diff --git a/firewall/firewall-add b/firewall/firewall-add
index 2d4a241..43c7b7b 100755
--- a/firewall/firewall-add
+++ b/firewall/firewall-add
@@ -16,8 +16,8 @@ POSTROUTING=$POSTROUTING
 # Mandatory task variables
 CHAIN=$CHAIN
 NAME=$NAME
-COMMENT=$COMMENT
-NAME=$NAME-$COMMENT
+COMMENT="-$COMMENT"
+NAME=$NAME$COMMENT
 PROTOCOL=$TYPE
 EXTRA_OPTIONS="$2 $3 $4"
@@ -27,6 +27,37 @@ EXTRA_OPTIONS="$2 $3 $4"
 DEBUG=1
 fi;
+# finding IPv4 addresses from application names.
+name_resolver() {
+
+ local DNS_IP
+ local DNS=$1
+ APP_IP=""
+
+ echo "DNS: "$DNS;
+
+ for D in $(echo $DNS);
+ do
+
+ UP=$(docker ps --format '{{.Names}}\t{{.Status}}' | grep Up | awk '{print $1}' | grep $D"-") ;
+ # filtering for ROLES variables if exists.
+ if [[ "$ROLES" != "null" && ! -z "$ROLES" ]]; then
+ UP=$(grep $ROLES $(docker $UP -f '{{.Config.Labels.roles}}'));
+ fi
+
+ if [ ! -z "$UP" ] ; then
+ for D_IP in `echo $UP` ;
+ do
+ DNS_IP=$(docker inspect $D_IP -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}');
+ APP_IP="$APP_IP $DNS_IP";
+ echo "APP_IP: "$APP_IP;
+ done
+ else
+ debug "no matching running process found"
+ fi
+
+ done;
+}
 if [[ -z "$TYPE" ]]; then
 TYPE="tcp"
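Review bot: `COMMENT="-$COMMENT"` makes the value start with a dash, and the unchanged prerouting() lookup in the next hunk still runs `grep $COMMENT` on it unquoted, so grep will read the value as an option (with an empty COMMENT the pattern is just `-`) instead of matching the rule comment, leaving LINES empty and any rule cleanup that depends on it silently skipped. If the dash is only wanted for composing the name, keep COMMENT intact and write `NAME="$NAME-$COMMENT"`; wherever the dashed form really is the search key, pass it as `grep -F -- "$COMMENT"`. Other consumers of COMMENT (the iptables comment match itself) are outside this hunk, so I cannot tell whether they expect the leading dash.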
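Review bot: The ROLES filter in name_resolver cannot work as written: `docker $UP -f '{{.Config.Labels.roles}}'` runs docker with a container name as the subcommand (I read this as a dropped `inspect`), and the outer `grep $ROLES $(...)` treats the label output as a file name rather than as input, so under `set -e` or not the result is an error or an empty UP. The surrounding matching is also loose — `grep $D"-"` is unanchored, so an app named `web` also picks up `myweb-…`; use `grep -- "^$D-"` — and `UP`, `D` and `D_IP` leak out of the function (only `APP_IP` is meant as the output), while the `echo "DNS: "` / `echo "APP_IP: "` lines write diagnostics to stdout instead of through the existing `debug` helper. The filter below checks each running container's roles label individually and keeps only the matches; the rest of the function is unchanged.
```shell
    # filtering for ROLES variables if exists.
    if [[ "$ROLES" != "null" && -n "$ROLES" ]]; then
      local matched=""
      local c
      for c in $UP; do
        if docker inspect -f '{{.Config.Labels.roles}}' "$c" | grep -q -- "$ROLES"; then
          matched="$matched $c"
        fi
      done
      UP=$matched
    fi
    # … unchanged: IP collection loop over $UP …
```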
@@ -37,19 +68,50 @@ if [[ -z "$SOURCE_IP" ]]; then
 elif [[ "$(echo $SOURCE_IP | cut -d . -f4)" == "0" ]] ; then
 SOURCE_IP="$SOURCE_IP/24";
- debug "source ip is $SOURCE_IP"
+ debug "source ip is $SOURCE_IP";
+fi
+if [[ "$SOURCE_APP" != *"."* ]]; then
+ name_resolver $SOURCE_APP;
+ debug "source ip is $APP_IP";
+ IDX=0
+ for IP in $(echo $APP_IP); do
+ IDX=$(expr 1 + $IDX)
+ if [ $IDX = 1 ]; then
+ SOURCE_IP=$IP
+ else
+ eval SOURCE_IP_$IDX=$IP;
+ fi;
+ done;
+ # Modifying source or target IP addresses if POSTROUTING rules needed to applied
 fi;
+
 if [[ -z "$TARGET_IP" ]]; then
 TARGET_IP="0.0.0.0/0";
 elif [[ "$(echo $TARGET_IP | cut -d . -f4)" == "0" ]] ; then
 TARGET_IP="$TARGET_IP/24";
- debug "target ip is $TARGET_IP"
+ debug "target ip is $TARGET_IP";
+fi
+
+if [[ "$TARGET_APP" != *"."* ]]; then
+ name_resolver $TARGET_APP;
+ debug "target ip is $APP_IP";
+ IDX=0
+ for IP in $(echo $APP_IP); do
+ IDX=$(expr 1 + $IDX)
+ if [ $IDX = 1 ]; then
+ TARGET_IP=$IP;
+ else
+ eval TARGET_IP_$IDX=$IP;
+ fi;
+ done;
 fi;
+set | grep SOURCE
+set | grep TARGET
 prerouting() {
 LINES=$($IPTABLES -L --line-number -n | grep DNAT | grep $SOURCE_PORT |grep $TARGET_IP |grep $TARGET_PORT |grep $COMMENT | awk '{print $1}'| tac)
@@ -132,7 +194,6 @@ ip_route() {
 if [[ "$ROUTE" == "true" ]] ; then
 IP_ROUTE="nsenter -t $(docker inspect --format {{.State.Pid}} $NAME) -n -- ip route";
- debug "ip_route: "$IP_ROUTE;
 ip_route;
 exit;
 fi
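Review bot: `set | grep SOURCE` and `set | grep TARGET`, added just before prerouting(), dump every shell variable and function definition whose text contains those words — including anything inherited from the caller's environment — to stdout on every run; this looks like leftover debugging and should be dropped, or at least routed through `debug` and gated on the existing DEBUG flag. The two resolver loops also assign through `eval SOURCE_IP_$IDX=$IP` / `eval TARGET_IP_$IDX=$IP`, which evaluates `docker inspect` output as shell; `printf -v "SOURCE_IP_$IDX" '%s' "$IP"` does the same assignment without eval, and `IDX=$((IDX + 1))` avoids the `expr` fork. Since the SOURCE and TARGET blocks are identical apart from the variable prefix, a small helper taking the prefix would remove the duplication. `[[ "$SOURCE_APP" != *"."* ]]` is also true when SOURCE_APP is unset, so name_resolver runs with an empty argument — harmless because its loop then iterates nothing, but `[[ -n "$SOURCE_APP" && "$SOURCE_APP" != *"."* ]]` states the intent. The `if [[ -z "$SOURCE_IP" ]]` block this hunk modifies starts before the hunk.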