Merge pull request #9573 from Security-Onion-Solutions/2.4/firewall

2.4/firewall

salt/docker/defaults.yaml

@@ -6,94 +6,103 @@ docker:
   containers:
     'so-dockerregistry':
       final_octet: 20
-      ports:
+      port_bindings:
-        5000: tcp
+        - 0.0.0.0:5000:5000
     'so-elastic-fleet':
       final_octet: 21
-      ports:
+      port_bindings:
-        8220: tcp
+        - 0.0.0.0:8220:8220/tcp
     'so-elasticsearch':
       final_octet: 22
-      ports:
+      port_bindings:
-        9200: tcp
+        - 0.0.0.0:9200:9200/tcp
-        9300: tcp
+        - 0.0.0.0:9300:9300/tcp
     'so-filebeat':
       final_octet: 23
-      ports:
+      port_bindings:
-        514: udp
+        - 0.0.0.0:514:514/udp
-        5066: tcp
+        - 0.0.0.0:514:514/tcp
+        - 0.0.0.0:5066:5066/tcp
     'so-grafana':
       final_octet: 24
-      ports:
+      port_bindings:
-        3000: tcp
+        - 0.0.0.0:3000:3000
     'so-idstools':
       final_octet: 25
     'so-influxdb':
       final_octet: 26
-      ports:
+      port_bindings:
-        8086: tcp
+        - 0.0.0.0:8086:8086
     'so-kibana':
       final_octet: 27
-      ports:
+      port_bindings:
-        5601: tcp
+        - 0.0.0.0:5601:5601
     'so-kratos':
       final_octet: 28
-      ports:
+      port_bindings:
-        4433: tcp
+        - 0.0.0.0:4433:4433
-        4434: tcp
+        - 0.0.0.0:4434:4434
     'so-logstash':
       final_octet: 29
-      ports:
+      port_bindings:
-        3765: tcp
+        - 0.0.0.0:3765:3765
-        5044: tcp
+        - 0.0.0.0:5044:5044
-        5055: tcp
+        - 0.0.0.0:5055:5055
-        5644: tcp
+        - 0.0.0.0:5644:5644
-        6050: tcp
+        - 0.0.0.0:6050:6050
-        6051: tcp
+        - 0.0.0.0:6051:6051
-        6052: tcp
+        - 0.0.0.0:6052:6052
-        6053: tcp
+        - 0.0.0.0:6053:6053
-        9600: tcp
+        - 0.0.0.0:9600:9600
     'so-mysql':
       final_octet: 30
-      ports:
+      port_bindings:
-        3306: tcp
+        - 0.0.0.0:3306:3306
     'so-nginx':
       final_octet: 31
-      ports:
+      port_bindings:
-        80: tcp
+        - 80:80
-        443: tcp
+        - 443:443
     'so-playbook':
       final_octet: 32
+      port_bindings:
+        - 0.0.0.0:3200:3000
     'so-redis':
       final_octet: 33
-      ports:
+      port_bindings:
-        6379: tcp
+        - 0.0.0.0:6379:6379
-        9696: tcp
+        - 0.0.0.0:9696:9696
     'so-soc':
       final_octet: 34
-      ports:
+      port_bindings:
-        9822: tcp
+        - 0.0.0.0:9822:9822
     'so-soctopus':
       final_octet: 35
-      ports:
+      port_bindings:
-        7000: tcp
+        - 0.0.0.0:7000:7000
     'so-strelka-backend':
       final_octet: 36
     'so-strelka-filestream':
       final_octet: 37
     'so-strelka-frontend':
       final_octet: 38
+      port_bindings:
+        - 0.0.0.0:57314:57314
     'so-strelka-manager':
       final_octet: 39
     'so-strelka-gatekeeper':
       final_octet: 40
+      port_bindings:
+        - 0.0.0.0:6381:6379
     'so-strelka-coordinator':
       final_octet: 41
+      port_bindings:
+        - 0.0.0.0:6380:6379
     'so-elastalert':
       final_octet: 42
     'so-curator':
       final_octet: 43
     'so-elastic-fleet-package-registry':
       final_octet: 44
-      ports:
+      port_bindings:
-        8080: tcp
+        - 0.0.0.0:8080:8080/tcp

