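#!/usr/bin/env bash
# DictIA — iptables rules for cloud VPS
#
# Allows Docker internal traffic to reach the ASR proxy on port 9090.
# Blocks direct external access to Docker container IPs.
# Tailscale + UFW handle the main firewall — this script adds Docker-specific rules.
#
# Usage: sudo bash iptables-rules.sh
#
# Notes:
#  - Rules are added to the running ruleset only; they are not persisted across
#    reboots. Re-run after containers are recreated: the DROP rules are keyed on
#    the container IP at the time the script ran, and stale rules for IPs that
#    have since been reassigned are not removed.
#  - Only IPv4 container addresses are handled; IPv6 is not covered.
set -euo pipefail

# Source range allowed to reach the proxy. 172.16.0.0/12 is wider than Docker's
# default address pool, so any other RFC1918 host in that range (e.g. a cloud VPC
# private network attached to this VPS) is accepted as well; narrow it if needed.
DOCKER_CIDR="${DOCKER_CIDR:-172.16.0.0/12}"
ASR_PORT="${ASR_PORT:-9090}"

#######################################
# Print an error to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Resolve the Linux bridge interface backing a Docker bridge network.
# Arguments: $1 - Docker network ID
# Outputs:   bridge interface name on stdout
#######################################
bridge_for_network() {
  local id=$1 name
  # Map keys containing dots must be looked up with `index`; a dotted field
  # chain (`.Options.com.docker...`) fails to evaluate, which previously made
  # every network look bridge-less and silently skipped all of them.
  name=$(docker network inspect "$id" \
    --format '{{index .Options "com.docker.network.bridge.name"}}' 2>/dev/null) || name=""
  # User-defined bridge networks without an explicit bridge.name option use
  # Docker's br-<first 12 chars of the network ID> interface name.
  [[ -n "$name" ]] || name="br-${id:0:12}"
  printf '%s\n' "$name"
}

# iptables needs root; without it the -C checks below fail and every rule is
# "added" again, which only produces more errors.
(( EUID == 0 )) || die "must run as root (sudo bash ${0##*/})"
command -v iptables >/dev/null || die "iptables not found"
command -v docker >/dev/null || die "docker not found"

echo "=== DictIA iptables rules ==="

# Allow Docker containers to reach the ASR proxy.
# Inserted at position 1 so it precedes UFW's chains and the default DROP policy.
iptables -C INPUT -s "$DOCKER_CIDR" -p tcp --dport "$ASR_PORT" -j ACCEPT 2>/dev/null \
  || iptables -I INPUT 1 -s "$DOCKER_CIDR" -p tcp --dport "$ASR_PORT" -j ACCEPT

# Block direct external access to Docker container IPs (raw table, before conntrack).
# Protects containers on non-default bridge networks (e.g., dictia-network).
# A failing `docker network ls` is fatal: silently protecting nothing and then
# printing "Rules applied" would be a false assurance.
mapfile -t network_ids < <(docker network ls --filter driver=bridge --format '{{.ID}}') \
  || die "docker network ls failed (is the Docker daemon running?)"

for network_id in "${network_ids[@]}"; do
  bridge=$(bridge_for_network "$network_id")
  [[ "$bridge" != "docker0" ]] || continue
  # iptables accepts interface names that do not exist; a DROP rule with
  # `! -i <missing>` would then block all traffic to the IP, including from
  # the real bridge. Only act on interfaces that are actually present.
  if [[ ! -e "/sys/class/net/$bridge" ]]; then
    printf 'warn: bridge %s for network %s not found, skipping\n' "$bridge" "$network_id" >&2
    continue
  fi

  # One address per line; containers without an IPv4 address yield an empty line.
  mapfile -t container_cidrs < <(docker network inspect "$network_id" \
    --format '{{range .Containers}}{{.IPv4Address}}{{"\n"}}{{end}}' 2>/dev/null || true)
  for cidr in "${container_cidrs[@]}"; do
    ip="${cidr%/*}"   # strip the /prefix length; the rule needs a bare host address
    [[ -n "$ip" ]] || continue
    iptables -t raw -C PREROUTING -d "$ip" ! -i "$bridge" -j DROP 2>/dev/null \
      || iptables -t raw -A PREROUTING -d "$ip" ! -i "$bridge" -j DROP
    echo " Protected $ip on $bridge"
  done
done

echo "Rules applied. Tailscale + Docker internal traffic allowed."
echo "Verify with: sudo iptables -L -n -t raw"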