From aea18d5f924eb01cda8acd0b1de56fa8c3b7c2d5 Mon Sep 17 00:00:00 2001
From: Marco Ochse
Date: Tue, 30 May 2017 19:07:43 +0000
Subject: [PATCH] squashing some bugs

do not forward tcp connections to or from 127.0.0.1 to NFQ (fixes strange netdata behaviour)
run netdata on network mode host again (update compose files) including host metrics
---
 installer/etc/tpot/compose/all.yml | 4 +---
 installer/etc/tpot/compose/industrial.yml | 4 +---
 installer/etc/tpot/compose/tpot.yml | 4 +---
 installer/etc/tpot/systemd/tpot.service | 22 ++++++++++++----------
 4 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/installer/etc/tpot/compose/all.yml b/installer/etc/tpot/compose/all.yml
index aaf92ada..713373eb 100644
--- a/installer/etc/tpot/compose/all.yml
+++ b/installer/etc/tpot/compose/all.yml
@@ -200,13 +200,11 @@ services:
 # Netdata service
 netdata:
 container_name: netdata
- hostname: ${HOSTNAME}
 restart: always
+ network_mode: "host"
 depends_on:
 elasticsearch:
 condition: service_healthy
- ports:
- - "127.0.0.1:64301:19999"
 cap_add:
 - SYS_PTRACE
 security_opt:
diff --git a/installer/etc/tpot/compose/industrial.yml b/installer/etc/tpot/compose/industrial.yml
index ec6bb573..a92fadb4 100644
--- a/installer/etc/tpot/compose/industrial.yml
+++ b/installer/etc/tpot/compose/industrial.yml
@@ -114,13 +114,11 @@ services:
 # Netdata service
 netdata:
 container_name: netdata
- hostname: ${HOSTNAME}
 restart: always
+ network_mode: "host"
 depends_on:
 elasticsearch:
 condition: service_healthy
- ports:
- - "127.0.0.1:64301:19999"
 cap_add:
 - SYS_PTRACE
 security_opt:
diff --git a/installer/etc/tpot/compose/tpot.yml b/installer/etc/tpot/compose/tpot.yml
index a748ca92..70a912ee 100644
--- a/installer/etc/tpot/compose/tpot.yml
+++ b/installer/etc/tpot/compose/tpot.yml
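Review bot: Replacing the `127.0.0.1:64301:19999` publish with `network_mode: "host"` removes the only loopback-only constraint the compose file placed on netdata; in the host network namespace the daemon listens on whatever its own `bind to` setting selects (presumably all interfaces, if netdata.conf is left at its default), and the same applies to the identical stanzas in industrial.yml and tpot.yml. External reachability of the dashboard then rests entirely on the tpot.service iptables rules (19999 is not in any ACCEPT list, so new SYNs to it go to NFQUEUE) and on honeytrap being up to consume that queue. Consider pinning the listener in netdata.conf with `[web]` / `bind to = 127.0.0.1` so the dashboard stays local regardless of firewall state, and record the dependency on the stanza, e.g. `# host network: netdata listens directly on the host; keep "bind to" restricted in netdata.conf`. Anything that referenced host port 64301 (documentation, a reverse proxy) now has to use 19999.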
@@ -169,13 +169,11 @@ services:
 # Netdata service
 netdata:
 container_name: netdata
- hostname: ${HOSTNAME}
 restart: always
+ network_mode: "host"
 depends_on:
 elasticsearch:
 condition: service_healthy
- ports:
- - "127.0.0.1:64301:19999"
 cap_add:
 - SYS_PTRACE
 security_opt:
diff --git a/installer/etc/tpot/systemd/tpot.service b/installer/etc/tpot/systemd/tpot.service
index 19411b2f..a8caff02 100644
--- a/installer/etc/tpot/systemd/tpot.service
+++ b/installer/etc/tpot/systemd/tpot.service
@@ -6,7 +6,6 @@ After=docker.service
 [Service]
 Restart=always
 RestartSec=5
-Environment=HOSTNAME=%H
 
 # Get and set internal, external IP infos, but ignore errors
 ExecStartPre=-/usr/share/tpot/bin/updateip.sh
@@ -30,12 +29,13 @@ ExecStartPre=/bin/bash -c '/sbin/ip link set $(/sbin/ip address | grep "^2: " |
 ExecStartPre=-/bin/chmod 666 /var/run/docker.sock
 
 # Set iptables accept rules to avoid forwarding to honeytrap / NFQUEUE
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
-ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
-
 # Forward all other connections to honeytrap / NFQUEUE
+ExecStartPre=/sbin/iptables -w -A INPUT -s 127.0.0.1 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -d 127.0.0.1 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 64295:64303,7634,8125 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStartPre=/sbin/iptables -w -A INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
 ExecStartPre=/sbin/iptables -w -A INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 # Compose T-Pot up
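Review bot: The two new loopback exemptions match on address (`-s 127.0.0.1` / `-d 127.0.0.1`) rather than on the interface, so they also admit any packet carrying a 127.0.0.1 address that arrives on another interface — Docker, as far as I recall, enables `route_localnet` on its bridge for ports published on 127.0.0.1 — and otherwise rely on the kernel's martian filtering as the only barrier. A single `ExecStartPre=/sbin/iptables -w -A INPUT -i lo -j ACCEPT` (with the matching `-D` line in the ExecStopPost hunk) states the intent directly and cannot be satisfied by traffic from any interface other than lo. Separately, 8125 joins the ports kept away from NFQUEUE; if that is netdata's statsd listener (presumably, given the rest of this commit) and it binds to all interfaces, host networking now lets any external client push metrics over TCP 8125, so either bind it to 127.0.0.1 in netdata.conf or drop 8125 from this list and let local clients in through the loopback rule. A short comment such as `# 8125: netdata statsd (intended for local clients only)` would record why it is listed. Note also that dropping `--syn -m state --state NEW,ESTABLISHED` from the ACCEPT rules widens them to every TCP segment on those ports, which is harmless only because the following NFQUEUE rule matches new SYNs alone.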
@@ -45,10 +45,12 @@ ExecStart=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml up
 ExecStop=/usr/local/bin/docker-compose -f /etc/tpot/tpot.yml down -v
 
 # Remove only previously set iptables rules
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 64295:64303,7634 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
-ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW,ESTABLISHED -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -s 127.0.0.1 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -d 127.0.0.1 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 64295:64303,7634,8125 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 21,22,23,42,69,80,135,443,445,1433,1723,1883,1900 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 3306,5060,5061,5601,11211 -j ACCEPT
+ExecStopPost=/sbin/iptables -w -D INPUT -p tcp -m multiport --dports 1025,50100,8080,8081,9200 -j ACCEPT
 ExecStopPost=/sbin/iptables -w -D INPUT -p tcp --syn -m state --state NEW -j NFQUEUE
 
 [Install]