diff --git a/salt/docker/init.sls b/salt/docker/init.sls
index 96dd0ee95..f65e8eff8 100644
--- a/salt/docker/init.sls
+++ b/salt/docker/init.sls
@@ -65,11 +65,11 @@ dockerreserveports:
sos_docker_net:
docker_network.present:
- - name: sosnet
+ - name: sosbridge
- subnet: {{ DOCKER.sosrange }}
- gateway: {{ DOCKER.sosbip }}
- options:
com.docker.network.bridge.name: 'sosbridge'
com.docker.network.driver.mtu: '1500'
com.docker.network.bridge.enable_ip_masquerade: 'true'
- - unless: 'docker network ls | grep sosnet'
+ - unless: 'docker network ls | grep sosbridge'
diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls
index 45d15ad58..36df7af35 100644
--- a/salt/elastic-fleet/init.sls
+++ b/salt/elastic-fleet/init.sls
@@ -49,7 +49,7 @@ so-elastic-fleet:
- detach: True
- user: 947
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-elastic-fleet'].ip }}
- extra_hosts:
- {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
@@ -81,4 +81,4 @@ append_so-elastic-fleet_so-status.conf:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}
diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls
index fc26991a3..900cddd45 100644
--- a/salt/elasticsearch/init.sls
+++ b/salt/elasticsearch/init.sls
@@ -291,7 +291,7 @@ so-elasticsearch:
- name: so-elasticsearch
- user: elasticsearch
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-elasticsearch'].ip }}
- extra_hosts: {{ REDIS_NODES }}
- environment:
diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 908deba14..dfef2d720 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -99,7 +99,7 @@ so-filebeat:
- hostname: so-filebeat
- user: root
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-filebeat'].ip }}
- extra_hosts: {{ FILEBEAT_EXTRA_HOSTS }}
- binds:
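Review bot: The renamed guard `- unless: 'docker network ls | grep sosbridge'` in the `sos_docker_net` state only checks for a network whose listing contains the new name, so on a host upgraded from the previous version the still-present `sosnet` network is not detected and `docker_network.present` will try to create a second network on the same `{{ DOCKER.sosrange }}` subnet and bridge name, which Docker presumably refuses, leaving every container that now references `sosbridge` without its network. A narrower check such as `- unless: 'docker network inspect sosbridge'` matches the exact name rather than any listing text containing it. The rename also needs either a migration step that removes or renames the old `sosnet` network before this state runs, or at least a comment on the state such as `# Renamed from sosnet; existing hosts must drop the old network first` so the out-of-band requirement is not lost.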
diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja
index 68f3f4ea7..f02d51e32 100644
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -38,7 +38,7 @@
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A POSTROUTING -s {{DOCKER.range}} ! -o sosnet -j MASQUERADE
+-A POSTROUTING -s {{DOCKER.range}} ! -o sosbridge -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
@@ -48,14 +48,14 @@
-A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
{%- endfor %}
{%- endfor %}
--A DOCKER -i sosnet -j RETURN
+-A DOCKER -i sosbridge -j RETURN
{%- for container in NODE_CONTAINERS %}
{%- for port, proto in DOCKER.containers[container].ports.items() %}
--A DOCKER ! -i sosnet -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
+-A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
{%- endfor %}
{%- endfor %}
--A POSTROUTING_ZONES -o sosnet -g POST_docker
+-A POSTROUTING_ZONES -o sosbridge -g POST_docker
-A POSTROUTING_ZONES -o bond0 -g POST_public
-A POSTROUTING_ZONES -o eth1 -g POST_public
-A POSTROUTING_ZONES -o eth0 -g POST_public
@@ -66,7 +66,7 @@
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
--A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i sosbridge -g PRE_docker
-A PREROUTING_ZONES -i bond0 -g PRE_public
-A PREROUTING_ZONES -i eth1 -g PRE_public
-A PREROUTING_ZONES -i eth0 -g PRE_public
@@ -107,7 +107,7 @@ COMMIT
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
--A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i sosbridge -g PRE_docker
-A PREROUTING_ZONES -i bond0 -g PRE_public
-A PREROUTING_ZONES -i eth1 -g PRE_public
-A PREROUTING_ZONES -i eth0 -g PRE_public
@@ -151,7 +151,7 @@ COMMIT
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
--A PREROUTING_ZONES -i sosnet -g PRE_docker
+-A PREROUTING_ZONES -i sosbridge -g PRE_docker
-A PREROUTING_ZONES -i bond0 -g PRE_public
-A PREROUTING_ZONES -i eth1 -g PRE_public
-A PREROUTING_ZONES -i eth0 -g PRE_public
@@ -239,10 +239,10 @@ COMMIT
-A INPUT -j LOGGING
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
--A FORWARD -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A FORWARD -o sosnet -j DOCKER
--A FORWARD -i sosnet ! -o sosnet -j ACCEPT
--A FORWARD -i sosnet -o sosnet -j ACCEPT
+-A FORWARD -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -o sosbridge -j DOCKER
+-A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT
+-A FORWARD -i sosbridge -o sosbridge -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
@@ -255,19 +255,19 @@ COMMIT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
--A DOCKER-ISOLATION-STAGE-1 -i sosnet ! -o sosnet -j DOCKER-ISOLATION-STAGE-2
+-A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
--A DOCKER-ISOLATION-STAGE-2 -o sosnet -j DROP
+-A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
--A DOCKER-USER ! -i sosnet -o sosnet -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-USER ! -i sosnet -o sosnet -j LOGGING
+-A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
-A DOCKER-USER -j RETURN
--A FORWARD_IN_ZONES -i sosnet -g FWDI_docker
+-A FORWARD_IN_ZONES -i sosbridge -g FWDI_docker
-A FORWARD_IN_ZONES -i bond0 -g FWDI_public
-A FORWARD_IN_ZONES -i eth1 -g FWDI_public
-A FORWARD_IN_ZONES -i eth0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
--A FORWARD_OUT_ZONES -o sosnet -g FWDO_docker
+-A FORWARD_OUT_ZONES -o sosbridge -g FWDO_docker
-A FORWARD_OUT_ZONES -o bond0 -g FWDO_public
-A FORWARD_OUT_ZONES -o eth1 -g FWDO_public
-A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
@@ -287,7 +287,7 @@ COMMIT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
--A INPUT_ZONES -i sosnet -g IN_docker
+-A INPUT_ZONES -i sosbridge -g IN_docker
-A INPUT_ZONES -i bond0 -g IN_public
-A INPUT_ZONES -i eth1 -g IN_public
-A INPUT_ZONES -i eth0 -g IN_public
diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls
index 901a8b6f7..f51ab7ebd 100644
--- a/salt/grafana/init.sls
+++ b/salt/grafana/init.sls
@@ -126,7 +126,7 @@ so-grafana:
- hostname: grafana
- user: socore
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-grafana'].ip }}
- binds:
- /nsm/grafana:/var/lib/grafana:rw
diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls
index 418ecec28..490cea3f7 100644
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -33,7 +33,7 @@ so-idstools:
- hostname: so-idstools
- user: socore
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-idstools'].ip }}
{% if proxy %}
- environment:
diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls
index 0dfa452f5..b2ab49625 100644
--- a/salt/influxdb/init.sls
+++ b/salt/influxdb/init.sls
@@ -49,7 +49,7 @@ so-influxdb:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-influxdb:{{ GLOBALS.so_version }}
- hostname: influxdb
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-influxdb'].ip }}
- environment:
- INFLUXDB_HTTP_LOG_ENABLED=false
diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls
index 9f45e2376..f7c4e81a3 100644
--- a/salt/kibana/init.sls
+++ b/salt/kibana/init.sls
@@ -83,7 +83,7 @@ so-kibana:
- hostname: kibana
- user: kibana
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-kibana'].ip }}
- environment:
- ELASTICSEARCH_HOST={{ GLOBALS.manager }}
diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls
index f22db4069..ab7692951 100644
--- a/salt/kratos/init.sls
+++ b/salt/kratos/init.sls
@@ -69,7 +69,7 @@ so-kratos:
- hostname: kratos
- name: so-kratos
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-kratos'].ip }}
- binds:
- /opt/so/conf/kratos/schema.json:/kratos-conf/schema.json:ro
diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls
index 481f727e4..2224f57d4 100644
--- a/salt/logstash/init.sls
+++ b/salt/logstash/init.sls
@@ -140,7 +140,7 @@ so-logstash:
- hostname: so-logstash
- name: so-logstash
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-logstash'].ip }}
- user: logstash
- extra_hosts: {{ REDIS_NODES }}
diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls
index e9766ea83..2ab88f7fe 100644
--- a/salt/mysql/init.sls
+++ b/salt/mysql/init.sls
@@ -85,7 +85,7 @@ so-mysql:
- hostname: so-mysql
- user: socore
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-mysql'].ip }}
- port_bindings:
- 0.0.0.0:3306:3306
diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls
index 69fc541fa..dd8f1b829 100644
--- a/salt/nginx/init.sls
+++ b/salt/nginx/init.sls
@@ -85,7 +85,7 @@ so-nginx:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-nginx:{{ GLOBALS.so_version }}
- hostname: so-nginx
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-nginx'].ip }}
- binds:
- /opt/so/conf/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls
index 6784422c3..1a8ae7f67 100644
--- a/salt/playbook/init.sls
+++ b/salt/playbook/init.sls
@@ -81,7 +81,7 @@ so-playbook:
- hostname: playbook
- name: so-playbook
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-playbook'].ip }}
- binds:
- /opt/so/log/playbook:/playbook/log:rw
diff --git a/salt/redis/init.sls b/salt/redis/init.sls
index d8ef991fa..95598cbbd 100644
--- a/salt/redis/init.sls
+++ b/salt/redis/init.sls
@@ -47,7 +47,7 @@ so-redis:
- hostname: so-redis
- user: socore
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
- port_bindings:
- 0.0.0.0:6379:6379
diff --git a/salt/registry/init.sls b/salt/registry/init.sls
index b716ed2bb..ab85f4af3 100644
--- a/salt/registry/init.sls
+++ b/salt/registry/init.sls
@@ -39,7 +39,7 @@ so-dockerregistry:
- image: ghcr.io/security-onion-solutions/registry:latest
- hostname: so-registry
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
- restart_policy: always
- port_bindings:
diff --git a/salt/soc/init.sls b/salt/soc/init.sls
index e8ab21b4a..35a58d8ec 100644
--- a/salt/soc/init.sls
+++ b/salt/soc/init.sls
@@ -97,7 +97,7 @@ so-soc:
- hostname: soc
- name: so-soc
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-soc'].ip }}
- binds:
- /nsm/soc/jobs:/opt/sensoroni/jobs:rw
diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls
index 13559c626..792353a27 100644
--- a/salt/soctopus/init.sls
+++ b/salt/soctopus/init.sls
@@ -64,7 +64,7 @@ so-soctopus:
- hostname: soctopus
- name: so-soctopus
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-soctopus'].ip }}
- binds:
- /opt/so/conf/soctopus/SOCtopus.conf:/SOCtopus/SOCtopus.conf:ro
diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls
index 122c30fd6..c67ad5d7f 100644
--- a/salt/strelka/init.sls
+++ b/salt/strelka/init.sls
@@ -169,7 +169,7 @@ strelka_coordinator:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
- name: so-strelka-coordinator
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
- entrypoint: redis-server --save "" --appendonly no
- port_bindings:
@@ -185,7 +185,7 @@ strelka_gatekeeper:
- image: {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-redis:{{ GLOBALS.so_version }}
- name: so-strelka-gatekeeper
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
- entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
- port_bindings:
@@ -205,7 +205,7 @@ strelka_frontend:
- privileged: True
- name: so-strelka-frontend
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
- command: strelka-frontend
- port_bindings:
@@ -224,7 +224,7 @@ strelka_backend:
- /opt/so/conf/strelka/rules/:/etc/yara/:ro
- name: so-strelka-backend
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-backend'].ip }}
- command: strelka-backend
- restart_policy: on-failure
@@ -241,7 +241,7 @@ strelka_manager:
- /opt/so/conf/strelka/manager/:/etc/strelka/:ro
- name: so-strelka-manager
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-manager'].ip }}
- command: strelka-manager
@@ -258,7 +258,7 @@ strelka_filestream:
- /nsm/strelka:/nsm/strelka
- name: so-strelka-filestream
- networks:
- - sosnet:
+ - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-strelka-filestream'].ip }}
- command: strelka-filestream