salt/elastic-fleet-package-registry/init.sls

@@ -34,7 +34,9 @@ so-elastic-fleet-package-registry:
     - extra_hosts:
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
     - port_bindings:
-      - 0.0.0.0:8080:8080
+      {% for BINDING in DOCKER.containers['so-elastic-fleet-package-registry'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
 
 append_so-elastic-fleet-package-registry_so-status.conf:
   file.append:

salt/elastic-fleet/init.sls

@@ -54,7 +54,9 @@ so-elastic-fleet:
     - extra_hosts:
         - {{ GLOBALS.hostname }}:{{ GLOBALS.node_ip }}
     - port_bindings:
-      - 0.0.0.0:8220:8220
+      {% for BINDING in DOCKER.containers['so-elastic-fleet'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - binds:
       - /opt/so/conf/elastic-fleet/certs:/etc/pki:ro
       - /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw

salt/elasticsearch/init.sls

@@ -304,8 +304,9 @@ so-elasticsearch:
       - nofile=65536:65536
       - nproc=4096
     - port_bindings:
-      - 0.0.0.0:9200:9200
+      {% for BINDING in DOCKER.containers['so-elasticsearch'].port_bindings %}
-      - 0.0.0.0:9300:9300
+      - {{ BINDING }}
+      {% endfor %}
     - binds:
       - /opt/so/conf/elasticsearch/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
       - /opt/so/conf/elasticsearch/log4j2.properties:/usr/share/elasticsearch/config/log4j2.properties:ro

salt/filebeat/init.sls

@@ -116,9 +116,9 @@ so-filebeat:
       - /etc/ssl/certs/intca.crt:/usr/share/filebeat/intraca.crt:ro
       - /opt/so/log:/logs:ro
     - port_bindings:
-        - 0.0.0.0:514:514/udp
+      {% for BINDING in DOCKER.containers['so-filebeat'].port_bindings %}
-        - 0.0.0.0:514:514/tcp
+      - {{ BINDING }}
-        - 0.0.0.0:5066:5066/tcp
+      {% endfor %}
 {% for module in MODULESMERGED.modules.keys() %}
   {% for submodule in MODULESMERGED.modules[module] %}
     {% if MODULESMERGED.modules[module][submodule].enabled and MODULESMERGED.modules[module][submodule]["var.syslog_port"] is defined %}

salt/firewall/containers.map.jinja

@@ -14,5 +14,11 @@
      'so-nginx',
      'so-redis',
      'so-soc',
-     'so-soctopus'
+     'so-soctopus',
+     'so-strelka-coordinator',
+     'so-strelka-gatekeeper',
+     'so-strelka-frontend',
+     'so-strelka-backend',
+     'so-strelka-manager',
+     'so-strelka-filestream'
 ] %}

salt/firewall/iptables.jinja

@@ -2,6 +2,46 @@
 {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
 {% from 'firewall/map.jinja' import hostgroups with context -%}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
+{%- set PR = [] %}
+{%- set D1 = [] %}
+{%- set D2 = [] %}
+{%- for container in NODE_CONTAINERS %}
+{%-   set IP = DOCKER.containers[container].ip %}
+{%-   if DOCKER.containers[container].port_bindings is defined %}
+{%-     for binding in DOCKER.containers[container].port_bindings %}
+{#-       cant split int so we convert to string #}
+{%-       set binding = binding|string %}
+{#-          split the port binding by /. if proto not specified, default is tcp #}
+{%-         set binding_split = binding.split('/') %}
+{%-         if binding_split | length > 1 %}
+{%-           set proto = binding_split[1] %}
+{%-         else %}
+{%-           set proto = 'tcp' %}
+{%-         endif %}
+{%-         set bsa = binding_split[0].split(':') %}
+{%-         set bindip = '' %}
+{%-         set hostPort = '' %}
+{%-         set containerPort = '' %}
+{%-         if bsa | length == 3 %}
+{%-           set bindip = bsa[0] %}
+{%-           set hostPort = bsa[1] %}
+{%-           set containerPort = bsa[2] %}
+{%-         endif %}
+{%-         if bsa | length == 2 %}
+{%-           set hostPort = bsa[0] %}
+{%-           set containerPort = bsa[1] %}
+{%-         endif %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         if bindip | length and bindip != '0.0.0.0' %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-         else %}
+{%-           do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-         endif %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-     endfor %}
+{%-   endif %}
+{%- endfor %}
+
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -11,20 +51,12 @@
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
-{%- for container in NODE_CONTAINERS %}
+{%- for rule in PR %}
-{%-   if DOCKER.containers[container].ports is defined %}
+{{ rule }}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
--A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
-{%-     endfor %}
-{%-   endif %}
 {%- endfor %}
 -A DOCKER -i sosbridge -j RETURN
-{%- for container in NODE_CONTAINERS %}
+{%- for rule in D1 %}
-{%-   if DOCKER.containers[container].ports is defined %}
+{{ rule }}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
--A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
-{%-     endfor %}
-{%-   endif %}
 {%- endfor %}
 
