From e313cc474e4216ae8543293a555b0fd5355f95a1 Mon Sep 17 00:00:00 2001 From: Vincent Vanwaelscappel Date: Wed, 5 Mar 2025 17:42:56 +0100 Subject: [PATCH] wip #7023 @2 --- app/Models/TeamServers.php | 18 ++++++++++++++---- resources/servers/amadeus/firewall | 11 +++++++++-- resources/servers/benhur/firewall | 11 +++++++++-- resources/servers/cloudatlas/firewall | 11 +++++++++-- resources/servers/dobermann/firewall | 11 +++++++++-- resources/servers/elephantman/firewall | 11 +++++++++-- resources/servers/fastandfurious/firewall | 11 +++++++++-- resources/servers/kingkong/firewall | 11 +++++++++-- 8 files changed, 77 insertions(+), 18 deletions(-) diff --git a/app/Models/TeamServers.php b/app/Models/TeamServers.php index c8d4dbaa0..bbe913739 100644 --- a/app/Models/TeamServers.php +++ b/app/Models/TeamServers.php @@ -38,7 +38,7 @@ class TeamServers extends CubistMagicAbstractModel $clients = Text::explodeNewLines($this->clients); $ip = Text::explodeNewLines($this->ip); $forceContainers = Text::explodeNewLines($this->docker); - $excludeContainers = array_merge(['portainer'], Text::explodeNewLines($this->docker_restricted)); + $excludeContainers = array_merge(['portainer', 'monit'], Text::explodeNewLines($this->docker_restricted)); $excludeContainers = array_diff($excludeContainers, $forceContainers); $sshports = [22, 22022, 22822, 22222]; @@ -57,6 +57,8 @@ ufw disable ufw default allow outgoing '; + $dhosts = []; + $locals = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']; $lhosts = []; foreach ($locals as $k => $local) { @@ -67,6 +69,7 @@ ufw default allow outgoing foreach ($ip as $k => $i) { $lhosts[] = '$i' . $k; + $dhosts[] = '$i' . $k; $fw .= 'i' . $k . '=' . self::digOrIP($i) . "\n"; } $fw .= "\n"; 
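Review bot: The default-excluded container names are now a two-element literal buried in `array_merge(['portainer', 'monit'], …)` inside the method body, so anyone auditing which containers are exempt from `ufw-docker allow` has to read the generator to find out. A named class constant, `private const DEFAULT_RESTRICTED_CONTAINERS = ['portainer', 'monit'];`, used as `array_merge(self::DEFAULT_RESTRICTED_CONTAINERS, Text::explodeNewLines($this->docker_restricted))`, would make the list discoverable and documentable in one place. Because the new `else` branch later in this file gives skipped containers `allow-from` rules, a doc comment on that constant stating what "restricted" means for exposure would help the next maintainer. The enclosing method starts before this hunk.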
@@ -87,10 +90,12 @@ ufw default allow outgoing continue; } $hosts[] = '$s' . $k; + $dhosts[] = '$s' . $k; $fw .= 's' . $k . '=' . self::digOrIP($s['name'] . '.cubedesigners.com') . "\n"; $others = Text::explodeNewLines($s['others']); foreach ($others as $kk => $o) { $hosts[] = '$s' . $k . '_' . $kk; + $dhosts[] = '$s' . $k . '_' . $kk; $fw .= 's' . $k . '_' . $kk . '=' . self::digOrIP($o) . "\n"; } } @@ -98,6 +103,7 @@ ufw default allow outgoing $fw .= 'auth=(' . implode(' ', $hosts) . ')' . "\n\n"; + $fw .= 'docker_allowed=(' . implode(' ', $dhosts) . ')' . "\n\n"; if ($server['backup']) { $backup = []; @@ -108,7 +114,6 @@ ufw default allow outgoing $fw .= 'backup=(' . implode(' ', $backup) . ')' . "\n"; } - $openPorts = Text::trimExplode(',', $server['ports']); if ($server['dns']) { @@ -171,12 +176,12 @@ done' . "\n\n"; skip_containers=('; foreach ($excludeContainers as $excludeContainer) { - $fw.='"'.$excludeContainer.'" '; + $fw .= '"' . $excludeContainer . '" '; } $fw .= ') -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -195,6 +200,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/amadeus/firewall b/resources/servers/amadeus/firewall index c94e5cf2d..c27ca3773 100644 --- a/resources/servers/amadeus/firewall +++ b/resources/servers/amadeus/firewall 
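Review bot: The generated script now fetches `ufw-docker` from a fork's mutable `refs/heads/master` URL and installs it to `/usr/local/bin` with sudo, with no pin and no integrity check, so whatever that branch serves at run time becomes a root-executed firewall tool on every server; the same line is emitted into all seven `resources/servers/*/firewall` files in this patch. Presumably the fork was chosen because the `allow-from` subcommand used further down is not in the upstream script — worth confirming and recording in a comment next to the URL. Pin the URL to a commit and verify before trusting the file: `sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/<PINNED_COMMIT_SHA>/ufw-docker` followed by `echo "<EXPECTED_SHA256>  /usr/local/bin/ufw-docker" | sha256sum -c - || sudo rm -f /usr/local/bin/ufw-docker`, keeping the `chmod +x` after the check. The script has already run `ufw disable` by this point, so a hard `exit` on failure is not an option; removing the unverified file makes the later `ufw-docker` calls fail visibly instead of running unverified code. The enclosing method starts before this hunk.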
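Review bot: In the new `else` branch `$ip` is expanded unquoted in `ufw-docker allow-from "$container" $ip`; the array elements are single addresses from `digOrIP`, so it works today, but it should be `"$ip"` for consistency with `"$container"` and to survive any future entry containing whitespace. More importantly, this branch changes what "restricted" means: containers in `skip_containers` (now `portainer`, `monit` and `docker_restricted`, minus any container forced via `docker`) previously received no `ufw-docker` rule at all and now receive an allow rule from every team IP and every sibling server in `docker_allowed`. If that widening is intended, a comment in the generated script such as `# restricted containers: published ports reachable only from team IPs and sibling servers` would document it; if `docker_restricted` was meant to be narrower than the full `docker_allowed` list, the loop needs a per-container source set rather than the shared array. The enclosing method starts before this hunk.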
@@ -43,6 +43,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5 $s6) + for ip in "${blacklist[@]}" do @@ -72,9 +74,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -93,6 +95,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/benhur/firewall b/resources/servers/benhur/firewall index c97c03fa0..0cec4646c 100644 --- a/resources/servers/benhur/firewall +++ b/resources/servers/benhur/firewall @@ -44,6 +44,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5 $s6) + for ip in "${blacklist[@]}" do @@ -73,9 +75,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable 
@@ -94,6 +96,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/cloudatlas/firewall b/resources/servers/cloudatlas/firewall index f4ebfc97d..e1759db04 100644 --- a/resources/servers/cloudatlas/firewall +++ b/resources/servers/cloudatlas/firewall @@ -36,6 +36,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s1 $s3 $s4 $s5 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s1 $s3 $s4 $s5 $s6) + for ip in "${blacklist[@]}" do @@ -65,9 +67,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -86,6 +88,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/dobermann/firewall b/resources/servers/dobermann/firewall index 891e8fc9e..185d7be6d 100644 --- a/resources/servers/dobermann/firewall +++ b/resources/servers/dobermann/firewall @@ -44,6 +44,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s4 $s5 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s4 $s5 $s6) + c0=`dig +short www.fondation-sycomore.com | tail -1` backup=($c0) ufw allow 53 
@@ -83,9 +85,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -104,6 +106,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/elephantman/firewall b/resources/servers/elephantman/firewall index 14cd439db..ea40f9040 100644 --- a/resources/servers/elephantman/firewall +++ b/resources/servers/elephantman/firewall @@ -44,6 +44,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s6) + for ip in "${blacklist[@]}" do @@ -78,9 +80,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -99,6 +101,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done 
diff --git a/resources/servers/fastandfurious/firewall b/resources/servers/fastandfurious/firewall index bd363943f..15bb0e76f 100644 --- a/resources/servers/fastandfurious/firewall +++ b/resources/servers/fastandfurious/firewall @@ -44,6 +44,8 @@ s5=`dig +short elephantman.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s4 $s5) + ufw allow 51820 for ip in "${blacklist[@]}" @@ -79,9 +81,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -100,6 +102,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done diff --git a/resources/servers/kingkong/firewall b/resources/servers/kingkong/firewall index 91715c81e..66dc05b6b 100644 --- a/resources/servers/kingkong/firewall +++ b/resources/servers/kingkong/firewall @@ -44,6 +44,8 @@ s6=`dig +short fastandfurious.cubedesigners.com | tail -1` auth=($s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s5 $s6) +docker_allowed=($i0 $i1 $i2 $i3 $s0 $s0_0 $s1 $s2 $s2_0 $s2_1 $s2_2 $s2_3 $s2_4 $s2_5 $s2_6 $s2_7 $s3 $s5 $s6) + for ip in "${blacklist[@]}" do 
@@ -78,9 +80,9 @@ ufw deny out 22822 ufw deny out 22222 -skip_containers=("portainer" ) +skip_containers=("portainer" "monit" ) -sudo wget -O /usr/local/bin/ufw-docker https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker +sudo wget -O /usr/local/bin/ufw-docker https://raw.githubusercontent.com/EnhydraV/ufw-docker/refs/heads/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker # Finally enable firewall ufw --force enable @@ -99,6 +101,11 @@ docker ps --filter publish=1-65535 --filter status=running --format "table {{.Na if ! $skip; then ufw-docker allow "$container" + else + for ip in "${docker_allowed[@]}" + do + ufw-docker allow-from "$container" $ip + done fi done -- 2.39.5