allow for binding ip and ports to different port number

2025-12-09 18:52:52 +01:00 · 2023-01-12 16:42:45 -05:00
parent 80f65fcd62
commit d163d834d4
2 changed files with 98 additions and 61 deletions
--- a/salt/docker/defaults.yaml
+++ b/salt/docker/defaults.yaml
@@ -6,94 +6,103 @@ docker:
  containers:
    'so-dockerregistry':
      final_octet: 20
-      ports:
-        5000: tcp
+      port_bindings:
+        - 0.0.0.0:5000:5000
    'so-elastic-fleet':
      final_octet: 21
-      ports:
-        8220: tcp
+      port_bindings:
+        - 0.0.0.0:8220:8220/tcp
    'so-elasticsearch':
      final_octet: 22
-      ports:
-        9200: tcp
-        9300: tcp
+      port_bindings:
+        - 0.0.0.0:9200:9200/tcp
+        - 0.0.0.0:9300:9300/tcp
    'so-filebeat':
      final_octet: 23
-      ports:
-        514: udp
-        5066: tcp
+      port_bindings:
+        - 0.0.0.0:514:514/udp
+        - 0.0.0.0:514:514/tcp
+        - 0.0.0.0:5066:5066/tcp
    'so-grafana':
      final_octet: 24
-      ports:
-        3000: tcp
+      port_bindings:
+        - 0.0.0.0:3000:3000
    'so-idstools':
      final_octet: 25
    'so-influxdb':
      final_octet: 26
-      ports:
-        8086: tcp
+      port_bindings:
+        - 0.0.0.0:8086:8086
    'so-kibana':
      final_octet: 27
-      ports:
-        5601: tcp
+      port_bindings:
+        - 0.0.0.0:5601:5601
    'so-kratos':
      final_octet: 28
-      ports:
-        4433: tcp
-        4434: tcp
+      port_bindings:
+        - 0.0.0.0:4433:4433
+        - 0.0.0.0:4434:4434
    'so-logstash':
      final_octet: 29
-      ports:
-        3765: tcp
-        5044: tcp
-        5055: tcp
-        5644: tcp
-        6050: tcp
-        6051: tcp
-        6052: tcp
-        6053: tcp
-        9600: tcp
+      port_bindings:
+        - 0.0.0.0:3765:3765
+        - 0.0.0.0:5044:5044
+        - 0.0.0.0:5055:5055
+        - 0.0.0.0:5644:5644
+        - 0.0.0.0:6050:6050
+        - 0.0.0.0:6051:6051
+        - 0.0.0.0:6052:6052
+        - 0.0.0.0:6053:6053
+        - 0.0.0.0:9600:9600
    'so-mysql':
      final_octet: 30
-      ports:
-        3306: tcp
+      port_bindings:
+        - 0.0.0.0:3306:3306
    'so-nginx':
      final_octet: 31
-      ports:
-        80: tcp
-        443: tcp
+      port_bindings:
+        - 80:80
+        - 443:443
    'so-playbook':
      final_octet: 32
+      port_bindings:
+        - 0.0.0.0:3200:3000
    'so-redis':
      final_octet: 33
-      ports:
-        6379: tcp
-        9696: tcp
+      port_bindings:
+        - 0.0.0.0:6379:6379
+        - 0.0.0.0:9696:9696
    'so-soc':
      final_octet: 34
-      ports:
-        9822: tcp
+      port_bindings:
+        - 0.0.0.0:9822:9822
    'so-soctopus':
      final_octet: 35
-      ports:
-        7000: tcp
+      port_bindings:
+        - 0.0.0.0:7000:7000
    'so-strelka-backend':
      final_octet: 36
    'so-strelka-filestream':
      final_octet: 37
    'so-strelka-frontend':
      final_octet: 38
+      port_bindings:
+        - 0.0.0.0:57314:57314
    'so-strelka-manager':
      final_octet: 39
    'so-strelka-gatekeeper':
      final_octet: 40
+      port_bindings:
+        - 0.0.0.0:6381:6379
    'so-strelka-coordinator':
      final_octet: 41
+      port_bindings:
+        - 0.0.0.0:6380:6379
    'so-elastalert':
      final_octet: 42
    'so-curator':
      final_octet: 43
    'so-elastic-fleet-package-registry':
      final_octet: 44
-      ports:
-        8080: tcp
+      port_bindings:
+        - 0.0.0.0:8080:8080/tcp
