From 8e1c67ceadd5f726e541a7ca0bc33f11bc93a0cc Mon Sep 17 00:00:00 2001 From: ppom Date: Wed, 27 Mar 2024 12:00:00 +0100 Subject: [PATCH] iptables: add reaction chain to FORWARD chain for docker https://framagit.org/ppom/reaction/-/issues/84 --- app/example.yml | 9 +++++++++ config/example.jsonnet | 18 ++++++++++++------ config/reaction.debian.service | 2 ++ config/reaction.example.service | 2 ++ 4 files changed, 25 insertions(+), 6 deletions(-) diff --git a/app/example.yml b/app/example.yml index 06e953e..759f597 100644 --- a/app/example.yml +++ b/app/example.yml @@ -1,4 +1,11 @@ --- +# This example configuration file is a good starting point, but you're +# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me +# +# This file is using the well-established YAML configuration language. +# Note that the more powerful JSONnet configuration language is also supported +# and that the documentation uses JSONnet + # definitions are just a place to put chunks of conf you want to reuse in another place # using YAML anchors `&name` and pointers `*name` # definitions are not readed by reaction @@ -31,10 +38,12 @@ patterns: start: - [ 'ip46tables', '-w', '-N', 'reaction' ] - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ] + - [ 'ip46tables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction' ] # Those commands will be executed in order at stop, after everything else stop: - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ] + - [ 'ip46tables', '-w,', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ] - [ 'ip46tables', '-w', '-F', 'reaction' ] - [ 'ip46tables', '-w', '-X', 'reaction' ] diff --git a/config/example.jsonnet b/config/example.jsonnet index ed42964..6d84230 100644 --- a/config/example.jsonnet +++ b/config/example.jsonnet 
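Review bot: The new FORWARD `-D` entry under `stop:` copies the `'-w,'` token from the INPUT line above it, whereas the jsonnet example passes a plain `-w` through its `iptables()` helper; I don't know a form of the iptables wait flag spelled `-w,`, so this command is likely rejected at shutdown, the jump stays in FORWARD and the following `-X reaction` then presumably fails because the chain is still referenced. Suggest `- [ 'ip46tables', '-w', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]` and fixing the pre-existing INPUT line the same way while here. The surrounding comments only speak of incoming connections; a one-line comment that the FORWARD insert covers routed traffic such as ports published by containers would tell readers why the second rule exists. The enclosing `start`/`stop` mapping begins outside the hunk.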
@@ -1,11 +1,15 @@ -// This file is using JSONNET, a complete configuration language based on JSON +// This file is using JSONnet, a complete configuration language based on JSON // See https://jsonnet.org -// JSONNET is a superset of JSON, so one can write plain JSON files if wanted. +// JSONnet is a superset of JSON, so one can write plain JSON files if wanted. // Note that YAML is also supported, see ./example.yml -// JSONNET functions +// This example configuration file is a good starting point, but you're +// strongly encouraged to take a look at the full documentation: https://reaction.ppom.me + +// JSONnet functions local iptables(args) = ['ip46tables', '-w'] + args; -// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo. +// ip46tables is a minimal C program (only POSIX dependencies) present in a +// subdirectory of this repo. // it permits to handle both ipv4/iptables and ipv6/ip6tables commands // See meaning and usage of this function around L106 @@ -43,14 +47,16 @@ local banFor(time) = { start: [ // Create an iptables chain for reaction iptables(['-N', 'reaction']), - // Insert this chain as the first item of the INPUT chain (for incoming connections) + // Insert this chain as the first item of the INPUT & FORWARD chains (for incoming connections) iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']), + iptables(['-I', 'FORWARD', '-p', 'all', '-j', 'reaction']), ], // Those commands will be executed in order at stop, after everything else stop: [ - // Remove the chain from the INPUT chain + // Remove the chain from the INPUT & FORWARD chains iptables(['-D', 'INPUT', '-p', 'all', '-j', 'reaction']), + iptables(['-D', 'FORWARD', '-p', 'all', '-j', 'reaction']), // Empty the chain iptables(['-F', 'reaction']), // Delete the chain diff --git a/config/reaction.debian.service b/config/reaction.debian.service index d60119a..2f6e017 100644 --- a/config/reaction.debian.service +++ b/config/reaction.debian.service 
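Review bot: The rewritten comment on the `-I` line still ends with "(for incoming connections)", but the FORWARD chain sees routed traffic (e.g. packets NATed to containers), not connections to the host itself, so it now misdescribes half of what the pair of rules does; suggest `// Insert this chain first in INPUT (incoming to the host) and FORWARD (routed traffic, e.g. to containers)`. Inserting at position 1 only places reaction ahead of Docker's rules if reaction starts after docker, and if I recall Docker's behaviour correctly a later docker restart re-inserts its own FORWARD rules above this jump; Docker documents the `DOCKER-USER` chain as the hook evaluated before its rules, so a comment pointing users with Docker at jumping from `DOCKER-USER` instead may be the more robust advice. The object holding `start`/`stop` begins outside the hunk.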
@@ -1,6 +1,8 @@ [Unit] Description=A daemon that scans program outputs for repeated patterns, and takes action. Documentation=https://framagit.org/ppom/reaction-wiki +# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used +# After=docker.service [Service] ExecStart=/usr/bin/reaction start -c /etc/reaction.jsonnet diff --git a/config/reaction.example.service b/config/reaction.example.service index aa4522d..c753e2e 100644 --- a/config/reaction.example.service +++ b/config/reaction.example.service @@ -1,6 +1,8 @@ # vim: ft=systemd [Install] WantedBy=multi-user.target +# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used +# After=docker.service # See `man systemd.exec` and `man systemd.service` for most options below [Service]
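Review bot: The commented `After=docker.service` orders only reaction's first start relative to docker's; it does not start docker (plain `After=` without `Wants=`, probably intended) and, as far as I recall Docker's behaviour, it does nothing if docker is restarted later and re-inserts its FORWARD rules above reaction's jump, so bans may silently stop applying to forwarded traffic after a docker restart. Suggest saying so in the comment, e.g. `# Start after docker so reaction's jump is inserted above docker's FORWARD rules; not re-applied if docker restarts later. Only useful with iptables & docker.`, and `theirs` reads better as `its`. The same two lines are added to config/reaction.example.service in the next hunk.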
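Review bot: In config/reaction.example.service the commented `After=docker.service` is placed under `[Install]` (the context shows `[Install]` / `WantedBy=multi-user.target` immediately above it), but `After=` is a `[Unit]` directive; a user who uncomments it as suggested gets a systemd warning about an unknown key in `[Install]` and no ordering at all. Move both lines into the `[Unit]` section (adding one if the file has none; the rest of the file is outside the hunk), or extend the comment with `# (belongs in the [Unit] section)` so the hint is not misleading.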