 COMMIT
@@ -71,12 +103,8 @@ COMMIT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
 
-{%- for container in NODE_CONTAINERS %}
+{%- for rule in D2 %}
-{%-   if DOCKER.containers[container].ports is defined %}
+{{ rule }}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
--A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
-{%-     endfor %}
-{%-   endif %}
 {%- endfor %}
 
 -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2

salt/grafana/init.sls

@@ -138,7 +138,9 @@ so-grafana:
     - environment:
       - GF_SECURITY_ADMIN_PASSWORD={{ ADMINPASS }}
     - port_bindings:
-      - 0.0.0.0:3000:3000
+      {% for BINDING in DOCKER.containers['so-grafana'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - watch:
       - file: /opt/so/conf/grafana/*
     - require:

salt/influxdb/init.sls

@@ -60,7 +60,9 @@ so-influxdb:
       - /etc/pki/influxdb.crt:/etc/ssl/influxdb.crt:ro
       - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
     - port_bindings:
-      - 0.0.0.0:8086:8086
+      {% for BINDING in DOCKER.containers['so-influxdb'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - watch:
       - file: influxdbconf
     - require:

salt/kibana/init.sls

@@ -95,7 +95,9 @@ so-kibana:
       - /opt/so/conf/kibana/customdashboards:/usr/share/kibana/custdashboards:ro
       - /sys/fs/cgroup:/sys/fs/cgroup:ro
     - port_bindings:
-      - 0.0.0.0:5601:5601
+      {% for BINDING in DOCKER.containers['so-kibana'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - watch:
       - file: kibanaconfig
 

salt/kratos/init.sls

@@ -77,8 +77,9 @@ so-kratos:
       - /opt/so/log/kratos/:/kratos-log:rw
       - /nsm/kratos/db:/kratos-data:rw
     - port_bindings:
-      - 0.0.0.0:4433:4433
+      {% for BINDING in DOCKER.containers['so-kratos'].port_bindings %}
-      - 0.0.0.0:4434:4434
+      - {{ BINDING }}
+      {% endfor %}
     - restart_policy: unless-stopped
     - watch:
       - file: kratosschema

salt/logstash/init.sls

@@ -147,9 +147,9 @@ so-logstash:
     - environment:
       - LS_JAVA_OPTS=-Xms{{ lsheap }} -Xmx{{ lsheap }}
     - port_bindings:
-  {% for BINDING in DOCKER_OPTIONS.port_bindings %}
+      {% for BINDING in DOCKER.containers['so-logstash'].port_bindings %}
       - {{ BINDING }}
-  {% endfor %}
+      {% endfor %}
     - binds:
       - /opt/so/conf/elasticsearch/templates/:/templates/:ro
       - /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro

salt/mysql/init.sls

@@ -88,7 +88,9 @@ so-mysql:
       - sosbridge:
         - ipv4_address: {{ DOCKER.containers['so-mysql'].ip }}
     - port_bindings:
-      - 0.0.0.0:3306:3306
+      {% for BINDING in DOCKER.containers['so-mysql'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - environment:
       - MYSQL_ROOT_HOST={{ GLOBALS.manager_ip }}
       - MYSQL_ROOT_PASSWORD=/etc/mypass