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -2,6 +2,46 @@
 {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
 {% from 'firewall/map.jinja' import hostgroups with context -%}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
+{%- set PR = [] %}
+{%- set D1 = [] %}
+{%- set D2 = [] %}
+{%- for container in NODE_CONTAINERS %}
+{%-   set IP = DOCKER.containers[container].ip %}
+{%-   if DOCKER.containers[container].port_bindings is defined %}
+{%-     for binding in DOCKER.containers[container].port_bindings %}
+{#-       cant split int so we convert to string #}
+{%-       set binding = binding|string %}
+{#-          split the port binding by /. if proto not specified, default is tcp #}
+{%-         set binding_split = binding.split('/') %}
+{%-         if binding_split | length > 1 %}
+{%-           set proto = binding_split[1] %}
+{%-         else %}
+{%-           set proto = 'tcp' %}
+{%-         endif %}
+{%-         set bsa = binding_split[0].split(':') %}
+{%-         set bindip = '' %}
+{%-         set hostPort = '' %}
+{%-         set containerPort = '' %}
+{%-         if bsa | length == 3 %}
+{%-           set bindip = bsa[0] %}
+{%-           set hostPort = bsa[1] %}
+{%-           set containerPort = bsa[2] %}
+{%-         endif %}
+{%-         if bsa | length == 2 %}
+{%-           set hostPort = bsa[0] %}
+{%-           set containerPort = bsa[1] %}
+{%-         endif %}
+{%-         do PR.append("-A POSTROUTING -s " ~ DOCKER.containers[container].ip ~ "/32 -d " ~ DOCKER.containers[container].ip ~ "/32 -p " ~  proto ~ " -m " ~ proto  ~ " --dport " ~ containerPort ~ " -j MASQUERADE") %}
+{%-         if bindip | length and bindip != '0.0.0.0' %}
+{%-           do D1.append("-A DOCKER -d " ~ bindip ~ "/32 ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-         else %}
+{%-           do D1.append("-A DOCKER ! -i sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ hostPort ~ " -j DNAT --to-destination " ~ DOCKER.containers[container].ip ~ ":" ~ containerPort) %}
+{%-         endif %}
+{%-         do D2.append("-A DOCKER -d " ~ DOCKER.containers[container].ip ~ "/32 ! -i sosbridge -o sosbridge -p " ~ proto ~ " -m " ~ proto ~ " --dport " ~ containerPort ~ " -j ACCEPT") %}
+{%-     endfor %}
+{%-   endif %}
+{%- endfor %}
+
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
@@ -11,20 +51,12 @@
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
-{%- for container in NODE_CONTAINERS %}
-{%-   if DOCKER.containers[container].ports is defined %}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
-A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
-{%-     endfor %}
-{%-   endif %}
+{%- for rule in PR %}
+{{ rule }}
 {%- endfor %}
 -A DOCKER -i sosbridge -j RETURN
-{%- for container in NODE_CONTAINERS %}
-{%-   if DOCKER.containers[container].ports is defined %}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
-A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
-{%-     endfor %}
-{%-   endif %}
+{%- for rule in D1 %}
+{{ rule }}
 {%- endfor %}

 COMMIT
@@ -71,12 +103,8 @@ COMMIT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP

-{%- for container in NODE_CONTAINERS %}
-{%-   if DOCKER.containers[container].ports is defined %}
-{%-     for port, proto in DOCKER.containers[container].ports.items() %}
-A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
-{%-     endfor %}
-{%-   endif %}
+{%- for rule in D2 %}
+{{ rule }}
 {%- endfor %}

 -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2