Small Python script and Docker container which fetches all running Docker containers from the Rancher API and creates custom firewall rules on a MikroTik router if necessary.
The Docker container can be fully configured via environment variables:
- AUTOFW_MIKROTIK_ADDRESS = IP or hostname of the MikroTik router
- AUTOFW_MIKROTIK_USER = username for the MikroTik connection (must have write access)
- AUTOFW_MIKROTIK_PASS = the SSH password for the MikroTik user
- AUTOFW_RANCHER_API_URL = the URL of the Rancher API service
- AUTOFW_RANCHER_API_KEY = the API key for the Rancher API service
- AUTOFW_RANCHER_API_SECRET = the API secret for the Rancher API service
If the following three environment variables are specified, the container will try to look up the MikroTik credentials and the Rancher API credentials in HashiCorp Vault (if found, the Vault values overwrite the environment variables):
- AUTOFW_VAULT_SERVER = HTTP URL of the Vault server
- AUTOFW_VAULT_ROLE_ID = role id
- AUTOFW_VAULT_SECRET_ID = secret id
- AUTOFW_DOCKER_CHECK_RUNNING = only check and create fw rules for running containers (defaults to 'true')
- AUTOFW_DOCKER_LABEL_ENABLE = container label which defines whether fw rules will be created for the container (defaults to 'cloud.hutter.autofw.enable')
- AUTOFW_DOCKER_LABEL_NAT = container label which holds the dstnat rule definitions (defaults to 'cloud.hutter.autofw.ip.firewall.dstnat')
- AUTOFW_DOCKER_LABEL_NAT_COMMENT = container label which holds an additional comment for the MikroTik fw rule (defaults to 'cloud.hutter.autofw.ip.firewall.dstnat.comment')
- AUTOFW_MIKROTIK_COMMENT = the default comment which is added to all generated fw rules (defaults to 'generated by autofw')
- AUTOFW_DOCKER_LABEL_DNS = container label which holds the dns entries (defaults to: 'cloud.hutter.autofw.ip.dns.static')
- AUTOFW_DOCKER_LABEL_DNS_COMMENT = container label which holds an additional comment for the mikrotik dns entry (defaults to: 'cloud.hutter.autofw.ip.dns.static.comment')
- AUTOFW_LOGLEVEL = the log level; can be 'debug' or 'info' (defaults to 'info')
- AUTOFW_SCHEDULE = number of seconds between script executions (defaults to '10')
The container runs the update script every few seconds. It will automatically create and remove dst-nat entries and static DNS entries.
To enable dst-nat entries for a container set the content of the label AUTOFW_DOCKER_LABEL_ENABLE to 'true'.
You can specify dstnat rules via the label AUTOFW_DOCKER_LABEL_NAT. To add a specific comment, set the label AUTOFW_DOCKER_LABEL_NAT_COMMENT.
#example entry for my local vault instance
cloud.hutter.autofw.ip.firewall.dstnat.comment=vault
cloud.hutter.autofw.ip.firewall.dstnat=protocol=tcp,dstport=8200,ininterface=sfp1
cloud.hutter.autofw.enable=true
You can specify multiple dstnat rules by separating them with a colon (:).
#example for openvpn server port forward
cloud.hutter.autofw.ip.firewall.dstnat=protocol=tcp,dstport=443,ininterface=sfp1:protocol=tcp,dstport=943,ininterface=sfp1:protocol=tcp,dstport=1194,ininterface=sfp1:protocol=udp,dstport=1194,ininterface=sfp1
In addition to dstnat firewall rules, the script can also set static DNS entries.
You can specify DNS entries (A records) with the label AUTOFW_DOCKER_LABEL_DNS. Additional comments for the DNS entries can be set via the label AUTOFW_DOCKER_LABEL_DNS_COMMENT.
#example entry for reverse proxy services
cloud.hutter.autofw.ip.dns.static.comment=reverse proxy services
cloud.hutter.autofw.ip.dns.static=name=calibre.hutter.cloud:name=proxy.hutter.cloud
If you specify the address= parameter, you can change the IP address that is assigned; by default the IP address of the host is used.
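The label grammar described above (rules separated by ':', fields by ',', 'address=' overriding the host IP for DNS entries), worked through as an added example that is not the project's own code. The default label names are the ones from this README; the RouterOS field-name mapping, the way the label comment is joined to the default comment, the enable label also gating DNS entries, and the host IP 192.0.2.10 are assumptions.

```python
# Added example (not the project's code): turn autofw container labels into rule dicts.
LABEL_ENABLE = "cloud.hutter.autofw.enable"            # README default label names
LABEL_NAT = "cloud.hutter.autofw.ip.firewall.dstnat"
LABEL_NAT_COMMENT = LABEL_NAT + ".comment"
LABEL_DNS = "cloud.hutter.autofw.ip.dns.static"
LABEL_DNS_COMMENT = LABEL_DNS + ".comment"
DEFAULT_COMMENT = "generated by autofw"

def parse_rules(value):
    """Split 'k=v,k=v:k=v,...' (':' between rules, ',' between fields) into dicts."""
    rules = []
    for chunk in value.split(":"):
        pairs = (p.partition("=") for p in chunk.split(",") if "=" in p)
        rule = {k.strip(): v.strip() for k, _, v in pairs if k.strip()}
        if rule:                      # blank or malformed chunks are skipped
            rules.append(rule)
    return rules

def _comment(labels, key):  # how the label comment is joined to the default is an assumption
    extra = labels.get(key, "").strip()
    return DEFAULT_COMMENT + (" - " + extra if extra else "")

def dstnat_rules(labels, host_ip):
    """dst-nat rules using RouterOS field names (mapping assumed); [] unless enabled."""
    if labels.get(LABEL_ENABLE, "").lower() != "true":
        return []
    out = []
    for r in parse_rules(labels.get(LABEL_NAT, "")):
        if "protocol" not in r or "dstport" not in r:  # RouterOS needs protocol with dst-port
            continue
        out.append({"chain": "dstnat", "action": "dst-nat", "protocol": r["protocol"],
                    "dst-port": r["dstport"], "in-interface": r.get("ininterface"),
                    "to-addresses": host_ip, "to-ports": r["dstport"],
                    "comment": _comment(labels, LABEL_NAT_COMMENT)})
    return out

def dns_entries(labels, host_ip):
    """Static A records; 'address=' overrides the host ip (enable gate assumed for dns too)."""
    if labels.get(LABEL_ENABLE, "").lower() != "true":
        return []
    return [{"name": r["name"], "address": r.get("address", host_ip),
             "comment": _comment(labels, LABEL_DNS_COMMENT)}
            for r in parse_rules(labels.get(LABEL_DNS, "")) if "name" in r]

if __name__ == "__main__":  # the README's vault example, with a constructed host ip
    sample = {LABEL_ENABLE: "true", LABEL_NAT_COMMENT: "vault",
              LABEL_NAT: "protocol=tcp,dstport=8200,ininterface=sfp1"}
    print(dstnat_rules(sample, "192.0.2.10"))
```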