// Activate firewall only when all other commands succeeded func activateFirewall() error { // create INPUT chain jump rule rule := []string{ "-i", iface, "-j", "redwall-main"} if !iptables.Exists("filter", "INPUT", rule...) { if _, err := iptables.Raw("-A", "INPUT", "-i", iface, "-j", "redwall-main"); err != nil { return err } } // create FORWARD chain jump rule if we should filter the docker network if filterDocker { rule := []string{ "-i", iface, "-o", "docker0", "-j", "redwall-main"} if !iptables.Exists("filter", "FORWARD", rule...) { if _, err := iptables.Raw("-I", "FORWARD", "1", "-i", iface, "-o", "docker0", "-j", "redwall-main"); err != nil { return err } } } return nil }
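// tearDownFirewall undoes activateFirewall and the chain setup: it removes
// the INPUT/FORWARD jump rules, then flushes and deletes every redwall-*
// chain. Removal failures are logged as warnings rather than returned so
// teardown proceeds as far as it can; the function always returns nil.
func tearDownFirewall() error {
	log.Info("flushing iptables rules")
	//flushChain("INPUT")

	// Jump rules go first: a chain that is still referenced by a jump
	// cannot be deleted.
	inputRule := []string{"-i", iface, "-j", "redwall-main"}
	if iptables.Exists("filter", "INPUT", inputRule...) {
		if _, err := iptables.Raw(append([]string{"-D", "INPUT"}, inputRule...)...); err != nil {
			log.Warningf("failed to remove input jump rule: %v", err)
		}
	}

	if filterDocker {
		forwardRule := []string{"-i", iface, "-o", "docker0", "-j", "redwall-main"}
		if iptables.Exists("filter", "FORWARD", forwardRule...) {
			if _, err := iptables.Raw(append([]string{"-D", "FORWARD"}, forwardRule...)...); err != nil {
				log.Warningf("failed to remove docker jump rule: %v", err)
			} else {
				// Only report removal when the rule was actually deleted;
				// previously this was logged even on failure or absence.
				log.Debugf("removed jump rule from FORWARD chain")
			}
		}
	}

	// Flush every chain before deleting any of them: iptables refuses to
	// delete a chain while another chain still jumps to it.
	chains := []string{"redwall-main", "redwall-services", "redwall-whitelist", "redwall-sshscan"}
	for _, chain := range chains {
		flushChain(chain)
	}
	for _, chain := range chains {
		deleteChain(chain)
	}
	return nil
}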