=$((PORTCOUNT / 15))
 
     # iterate over the port slices and add iptable rules
     for i in $(seq 1 ${PORTSLICES}) ; do
         APPLY_PORTS=$(cut -d, -f1-15 <<< $ALL_PORTS)
-        iptables -A PORTSCAN -i ${INTERFACE} -m tcp -p tcp -m multiport --dports ${APPLY_PORTS} -m recent --name psc --set -j LOGDROP
+        ipt -A PORTSCAN -i ${INTERFACE} -m tcp -p tcp -m multiport --dports ${APPLY_PORTS} -m recent --name psc --set -j LOGDROP
         ALL_PORTS=${ALL_PORTS#$APPLY_PORTS,}
     done
 }
 
 configure_LIMITS() {
     # limit ping packets
-    iptables -A LIMITS -i ${INTERFACE} -p icmp --icmp-type any -m limit --limit 2/second -j RETURN
-    iptables -A LIMITS -i ${INTERFACE} -p icmp --icmp-type any -j LOGDROP
+    ipt -A LIMITS -i ${INTERFACE} -p icmp --icmp-type any -m limit --limit 2/second -j RETURN
+    ipt -A LIMITS -i ${INTERFACE} -p icmp --icmp-type any -j LOGDROP
     # limit new SSH connections
-    iptables -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j LOGDROP
-    iptables -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --set
-    iptables -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m limit --limit 5/minute -j RETURN
-    iptables -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -j LOGDROP
+    ipt -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --update --seconds 600 --hitcount 10 -j LOGDROP
+    ipt -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m recent --set
+    ipt -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -m limit --limit 5/minute -j RETURN
+    ipt -A LIMITS -i ${INTERFACE} -p tcp --dport ${SSH_PORT} -m state --state NEW -j LOGDROP
 }
 
 keep_running() {