revisions of isolation-check
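--- /dev/null
+++ b/.gitea/workflows/isolate-the-network.sh
@@ -0,0 +1,63 @@
+#!/bin/env bash
+
+
+# docker network create \
+# --driver bridge \
+# --subnet 172.25.0.0/16 \
+# --gateway 172.25.0.1 \
+# --ipv6=false \
+# isolated-net
+#
+# # --ipv6 \
+# # --subnet fd00:25::/64
+# # --gateway fd00:25::1
+
+
+ISOLATEDPREFIX=172.25.0
+ISOLATEDSUFFIX=.0
+ISOLATEDSEGMENT=16
+
+ISOLATEDNETv6=fd00:25::/64
+
+DOCKERZONE=docker
+HOMEZONE=home
+
+FWCMD=$(which firewall-cmd)
+
+# Decide if rules should persist after reboot/reload. "--permanent" or ""
+MKPERMANENT=
+
+LANSUBNETS="10.0.0.0/8 192.168.1.0/24"
+
+# IPv4
+
+# Allow traffic to own subnet by default
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" accept"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny all other traffic to docker zone
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" drop"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny isolated segment to lan
+for addr in $LANSUBNETS ; do
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
+$FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule="$RULE"
+done
+
+# IPv6
+
+# Dont bother allowing intra-subnet traffic for IPv6
+
+# Deny IPv6 traffic to docker zone
+RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" drop"
+$FWCMD $MKPERMANENT --zone=$DOCKERZONE --add-rich-rule="$RULE"
+
+# Deny isolated ipv6 segment to LAN ipv6
+for addr in $LAN6SUBNETS ; do
+RULE="rule family=\"ipv4\" source address=\"${ISOLATEDPREFIX}${ISOLATEDSUFFIX}/${ISOLATEDSEGMENT}\" destination address=\"$addr\" drop"
+$FWCMD $MKPERMANENT --zone=$HOMEZONE --add-rich-rule="$RULE"
+done
+
+
+$FWCMD --reload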
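Review bot: The closing `$FWCMD --reload` undoes every rule this script just added whenever `MKPERMANENT` is left empty, as it is here, because firewalld's reload replaces the runtime configuration with the permanent one; gate it, e.g. `[[ -n "$MKPERMANENT" ]] && "$FWCMD" --reload`, or use `--runtime-to-permanent` instead. The `LAN6SUBNETS` loop body re-emits the IPv4 rule (`family="ipv4"` with the 172.25.0.0/16 source) where the IPv6 rule is meant, and `LAN6SUBNETS` is never assigned, so that loop is currently a no-op; the body should read `RULE="rule family=\"ipv6\" source address=\"${ISOLATEDNETv6}\" destination address=\"$addr\" drop"`. With no `set -e` and `FWCMD` taken from `which` without a check, a missing firewall-cmd makes every `$FWCMD` line fail quietly while the script still exits 0; `FWCMD=$(command -v firewall-cmd) || { echo 'firewall-cmd not found' >&2; exit 1; }` together with `set -euo pipefail` near the top would surface that. Whether `/bin/env` exists on the runner depends on the distribution; `#!/usr/bin/env bash` is the portable spelling.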
@@ -65,8 +65,9 @@ jobs:
|
|||||||
- name: Check external IP
|
- name: Check external IP
|
||||||
run: |
|
run: |
|
||||||
echo "--- Checking external IP (https://ifconfig.me)"
|
echo "--- Checking external IP (https://ifconfig.me)"
|
||||||
for addr in https://ifconfig.me ; do
|
for ignore in errors ; do
|
||||||
curl $addr
|
curl -4 icanhazip.com
|
||||||
|
curl -6 icanhazip.com
|
||||||
done
|
done
|
||||||
|
|
||||||
- name: Outbound reachability sanity check
|
- name: Outbound reachability sanity check
|
||||||
|
|||||||
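Review bot: The new `for ignore in errors ; do … done` wrapper around the two curl calls suppresses nothing; if the step runs under `bash -e` as actions runners typically do, the first non-zero `curl` still fails the step, and because the isolation rules `drop` rather than `reject`, a blocked probe has no timeout here and can stall until curl gives up on its own. Since unreachability is the expected outcome of an isolation test, bound each probe and record the result instead, e.g. `curl -4 --max-time 10 icanhazip.com || echo "IPv4 egress blocked"` and the same for `-6`. The unchanged `echo "--- Checking external IP (https://ifconfig.me)"` above still names ifconfig.me although the probes now go to icanhazip.com; the message should be updated to match. The workflow file this hunk belongs to is not named on the page.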