squashing some bugs

do not forward tcp connections to or from 127.0.0.1 to NFQ (fixes strange netdata behaviour) run netdata on network mode host again (update compose files) including host metrics
2025-07-01 12:32:12 +00:00 · 2017-05-30 19:07:43 +00:00 · 2017-05-30 19:07:43 +00:00 · aea18d5f92
commit aea18d5f92
parent 5d8ad0a623
4 changed files with 15 additions and 19 deletions
--- a/installer/etc/tpot/compose/all.yml
+++ b/installer/etc/tpot/compose/all.yml
@ -200,13 +200,11 @@ services:
 # Netdata service
  netdata:
    container_name: netdata
-    hostname: ${HOSTNAME}
    restart: always
+    network_mode: "host"
    depends_on:
     elasticsearch:
       condition: service_healthy
-    ports:
-     - "127.0.0.1:64301:19999"
    cap_add:
     - SYS_PTRACE
    security_opt:
--- a/installer/etc/tpot/compose/industrial.yml
+++ b/installer/etc/tpot/compose/industrial.yml
@ -114,13 +114,11 @@ services:
 # Netdata service
  netdata:
    container_name: netdata
-    hostname: ${HOSTNAME}
    restart: always
+    network_mode: "host"
    depends_on:
     elasticsearch:
       condition: service_healthy
-    ports:
-     - "127.0.0.1:64301:19999"
    cap_add:
     - SYS_PTRACE
    security_opt:
--- a/installer/etc/tpot/compose/tpot.yml
+++ b/installer/etc/tpot/compose/tpot.yml
@ -169,13 +169,11 @@ services:
 # Netdata service
  netdata:
    container_name: netdata
-    hostname: ${HOSTNAME}
    restart: always
+    network_mode: "host"
    depends_on:
     elasticsearch:
       condition: service_healthy
-    ports:
-     - "127.0.0.1:64301:19999"    
    cap_add:
     - SYS_PTRACE
    security_opt:
--- a/installer/etc/tpot/systemd/tpot.service
+++ b/installer/etc/tpot/systemd/tpot.service
@ -6,7 +6,6 @@ After=docker.service
 [Service]
 Restart=always
 RestartSec=5
-Environment=HOSTNAME=%H

 # Get and set internal, external IP infos, but ignore errors
 ExecStartPre=-/usr/share/tpot/bin/updateip.sh
@ -30,12 +29,13 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
 ExecStartPre=-/bin/chmod 666 /var/run/docker.sock

 # Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-
 # Forward all other connections to honeytrap / NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634,8125 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE

 # Compose T-Pot up
@ -45,10 +45,12 @@ ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
 ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v

 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634,8125 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
 ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE

 [Install]