c8a0824143
Add ezstorehost to trusted_admin in both layers — the nft input set and the DOCKER-USER iptables chain (Forgejo is containerised; DNAT means the post-DNAT dport 22 rule applies). Required for static-tenant deploys from ezStorehost-infra to clone repos over ssh://. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
26 lines
1.2 KiB
Bash
26 lines
1.2 KiB
Bash
#!/bin/bash
|
|
# Block external (internet) access to Docker-published container ports.
|
|
# Host nginx reaches containers over loopback (127.0.0.1), so dropping NEW
|
|
# inbound from the public uplink (ens18) into the Docker FORWARD path closes
|
|
# the accidental 0.0.0.0 exposure (postgres 5432, forgejo 3022, listmonk
|
|
# 9100/9101, api 3001/3002, etc.) without breaking nginx->container or
|
|
# container->container/internet traffic.
|
|
set -euo pipefail
|
|
UPLINK=ens18
|
|
|
|
# Trusted admin source IPs allowed to reach the forgejo container (host :3022
|
|
# DNATs to 172.18.0.2:22, so the post-DNAT dport is 22). Keep in sync with the
|
|
# nft 'trusted_admin' set in /etc/pw-firewall/pw-firewall.nft.
|
|
TRUSTED_ADMIN="76.228.206.147 24.162.76.14 207.174.124.51"
|
|
|
|
# Rebuild DOCKER-USER deterministically.
|
|
iptables -F DOCKER-USER 2>/dev/null || true
|
|
iptables -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
|
|
# Allow trusted admins to git/forgejo (post-DNAT dport 22) before the drop.
|
|
for ip in $TRUSTED_ADMIN; do
|
|
iptables -A DOCKER-USER -i "$UPLINK" -s "$ip" -p tcp --dport 22 -j RETURN
|
|
done
|
|
iptables -A DOCKER-USER -i "$UPLINK" -m conntrack --ctstate NEW,INVALID -j DROP
|
|
iptables -A DOCKER-USER -j RETURN
|
|
echo "DOCKER-USER rules:"
|
|
iptables -L DOCKER-USER -n -v --line-numbers
|