From baf66654fa1c38d8d09433a62c08233c6d014fd2 Mon Sep 17 00:00:00 2001
From: Doc
Date: Mon, 6 Oct 2025 18:04:08 -0400
Subject: [PATCH] revisions of isolation-check
---
 .gitea/workflows/isolate-the-network.sh | 63 +++++++++++++++++++++++++
 .gitea/workflows/isolation-check.yaml | 5 +-
 2 files changed, 66 insertions(+), 2 deletions(-)
 create mode 100644 .gitea/workflows/isolate-the-network.sh
diff --git a/.gitea/workflows/isolate-the-network.sh b/.gitea/workflows/isolate-the-network.sh
new file mode 100644
index 0000000..25b4d19
--- /dev/null
+++ b/.gitea/workflows/isolate-the-network.sh
@@ -0,0 +1,63 @@
+#!/bin/env bash
+
+
+# docker network create \
+# --driver bridge \
+# --subnet 172.25.0.0/16 \
+# --gateway 172.25.0.1 \
+# --ipv6=false \
+# isolated-net
+#
+# # --ipv6 \
+# # --subnet fd00:25::/64
+# # --gateway fd00:25::1
+
+
+ISOLATEDPREFIX=172.25.0
+ISOLATEDSUFFIX=.0
+ISOLATEDSEGMENT=16
+
+ISOLATEDNETv6=fd00:25::/64
+
+DOCKERZONE=docker
+HOMEZONE=home
+
+FWCMD=$(which firewall-cmd)
+
+# Decide if rules should persist after reboot/reload. "--permanent" or ""
+MKPERMANENT=
+
+LANSUBNETS="10.0.0.0/8 192.168.1.0/24"
+
+# IPv4
+
+# Allow traffic to own subnet by default
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" accept"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny all other traffic to docker zone
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" drop"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny isolated segment to lan
+for addr in $LANSUBNETS ; do
+ RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
+ $FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule="$RULE"
+done
+
+# IPv6
+
+# Dont bother allowing intra-subnet traffic for IPv6
+
+# Deny IPv6 traffic to docker zone
+RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" drop"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny isolated ipv6 segment to LAN ipv6
+for addr in $LAN6SUBNETS ; do
+ RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
+ $FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule="$RULE"
+done
+
+
+$FWCMD --reload
diff --git a/.gitea/workflows/isolation-check.yaml b/.gitea/workflows/isolation-check.yaml
index 6b62e0e..790105d 100644
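Review bot: With `MKPERMANENT` left empty (its default on the line after the persistence comment), every `--add-rich-rule` call changes only the runtime configuration, and the closing `$FWCMD --reload` then replaces the runtime configuration with the permanent one, so the script ends with none of its isolation rules in effect; either run `--reload` only when `MKPERMANENT=--permanent` is set, or add each rule both with and without `--permanent` and drop the reload. The final loop, commented "Deny isolated ipv6 segment to LAN ipv6", iterates `$LAN6SUBNETS`, which is never assigned anywhere in the file (only `LANSUBNETS` is), and its rule body is a copy of the IPv4 rule, so no IPv6-to-LAN drop is ever installed; it should iterate a defined `LAN6SUBNETS="<lan ipv6 prefixes>"` and build `RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" destination address=\"$addr\" drop"`. `FWCMD=$(which firewall-cmd)` yields an empty string when firewalld is absent, after which each rule line degenerates to running `--zone=...` as a command, which prints "command not found" but does not stop the script; `FWCMD=$(command -v firewall-cmd) || exit 1` together with `set -euo pipefail` after the shebang would make that a hard failure. Whether the intra-subnet `accept` rule is evaluated before the broader `drop` rule in the same zone depends on firewalld's rich-rule ordering, which I cannot confirm from this file; giving both rules an explicit `priority=` would make the intended order unambiguous.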
--- a/.gitea/workflows/isolation-check.yaml
+++ b/.gitea/workflows/isolation-check.yaml
@@ -65,8 +65,9 @@ jobs:
 - name: Check external IP
 run: |
 echo "--- Checking external IP (https://ifconfig.me)"
- for addr in https://ifconfig.me ; do
- curl $addr
+ for ignore in errors ; do
+ curl -4 icanhazip.com
+ curl -6 icanhazip.com
 done
 - name: Outbound reachability sanity check
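Review bot: The new `for ignore in errors ; do` loop runs its body exactly once and does nothing to ignore errors: a `run: |` step is normally executed with the shell's `-e` option, so `curl -6 icanhazip.com` failing on a runner without IPv6 connectivity aborts the step, which appears to be the opposite of what the loop name intends (the job's shell settings are outside this hunk, so confirm). If these lookups are informational, drop the loop and give each call a fallback and a bound, e.g. `curl -4 --max-time 10 icanhazip.com || echo "IPv4 lookup failed"` and likewise for `-6`, so the step reports rather than fails and a blackholed request cannot hang the job. The retained `echo "--- Checking external IP (https://ifconfig.me)"` line now names a service the step no longer queries; change it to name icanhazip.com.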