generate iptables rules dynamically from docker-compose.yml

bin/rules.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+
+### Vars, Ports for Standard services
+myHOSTPORTS="64295"
+myDOCKERCOMPOSEYML="$1"
+myRULESFUNCTION="$2"
+
+function fuCHECKFORARGS {
+### Check if args are present, if not throw error
+
+if [ "$myDOCKERCOMPOSEYML" != "" ] && ([ "$myRULESFUNCTION" == "set" ] || [ "$myRULESFUNCTION" == "unset" ]);
+  then
+    echo "All arguments met. Continuing."
+  else
+    echo "Usage: rules.sh <docker-compose.yml> <[set, unset]>"
+    exit
+fi
+}
+
+function fuNFQCHECK {
+### Check if honeytrap is actively enabled in docker-compose.yml
+	
+myNFQCHECK=$(grep -e '^\s*honeytrap:' $myDOCKERCOMPOSEYML | tr -d ': ' | wc -l)
+
+if [ "$myNFQCHECK" == "0" ];
+  then
+    echo "No NFQ related honeypot detected, no firewall rules needed. Exiting."
+    exit
+  else
+    echo "Detected at least one NFQ based honeypot, firewall rules needed. Continuing."
+fi
+}
+
+function fuGETPORTS {
+### Get ports from docker-compose.yml
+	
+myDOCKERCOMPOSEPORTS=$(cat $myDOCKERCOMPOSEYML | yq -r '.services[].ports' | grep ':' | sed -e s/127.0.0.1// | tr -d '", ' | sed -e s/^:// | cut -f1 -d ':' )
+myDOCKERCOMPOSEPORTS+=" $myHOSTPORTS"
+myRULESPORTS=$(for i in $myDOCKERCOMPOSEPORTS; do echo $i; done | sort -gu)
+}
+
+function fuSETRULES {
+### Setting up iptables rules
+
+/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+
+for myPORT in $myRULESPORTS; do
+  /sbin/iptables -w -A INPUT -p tcp --dport $myPORT -j ACCEPT
+done
+  
+/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+}
+
+function fuUNSETRULES {
+### Removing iptables rules
+
+/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+
+for myPORT in $myRULESPORTS; do
+  /sbin/iptables -w -D INPUT -p tcp --dport $myPORT -j ACCEPT
+done
+
+/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
+}
+
+# Main
+fuCHECKFORARGS
+fuNFQCHECK
+fuGETPORTS
+
+if [ "$myRULESFUNCTION" == "set" ];
+  then
+    fuSETRULES
+  else
+    fuUNSETRULES
+fi

etc/compose/tpot.yml

@@ -206,6 +206,8 @@ services:
      - SYS_PTRACE
     security_opt:
      - apparmor=unconfined
+    ports:
+     - "64301:64301"
     image: "dtagdevsec/netdata:1710"
     volumes:
      - /proc:/host/proc:ro
@@ -303,4 +305,6 @@ services:
     network_mode: "host"
     env_file:
      - /opt/tpot/etc/compose/wetty_environment
+    ports:
+     - "64300:64300"
     image: "dtagdevsec/wetty:1710"

host/etc/systemd/tpot.service

@@ -31,13 +31,7 @@ ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
 
 # Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
 # Forward all other connections to honeytrap / NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+ExecStartPre=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml set
-ExecStartPre=/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 # Compose T-Pot up
 ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
@@ -46,13 +40,7 @@ ExecStart=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml up --no-color
 ExecStop=/usr/bin/docker-compose -f /opt/tpot/etc/tpot.yml down -v
 
 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+ExecStopPost=/opt/tpot/bin/rules.sh /opt/tpot/etc/tpot.yml unset
-ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 20:23,25,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,3389,5060,5061,5601,5900,27017 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 [Install]
 WantedBy=multi-user.target

iso/installer/install.sh

@@ -325,6 +325,7 @@ apt-get autoremove -y 2>&1 | dialog --title "[ Pulling updates ]" $myPROGRESSBOX
 # Installing ctop, elasticdump, tpot
 pip install --upgrade pip 2>&1 | dialog --title "[ Installing pip ]" $myPROGRESSBOXCONF
 pip install elasticsearch-curator==5.4.1 2>&1 | dialog --title "[ Installing elasticsearch-curator ]" $myPROGRESSBOXCONF
+pip install yq==2.4.1 2>&1 | dialog --title "[ Installing yq ]" $myPROGRESSBOXCONF
 npm install https://github.com/taskrabbit/elasticsearch-dump#ac9f62a -g 2>&1 | dialog --title "[ Installing elasticsearch-dump ]" $myPROGRESSBOXCONF
 wget https://github.com/bcicen/ctop/releases/download/v0.7/ctop-0.7-linux-amd64 -O ctop 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF
 mv ctop /usr/bin/ 2>&1 | dialog --title "[ Installing ctop ]" $myPROGRESSBOXCONF