From d163d834d427d306d17963b7a0cdd38c9e9f67f5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 12 Jan 2023 16:42:45 -0500 Subject: [PATCH 1/4] allow for binding ip and ports to different port number --- salt/docker/defaults.yaml | 95 ++++++++++++++++++++---------------- salt/firewall/iptables.jinja | 64 +++++++++++++++++------- 2 files changed, 98 insertions(+), 61 deletions(-) diff --git a/salt/docker/defaults.yaml b/salt/docker/defaults.yaml index e24dcc21a..e2ec07d32 100644 --- a/salt/docker/defaults.yaml +++ b/salt/docker/defaults.yaml 
@@ -6,94 +6,103 @@ docker: containers: 'so-dockerregistry': final_octet: 20 - ports: - 5000: tcp + port_bindings: + - 0.0.0.0:5000:5000 'so-elastic-fleet': final_octet: 21 - ports: - 8220: tcp + port_bindings: + - 0.0.0.0:8220:8220/tcp 'so-elasticsearch': final_octet: 22 - ports: - 9200: tcp - 9300: tcp + port_bindings: + - 0.0.0.0:9200:9200/tcp + - 0.0.0.0:9300:9300/tcp 'so-filebeat': final_octet: 23 - ports: - 514: udp - 5066: tcp + port_bindings: + - 0.0.0.0:514:514/udp + - 0.0.0.0:514:514/tcp + - 0.0.0.0:5066:5066/tcp 'so-grafana': final_octet: 24 - ports: - 3000: tcp + port_bindings: + - 0.0.0.0:3000:3000 'so-idstools': final_octet: 25 'so-influxdb': final_octet: 26 - ports: - 8086: tcp + port_bindings: + - 0.0.0.0:8086:8086 'so-kibana': final_octet: 27 - ports: - 5601: tcp + port_bindings: + - 0.0.0.0:5601:5601 'so-kratos': final_octet: 28 - ports: - 4433: tcp - 4434: tcp + port_bindings: + - 0.0.0.0:4433:4433 + - 0.0.0.0:4434:4434 'so-logstash': final_octet: 29 - ports: - 3765: tcp - 5044: tcp - 5055: tcp - 5644: tcp - 6050: tcp - 6051: tcp - 6052: tcp - 6053: tcp - 9600: tcp + port_bindings: + - 0.0.0.0:3765:3765 + - 0.0.0.0:5044:5044 + - 0.0.0.0:5055:5055 + - 0.0.0.0:5644:5644 + - 0.0.0.0:6050:6050 + - 0.0.0.0:6051:6051 + - 0.0.0.0:6052:6052 + - 0.0.0.0:6053:6053 + - 0.0.0.0:9600:9600 'so-mysql': final_octet: 30 - ports: - 3306: tcp + port_bindings: + - 0.0.0.0:3306:3306 'so-nginx': final_octet: 31 - ports: - 80: tcp - 443: tcp + port_bindings: + - 80:80 + - 443:443 'so-playbook': final_octet: 32 + port_bindings: + - 0.0.0.0:3200:3000 'so-redis': final_octet: 33 - ports: - 6379: tcp - 9696: tcp + port_bindings: + - 0.0.0.0:6379:6379 + - 0.0.0.0:9696:9696 'so-soc': final_octet: 34 - ports: - 9822: tcp + port_bindings: + - 0.0.0.0:9822:9822 'so-soctopus': final_octet: 35 - ports: - 7000: tcp + port_bindings: + - 0.0.0.0:7000:7000 'so-strelka-backend': final_octet: 36 'so-strelka-filestream': final_octet: 37 'so-strelka-frontend': final_octet: 38 + 
port_bindings: + - 0.0.0.0:57314:57314 'so-strelka-manager': final_octet: 39 'so-strelka-gatekeeper': final_octet: 40 + port_bindings: + - 0.0.0.0:6381:6379 'so-strelka-coordinator': final_octet: 41 + port_bindings: + - 0.0.0.0:6380:6379 'so-elastalert': final_octet: 42 'so-curator': final_octet: 43 'so-elastic-fleet-package-registry': final_octet: 44 - ports: - 8080: tcp + port_bindings: + - 0.0.0.0:8080:8080/tcp diff --git a/salt/firewall/iptables.jinja b/salt/firewall/iptables.jinja index b1d884cd1..b9773d448 100644 --- a/salt/firewall/iptables.jinja +++ b/salt/firewall/iptables.jinja 
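Review bot: The `so-nginx` entries `80:80` and `443:443` are plain digit-and-colon scalars, and values of that shape are the YAML 1.1 sexagesimal trap on PyYAML-style loaders (a binding such as `22:22` silently loads as the integer 1342), which is exactly why iptables.jinja has to do `binding|string` before it can split. Quote every binding so its type no longer depends on the loader, e.g. `- '80:80'` and `- '443:443'`, and for consistency the `0.0.0.0:` forms too. Note that the rewrite also widens what the firewall generator will allow compared with the old `ports:` map: `so-filebeat` now carries `0.0.0.0:514:514/tcp` where only 514/udp was listed before, `so-playbook` gets a binding for 3200 where it had none, and the strelka entries gain bindings that become rules once those containers are in NODE_CONTAINERS — worth stating in the commit message if intended.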
@@ -2,6 +2,46 @@ {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%} {% from 'firewall/map.jinja' import hostgroups with context -%} {% from 'firewall/map.jinja' import assigned_hostgroups with context -%} +{%- set PR = [] %} +{%- set D1 = [] %} +{%- set D2 = [] %} +{%- for container in NODE_CONTAINERS %} +{%- set IP = DOCKER.containers[container].ip %} +{%- if DOCKER.containers[container].port_bindings is defined %} +{%- for binding in DOCKER.containers[container].port_bindings %} +{#- cant split int so we convert to string #} +{%- set binding = binding|string %} +{#- split the port binding by /. if proto not specified, default is tcp #} +{%- set binding_split = binding.split('/') %} +{%- if binding_split | length > 1 %} +{%- set proto = binding_split[1] %} +{%- else %} +{%- set proto = 'tcp' %} +{%- endif %} +{%- set bsa = binding_split[0].split(':') %} +{%- set bindip = '' %} +{%- set hostPort = '' %} +{%- set containerPort = '' %} +{%- if bsa | length == 3 %} +{%- set bindip = bsa[0] %} +{%- set hostPort = bsa[1] %} +{%- set containerPort = bsa[2] %} +{%- endif %} +{%- if bsa | length == 2 %} +{%- set hostPort = bsa[0] %} +{%- set containerPort = bsa[1] %} +{%- endif %} +{%- do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %} +{%- if bindip | length and bindip != '0.0.0.0' %} +{%- do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- else %} +{%- do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %} +{%- endif %} +{%- do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! 
-i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %} +{%- endfor %} +{%- endif %} +{%- endfor %} + *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] @@ -11,20 +51,12 @@ -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE -{%- for container in NODE_CONTAINERS %} -{%- if DOCKER.containers[container].ports is defined %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} --A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE -{%- endfor %} -{%- endif %} +{%- for rule in PR %} +{{ rule }} {%- endfor %} -A DOCKER -i sosbridge -j RETURN -{%- for container in NODE_CONTAINERS %} -{%- if DOCKER.containers[container].ports is defined %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} --A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} -{%- endfor %} -{%- endif %} +{%- for rule in D1 %} +{{ rule }} {%- endfor %} COMMIT @@ -71,12 +103,8 @@ COMMIT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP -{%- for container in NODE_CONTAINERS %} -{%- if DOCKER.containers[container].ports is defined %} -{%- for port, proto in DOCKER.containers[container].ports.items() %} --A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT -{%- endfor %} -{%- endif %} +{%- for rule in D2 %} +{{ rule }} {%- endfor %} -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2 From a69b0951d3add138ad17b2f5a22b20dea46a4d88 Mon Sep 17 00:00:00 2001 
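Review bot: A binding that is neither `ip:host:container` nor `host:container` (a bare container port, which Docker accepts) falls through both `if bsa | length` checks with `hostPort` and `containerPort` still `''`, and the following `PR.append`/`D1.append`/`D2.append` calls then emit rules with an empty `--dport`, which makes the whole iptables-restore fail rather than just that container's rules. Turn the second check into `{%- elif bsa | length == 2 %}` and add `{%- else %}` / `{{ raise('unsupported port_binding ' ~ binding ~ ' for ' ~ container) }}` before the closing `{%- endif %}` so a bad pillar value fails at render time with a clear message. `proto` is likewise spliced into the rule string unvalidated from the `/` suffix; a guard `{%- if proto not in ['tcp', 'udp'] %}` with the same `raise` keeps a typo like `/tpc` from producing an unloadable rule set. `{%- set IP = DOCKER.containers[container].ip %}` is assigned but never read — every append repeats the full expression — so either use it in the appends or drop it.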
From: m0duspwnens Date: Thu, 12 Jan 2023 16:47:34 -0500 Subject: [PATCH 2/4] add strelka containers --- salt/firewall/containers.map.jinja | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/firewall/containers.map.jinja b/salt/firewall/containers.map.jinja index ab37ade78..2ca294abc 100644 --- a/salt/firewall/containers.map.jinja +++ b/salt/firewall/containers.map.jinja @@ -14,5 +14,11 @@ 'so-nginx', 'so-redis', 'so-soc', - 'so-soctopus' + 'so-soctopus', + 'so-strelka-coordinator', + 'so-strelka-gatekeeper', + 'so-strelka-frontend', + 'so-strelka-backend', + 'so-strelka-manager', + 'so-strelka-filestream' ] %} From 6033e9a0de361b1a75fc42620cae49454ed2aae0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Jan 2023 10:15:10 -0500 Subject: [PATCH 3/4] use port_bindings from docker defaults in docker states --- salt/elastic-fleet-package-registry/init.sls | 4 +++- salt/elastic-fleet/init.sls | 4 +++- salt/elasticsearch/init.sls | 5 +++-- salt/filebeat/init.sls | 6 +++--- salt/grafana/init.sls | 4 +++- salt/influxdb/init.sls | 4 +++- salt/kibana/init.sls | 4 +++- salt/kratos/init.sls | 5 +++-- salt/logstash/init.sls | 4 ++-- salt/mysql/init.sls | 4 +++- salt/nginx/init.sls | 5 +++-- salt/playbook/init.sls | 4 +++- salt/redis/init.sls | 5 +++-- salt/registry/init.sls | 4 +++- salt/soc/init.sls | 4 +++- salt/soctopus/init.sls | 4 +++- salt/strelka/init.sls | 12 +++++++++--- 17 files changed, 56 insertions(+), 26 deletions(-) diff --git a/salt/elastic-fleet-package-registry/init.sls b/salt/elastic-fleet-package-registry/init.sls index acb8bfb63..2a72a417d 100644 --- a/salt/elastic-fleet-package-registry/init.sls +++ b/salt/elastic-fleet-package-registry/init.sls 
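Review bot: Adding the strelka containers to NODE_CONTAINERS means the new port_bindings loop in iptables.jinja now emits nat DNAT and filter ACCEPT rules for `so-strelka-coordinator` (6380→6379), `so-strelka-gatekeeper` (6381→6379) and `so-strelka-frontend` (57314), all bound to 0.0.0.0 in defaults.yaml. The coordinator and gatekeeper run as plain `redis-server --save "" --appendonly no` instances (see the strelka state in the next patch), so unless FORWARD/INPUT are already narrowed by hostgroup before the DOCKER chain is reached — not visible in this series — those Redis ports are reachable from any non-bridge source; if Docker's own iptables management is disabled in this deployment this is a new exposure, otherwise it formalises an existing one. If only specific roles need them, bind those entries to a concrete address instead of 0.0.0.0 in defaults.yaml, or confirm the hostgroup rules cover them, and add a comment above this list such as `{# every container listed here gets DNAT/ACCEPT rules generated from its port_bindings #}` so the side effect of extending it is obvious.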
@@ -34,7 +34,9 @@ so-elastic-fleet-package-registry: - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: - - 0.0.0.0:8080:8080 + {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %} + - {{ BINDING }} + {% endfor %} append_so-elastic-fleet-package-registry_so-status.conf: file.append: diff --git a/salt/elastic-fleet/init.sls b/salt/elastic-fleet/init.sls index 36df7af35..1460fda38 100644 --- a/salt/elastic-fleet/init.sls +++ b/salt/elastic-fleet/init.sls @@ -54,7 +54,9 @@ so-elastic-fleet: - extra_hosts: - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }} - port_bindings: - - 0.0.0.0:8220:8220 + {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw diff --git a/salt/elasticsearch/init.sls b/salt/elasticsearch/init.sls index 900cddd45..e713e933a 100644 --- a/salt/elasticsearch/init.sls +++ b/salt/elasticsearch/init.sls @@ -304,8 +304,9 @@ so-elasticsearch: - nofile=65536:65536 - nproc=4096 - port_bindings: - - 0.0.0.0:9200:9200 - - 0.0.0.0:9300:9300 + {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls index dfef2d720..0bb1eaf34 100644 --- a/salt/filebeat/init.sls +++ b/salt/filebeat/init.sls 
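Review bot: Each state in this commit now dereferences `DOCKER.containers['<name>'].port_bindings` through a hand-typed string with no `is defined` guard, whereas iptables.jinja treats `port_bindings` as optional; a pillar override that drops the key, or a name typo like the `so-strelka-cordinator` in the strelka hunk, most likely fails the render of that state file rather than degrading to "publish nothing". Either wrap the loop, `{% if DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings is defined %}`, or better, bind the name once near the top of each state (`{% set CONTAINER = 'so-elastic-fleet-package-registry' %}`) and reuse it for both `ip` and `port_bindings` so the two lookups cannot drift. The same applies to the elastic-fleet, elasticsearch, filebeat, grafana, influxdb, kibana, kratos, logstash, mysql, nginx, playbook, redis, registry, soc, soctopus and strelka hunks.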
@@ -116,9 +116,9 @@ so-filebeat: - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro - /opt/so/log:/logs:ro - port_bindings: - - 0.0.0.0:514:514/udp - - 0.0.0.0:514:514/tcp - - 0.0.0.0:5066:5066/tcp + {% for BINDING in DOCKER.containers['so-filebeat'].port_bindings %} + - {{ BINDING }} + {% endfor %} {% for module in MODULESMERGED.modules.keys() %} {% for submodule in MODULESMERGED.modules[module] %} {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %} diff --git a/salt/grafana/init.sls b/salt/grafana/init.sls index 9f6d2c79f..f0363c754 100644 --- a/salt/grafana/init.sls +++ b/salt/grafana/init.sls @@ -138,7 +138,9 @@ so-grafana: - environment: - GF_SECURITY_ADMIN_PASSWORD={{ ADMINPASS }} - port_bindings: - - 0.0.0.0:3000:3000 + {% for BINDING in DOCKER.containers['so-grafana'].port_bindings %} + - {{ BINDING }} + {% endfor %} - watch: - file: /opt/so/conf/grafana/* - require: diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index 58a394bbe..5a4936843 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -60,7 +60,9 @@ so-influxdb: - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - port_bindings: - - 0.0.0.0:8086:8086 + {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %} + - {{ BINDING }} + {% endfor %} - watch: - file: influxdbconf - require: diff --git a/salt/kibana/init.sls b/salt/kibana/init.sls index f7c4e81a3..4ac0af025 100644 --- a/salt/kibana/init.sls +++ b/salt/kibana/init.sls @@ -95,7 +95,9 @@ so-kibana: - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro - /sys/fs/cgroup:/sys/fs/cgroup:ro - port_bindings: - - 0.0.0.0:5601:5601 + {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %} + - {{ BINDING }} + {% endfor %} - watch: - file: kibanaconfig diff --git a/salt/kratos/init.sls b/salt/kratos/init.sls index ab7692951..ef77951d9 100644 
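Review bot: For so-filebeat the static bindings are replaced by the defaults list, but the loop that follows the hunk (`{% for module in MODULESMERGED.modules.keys() %}` … `var.syslog_port`) appears to append further per-module syslog bindings to the same `port_bindings` list; those ports would be published by Docker but never appear in `DOCKER.containers['so-filebeat'].port_bindings`, so the new generator in iptables.jinja creates no DNAT/ACCEPT rules for them. Either feed the module syslog ports into a map that both this state and iptables.jinja read, or add a comment above the loop, `{# module-defined syslog ports below are not covered by the docker defaults; firewall rules for them live elsewhere #}`, naming where they are handled. The `so-filebeat:` state continues outside the hunk.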
--- a/salt/kratos/init.sls +++ b/salt/kratos/init.sls @@ -77,8 +77,9 @@ so-kratos: - /opt/so/log/kratos/:/kratos-log:rw - /nsm/kratos/db:/kratos-data:rw - port_bindings: - - 0.0.0.0:4433:4433 - - 0.0.0.0:4434:4434 + {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %} + - {{ BINDING }} + {% endfor %} - restart_policy: unless-stopped - watch: - file: kratosschema diff --git a/salt/logstash/init.sls b/salt/logstash/init.sls index 10b3cb07b..05b184239 100644 --- a/salt/logstash/init.sls +++ b/salt/logstash/init.sls @@ -147,9 +147,9 @@ so-logstash: - environment: - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }} - port_bindings: - {% for BINDING in DOCKER_OPTIONS.port_bindings %} + {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %} - {{ BINDING }} - {% endfor %} + {% endfor %} - binds: - /opt/so/conf/elasticsearch/templates/:/templates/:ro - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro diff --git a/salt/mysql/init.sls b/salt/mysql/init.sls index 2ab88f7fe..ebb9b09e7 100644 --- a/salt/mysql/init.sls +++ b/salt/mysql/init.sls @@ -88,7 +88,9 @@ so-mysql: - sosbridge: - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }} - port_bindings: - - 0.0.0.0:3306:3306 + {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %} + - {{ BINDING }} + {% endfor %} - environment: - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }} - MYSQL_ROOT_PASSWORD=/etc/mypass diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index dd8f1b829..6547732df 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -106,8 +106,9 @@ so-nginx: {% endif %} - cap_add: NET_BIND_SERVICE - port_bindings: - - 80:80 - - 443:443 + {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %} + - {{ BINDING }} + {% endfor %} - watch: - file: nginxconf - file: nginxconfdir diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 88f86d31d..237cc398b 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls 
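Review bot: The logstash hunk swaps `DOCKER_OPTIONS.port_bindings` for the global `DOCKER.containers['so-logstash'].port_bindings`; the old name suggests a value assembled per node, while the new source is the fixed nine-port list from defaults.yaml, so every logstash node would publish — and, through iptables.jinja, accept — all nine ports regardless of role. If DOCKER_OPTIONS was narrowed by the node's pipeline assignment, that narrowing is lost and should either be restored by filtering the defaults list or justified in a comment above the loop (`{# all logstash ports are published on every role; hostgroup rules decide who may reach them #}`). Only the replaced line is visible here, not where DOCKER_OPTIONS was built, so this is inferred from the name.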
@@ -91,7 +91,9 @@ so-playbook: - REDMINE_DB_USERNAME=playbookdbuser - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }} - port_bindings: - - 0.0.0.0:3200:3000 + {% for BINDING in DOCKER.containers['so-playbook'].port_bindings %} + - {{ BINDING }} + {% endfor %} append_so-playbook_so-status.conf: file.append: diff --git a/salt/redis/init.sls b/salt/redis/init.sls index 95598cbbd..dce00bd8b 100644 --- a/salt/redis/init.sls +++ b/salt/redis/init.sls @@ -50,8 +50,9 @@ so-redis: - sosbridge: - ipv4_address: {{ DOCKER.containers['so-redis'].ip }} - port_bindings: - - 0.0.0.0:6379:6379 - - 0.0.0.0:9696:9696 + {% for BINDING in DOCKER.containers['so-redis'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/log/redis:/var/log/redis:rw - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro diff --git a/salt/registry/init.sls b/salt/registry/init.sls index ab85f4af3..321b1c3d2 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -43,7 +43,9 @@ so-dockerregistry: - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }} - restart_policy: always - port_bindings: - - 0.0.0.0:5000:5000 + {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %} + - {{ BINDING }} + {% endfor %} - binds: - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro - /opt/so/conf/docker-registry:/var/lib/registry:rw diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 35a58d8ec..40cb4487d 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -117,7 +117,9 @@ so-soc: {%- endfor %} {%- endif %} - port_bindings: - - 0.0.0.0:9822:9822 + {% for BINDING in DOCKER.containers['so-soc'].port_bindings %} + - {{ BINDING }} + {% endfor %} - watch: - file: /opt/so/conf/soc/* - require: diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 792353a27..5097ea112 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls 
@@ -76,7 +76,9 @@ so-soctopus: - /nsm/repo/rules/sigma:/soctopus/sigma {% endif %} - port_bindings: - - 0.0.0.0:7000:7000 + {% for BINDING in DOCKER.containers['so-soctopus'].port_bindings %} + - {{ BINDING }} + {% endfor %} - extra_hosts: - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}} - require: diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index c67ad5d7f..6c4657ac4 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -173,7 +173,9 @@ strelka_coordinator: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: - - 0.0.0.0:6380:6379 + {% for BINDING in DOCKER.containers['so-strelka-cordinator'].port_bindings %} + - {{ BINDING }} + {% endfor %} append_so-strelka-coordinator_so-status.conf: file.append: @@ -189,7 +191,9 @@ strelka_gatekeeper: - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }} - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru - port_bindings: - - 0.0.0.0:6381:6379 + {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %} + - {{ BINDING }} + {% endfor %} append_so-strelka-gatekeeper_so-status.conf: file.append: @@ -209,7 +213,9 @@ strelka_frontend: - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }} - command: strelka-frontend - port_bindings: - - 0.0.0.0:57314:57314 + {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %} + - {{ BINDING }} + {% endfor %} append_so-strelka-frontend_so-status.conf: file.append: From 3653df4d5f0ab343474e63d4b7d259c87004f2c7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 13 Jan 2023 10:18:13 -0500 Subject: [PATCH 4/4] spell it right --- salt/strelka/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index 6c4657ac4..76fdce509 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls 
@@ -173,7 +173,7 @@ strelka_coordinator: - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }} - entrypoint: redis-server --save "" --appendonly no - port_bindings: - {% for BINDING in DOCKER.containers['so-strelka-cordinator'].port_bindings %} + {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %} - {{ BINDING }} {% endfor %}