Re-apply the firewall instantly on restarts, for README simulations

nolar · Sep 20, 2020 · 18545da · 18545da
1 parent af4ece2
commit 18545da
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 13 deletions.
diff --git a/apply-firewall.sh b/apply-firewall.sh
@@ -9,14 +9,27 @@
 : ${IPTABLES_FILE_V4:="/tmp/iptables.txt"}
 : ${IPTABLES_FILE_V6:="/tmp/ip6tables.txt"}
 
+# New with every new container (e.g. on restarts).
+timestamp_v4=/tmp/timestamp-v4
+timestamp_v6=/tmp/timestamp-v6
+
+# For the first start, always apply the rules.
+if [[ ${1:-} == initial ]]; then
+  rm -f "${timestamp_v4}" "${timestamp_v6}"
+fi
+
 if [[ -e "${IPTABLES_FILE_V4}" ]]; then
-  iptables-restore <"${IPTABLES_FILE_V4}"
-  rm -f "${IPTABLES_FILE_V4}"
-  echo "The firewall is applied (v4)."
+  if [[ ! -e "${timestamp_v4}" || "${IPTABLES_FILE_V4}" -nt "${timestamp_v4}" ]]; then
+    iptables-restore <"${IPTABLES_FILE_V4}"
+    touch "${timestamp_v4}"
+    echo "The firewall is applied (v4)."
+  fi
 fi
 
 if [[ -e "${IPTABLES_FILE_V6}" ]]; then
-  ip6tables-restore <"${IPTABLES_FILE_V6}"
-  rm -f "${IPTABLES_FILE_V6}"
-  echo "The firewall is applied (v6)."
+  if [[ ! -e "${timestamp_v6}" || "${IPTABLES_FILE_V6}" -nt "${timestamp_v6}" ]]; then
+    ip6tables-restore <"${IPTABLES_FILE_V6}"
+    touch "${timestamp_v6}"
+    echo "The firewall is applied (v6)."
+  fi
 fi
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -104,6 +104,7 @@ services:
       - bash
       - -c
       - |
+        /apply-firewall.sh initial
         while true; do
           /apply-firewall.sh
           sleep 1s
@@ -113,7 +114,7 @@ services:
       IPTABLES_FILE_V6: /iptables/iptables-v6.txt
     volumes:
       - ./apply-firewall.sh:/apply-firewall.sh:ro
-      - iptables:/iptables
+      - iptables:/iptables:ro
     cap_add: [NET_ADMIN]
     restart: unless-stopped
     stop_signal: SIGKILL
@@ -130,11 +131,7 @@ services:
       - bash
       - -c
       - |
-        IPTABLES_FILE_V4=/tmp/null4 \
-        IPTABLES_FILE_V6=/tmp/null6 \
-        ALLOWED_IPS_FILE= ALLOWED_IPS_DIR= \
-          /generate-firewall.sh  # silent insta-block!
-
+        /generate-firewall.sh initial  # silent insta-block!
         while true; do
           /update-airvpn-ips.sh
           /generate-firewall.sh
@@ -152,7 +149,7 @@ services:
       - ./cache:/cache
       - ./update-airvpn-ips.sh:/update-airvpn-ips.sh:ro
       - ./generate-firewall.sh:/generate-firewall.sh:ro
-      - iptables:/iptables
+      - iptables:/iptables:rw
     dns: [8.8.4.4, 8.8.8.8]
     cap_add: [NET_ADMIN]
     restart: unless-stopped

diff --git a/generate-firewall.sh b/generate-firewall.sh
@@ -72,6 +72,15 @@ fi
 : ${IPTABLES_FILE_V4:="/tmp/iptables.txt"}
 : ${IPTABLES_FILE_V6:="/tmp/ip6tables.txt"}
 
+# For the first run (insta-block), block ourselves without initial state/cache,
+# and do not produce no side-effects in the real firewall/network containers.
+if [[ ${1:-} == initial ]]; then
+  IPTABLES_FILE_V4=/tmp/null4
+  IPTABLES_FILE_V6=/tmp/null6
+  ALLOWED_IPS_FILE=
+  ALLOWED_IPS_DIR=
+fi
+
 echo "Generating the firewall rules..."
 
 # Block anything by default, even if there is no single rule.