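// activateFirewall installs the jump rules that hand INPUT (and, when
// filterDocker is set, FORWARD) traffic arriving on iface to the
// "redwall-main" chain. It is meant to run last, only after every other
// setup command succeeded, so that a half-built chain is never activated.
//
// Each rule is checked with iptables.Exists before it is added, so calling
// this more than once does not duplicate rules. The first iptables error is
// returned unchanged; earlier rules that were already added are left in
// place (callers are expected to run tearDownFirewall on failure).
func activateFirewall() error {
	// The matching part of the rule is built once and used both for the
	// existence check and for the add, so the two cannot drift apart.
	inputRule := []string{
		"-i", iface,
		"-j", "redwall-main"}
	if !iptables.Exists("filter", "INPUT", inputRule...) {
		if _, err := iptables.Raw(append([]string{"-A", "INPUT"}, inputRule...)...); err != nil {
			return err
		}
	}

	// Only filter the docker bridge when asked to; the FORWARD rule is
	// inserted at position 1 so it precedes any docker-managed rules.
	if filterDocker {
		forwardRule := []string{
			"-i", iface,
			"-o", "docker0",
			"-j", "redwall-main"}
		if !iptables.Exists("filter", "FORWARD", forwardRule...) {
			if _, err := iptables.Raw(append([]string{"-I", "FORWARD", "1"}, forwardRule...)...); err != nil {
				return err
			}
		}
	}

	return nil
}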
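// tearDownFirewall removes the redwall jump rules from INPUT and (when
// filterDocker is set) FORWARD, then flushes and deletes every user-defined
// redwall chain.
//
// Teardown is best-effort: a failure to remove a jump rule is logged as a
// warning and the function carries on so that as much state as possible is
// cleaned up. It always returns nil. Chains are flushed before any of them
// is deleted, because a chain cannot be deleted while another still
// references it.
func tearDownFirewall() error {
	log.Info("flushing iptables rules")
	//flushChain("INPUT")

	// The matching part of each rule is built once and shared between the
	// existence check and the delete so the two cannot drift apart.
	inputRule := []string{
		"-i", iface,
		"-j", "redwall-main"}
	if iptables.Exists("filter", "INPUT", inputRule...) {
		if _, err := iptables.Raw(append([]string{"-D", "INPUT"}, inputRule...)...); err != nil {
			log.Warningf("failed to remove input jump rule: %v", err)
		}
	}

	if filterDocker {
		forwardRule := []string{
			"-i", iface,
			"-o", "docker0",
			"-j", "redwall-main"}
		if iptables.Exists("filter", "FORWARD", forwardRule...) {
			if _, err := iptables.Raw(append([]string{"-D", "FORWARD"}, forwardRule...)...); err != nil {
				log.Warningf("failed to remove docker jump rule: %v", err)
			} else {
				// Only claim success when the rule was present and the
				// delete went through; previously this was logged
				// unconditionally, which made the log misleading.
				log.Debugf("removed jump rule from FORWARD chain")
			}
		}
	}

	// Flush every redwall chain first, then delete them: redwall-main jumps
	// into the other chains, so none can be deleted while still referenced.
	chains := []string{
		"redwall-main",
		"redwall-services",
		"redwall-whitelist",
		"redwall-sshscan",
	}
	for _, chain := range chains {
		flushChain(chain)
	}
	for _, chain := range chains {
		deleteChain(chain)
	}

	return nil
}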