salt/nginx/init.sls

@@ -106,8 +106,9 @@ so-nginx:
   {% endif %}
     - cap_add: NET_BIND_SERVICE
     - port_bindings:
-      - 80:80
+      {% for BINDING in DOCKER.containers['so-nginx'].port_bindings %}
-      - 443:443
+      - {{ BINDING }}
+      {% endfor %}
     - watch:
       - file: nginxconf
       - file: nginxconfdir

salt/playbook/init.sls

@@ -91,7 +91,9 @@ so-playbook:
       - REDMINE_DB_USERNAME=playbookdbuser
       - REDMINE_DB_PASSWORD={{ PLAYBOOKPASS }}
     - port_bindings:
-      - 0.0.0.0:3200:3000
+      {% for BINDING in DOCKER.containers['so-playbook'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
 
 append_so-playbook_so-status.conf:
   file.append:

salt/redis/init.sls

@@ -50,8 +50,9 @@ so-redis:
       - sosbridge:
         - ipv4_address: {{ DOCKER.containers['so-redis'].ip }}
     - port_bindings:
-      - 0.0.0.0:6379:6379
+      {% for BINDING in DOCKER.containers['so-redis'].port_bindings %}
-      - 0.0.0.0:9696:9696
+      - {{ BINDING }}
+      {% endfor %}
     - binds:
       - /opt/so/log/redis:/var/log/redis:rw
       - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro

salt/registry/init.sls

@@ -43,7 +43,9 @@ so-dockerregistry:
         - ipv4_address: {{ DOCKER.containers['so-dockerregistry'].ip }}
     - restart_policy: always
     - port_bindings:
-      - 0.0.0.0:5000:5000
+      {% for BINDING in DOCKER.containers['so-dockerregistry'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - binds:
       - /opt/so/conf/docker-registry/etc/config.yml:/etc/docker/registry/config.yml:ro
       - /opt/so/conf/docker-registry:/var/lib/registry:rw

salt/soc/init.sls

@@ -117,7 +117,9 @@ so-soc:
       {%- endfor %}
       {%- endif %}
     - port_bindings:
-      - 0.0.0.0:9822:9822
+      {% for BINDING in DOCKER.containers['so-soc'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - watch:
       - file: /opt/so/conf/soc/*
     - require:

salt/soctopus/init.sls

@@ -76,7 +76,9 @@ so-soctopus:
       - /nsm/repo/rules/sigma:/soctopus/sigma
       {% endif %}
     - port_bindings:
-      - 0.0.0.0:7000:7000
+      {% for BINDING in DOCKER.containers['so-soctopus'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
     - extra_hosts:
       - {{GLOBALS.url_base}}:{{GLOBALS.manager_ip}}
     - require:

salt/strelka/init.sls

@@ -173,7 +173,9 @@ strelka_coordinator:
         - ipv4_address: {{ DOCKER.containers['so-strelka-coordinator'].ip }}
     - entrypoint: redis-server --save "" --appendonly no
     - port_bindings:
-      - 0.0.0.0:6380:6379
+      {% for BINDING in DOCKER.containers['so-strelka-coordinator'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
 
 append_so-strelka-coordinator_so-status.conf:
   file.append:
@@ -189,7 +191,9 @@ strelka_gatekeeper:
         - ipv4_address: {{ DOCKER.containers['so-strelka-gatekeeper'].ip }}
     - entrypoint: redis-server --save "" --appendonly no --maxmemory-policy allkeys-lru
     - port_bindings:
-      - 0.0.0.0:6381:6379
+      {% for BINDING in DOCKER.containers['so-strelka-gatekeeper'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
 
 append_so-strelka-gatekeeper_so-status.conf:
   file.append:
@@ -209,7 +213,9 @@ strelka_frontend:
         - ipv4_address: {{ DOCKER.containers['so-strelka-frontend'].ip }}
     - command: strelka-frontend
     - port_bindings:
-      - 0.0.0.0:57314:57314
+      {% for BINDING in DOCKER.containers['so-strelka-frontend'].port_bindings %}
+      - {{ BINDING }}
+      {% endfor %}
 
 append_so-strelka-frontend_so-status.conf:
   file.append: