From a3a621acd5c2f5abd1dd810369dc7b254bd9d722 Mon Sep 17 00:00:00 2001 From: marcorealacci Date: Tue, 28 Jan 2025 17:58:51 +0100 Subject: [PATCH 1/7] Improve title --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 78fcfc7..a20d100 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Docker Magic Firewall Service: README.md +# Docker Magic Firewall Service ## Project Overview From 733c53899ddf131406a679253136367758620daa Mon Sep 17 00:00:00 2001 From: marcorealacci Date: Tue, 28 Jan 2025 23:09:27 +0100 Subject: [PATCH 2/7] Update title --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a20d100..62b106a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Docker Magic Firewall Service +# Docker Magic Firewall ## Project Overview From 021c4ca4de444a0cdda276cd1dc0873a702cae10 Mon Sep 17 00:00:00 2001 From: Marco Realacci Date: Sat, 15 Mar 2025 03:23:49 +0100 Subject: [PATCH 3/7] Update project structure # Conflicts: # README.md --- .forgejo/workflows/build.yml | 73 ++++++++++++++++++++++++++++++++++++ README.md | 7 +++- main.py => src/magicfw.py | 1 + systemd/magicfw.service | 2 +- 4 files changed, 81 insertions(+), 2 deletions(-) create mode 100644 .forgejo/workflows/build.yml rename main.py => src/magicfw.py (99%) diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml new file mode 100644 index 0000000..8dacf58 --- /dev/null +++ b/.forgejo/workflows/build.yml 
@@ -0,0 +1,73 @@ +name: Build and Publish Debian Package + +#on: [push] + +on: + push: + tags: + - "v*" + +env: + DISTRIBUTION: bookworm + COMPONENT: main + +jobs: + build: + runs-on: docker + container: + image: catthehacker/ubuntu:act-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + # - name: Debug file structure + # run: ls -R + + # - name: Debug pwd + # run: pwd + + - name: Set up Python + uses: actions/setup-python@v4 + with: + python-version: '3.13' + + - name: Install FPM dependencies + run: | + sudo apt-get update + sudo apt-get install -y ruby ruby-dev build-essential + sudo gem install --no-document fpm + + - name: Prepare package structure + run: | + # Create temporary packaging directory + mkdir -p package/usr/local/bin + mkdir -p package/etc/systemd/system + # Copy magicfw.py as the executable and rename if needed + cp src/magicfw.py package/usr/local/bin/magicfw + chmod +x package/usr/local/bin/magicfw + # Copy the systemd service file + cp systemd/magicfw.service package/etc/systemd/system/ + + - name: Generate version number + run: | + VERSION=$(git describe --tags --abbrev=0 2>/dev/null | sed 's/^v//') + echo "VERSION=$VERSION" >> $GITHUB_ENV + + - name: Build Debian package with FPM + run: | + # The -s dir option tells FPM the source is a directory. + # The -t deb option builds a deb package. + # -n is the package name and -v the version. + fpm -s dir -t deb -n magicfw-docker -v $VERSION -C package \ + -d "python3" \ + -d "python3-docker" + + - name: Upload to Forgejo Debian Registry + env: + FORGEJO_TOKEN: ${{ secrets.FORGEJO_TOKEN }} + run: | + PACKAGE_NAME="magicfw-docker_${VERSION}_amd64.deb" # Update version accordingly + + curl --user "your_username:$FORGEJO_TOKEN" \ + --upload-file ./${PACKAGE_NAME} \ + "https://git.marcorealacci.me/api/packages/${{ github.repository_owner }}/debian/pool/${{env.DISTRIBUTION}}/${{env.COMPONENT}}/upload" \ No newline at end of file 
diff --git a/README.md b/README.md index 62b106a..b70179a 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Docker Magic Firewall +# Docker Magic Firewall Service: README.md ## Project Overview @@ -28,6 +28,11 @@ You can define rules per container using specific Docker labels: - **Automatic Rule Cleanup:** When a container is restarted, stopped, or removed, the corresponding firewall rules are automatically cleaned. - **Support for Published Ports:** Rules are auto-generated for any published ports, restricting incoming traffic to only the ports explicitly exposed via Docker. +## Install +To make the installation easy, I provide a package for Debian-based distros, follow the instructions here: [https://git.marcorealacci.me/marcorealacci/-/packages/debian/magicfw-docker](https://git.marcorealacci.me/marcorealacci/-/packages/debian/magicfw-docker) + +To install the script manually, the required dependencies are `python3` and the `docker` library available from PyPI (`pip3 install docker`). + ## Configuration ### Environment Variables diff --git a/main.py b/src/magicfw.py similarity index 99% rename from main.py rename to src/magicfw.py index 619a415..cefe783 100644 --- a/main.py +++ b/src/magicfw.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python3 import os import json import logging diff --git a/systemd/magicfw.service b/systemd/magicfw.service index bede43d..a769714 100644 --- a/systemd/magicfw.service +++ b/systemd/magicfw.service @@ -10,7 +10,7 @@ StartLimitBurst=10 Type=exec Restart=on-failure RestartSec=5s -ExecStart=/usr/bin/python3 /opt/docker_magicfw.py +ExecStart=/usr/local/bin/magicfw # Environment variables (customize as needed) Environment=LOG_LEVEL=INFO From 29aebce7aeb7132f62ef35728137e7e5ab7b895d Mon Sep 17 00:00:00 2001 From: marcorealacci Date: Sat, 15 Mar 2025 12:38:01 +0100 Subject: [PATCH 4/7] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index b70179a..910d929 100644 
--- a/README.md +++ b/README.md @@ -20,11 +20,11 @@ You can define rules per container using specific Docker labels: | **Label Key** | **Description** | **Default** | |----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|-------------| | `magicfw.firewall.allow_icc` | Enables communication between the container and other containers on different Docker networks (not normally possible in Docker environments). | `false` | -| `magicfw.firewall.allow_external` | Enables access to external networks (e.g., the internet) for the container. | `false` | +| `magicfw.firewall.allow_external` | Enables access from external networks (e.g., the internet) for the container. | `false` | ### Behavior and Functionalities - **Allow ICC (Inter-Container Communication):** When `magicfw.firewall.allow_icc` is `true`, the container can communicate with other containers across **different Docker networks** (useful for applications like reverse proxies such as Traefik). If `false`, the container is isolated from other Docker networks (default Docker behavior). -- **External Traffic:** When `magicfw.firewall.allow_external` is `true`, the container's network rules allow communication with external IPs. +- **External Traffic:** When `magicfw.firewall.allow_external` is `true`, the container's network rules allow communication from external networks (useful when NAT is disabled). - **Automatic Rule Cleanup:** When a container is restarted, stopped, or removed, the corresponding firewall rules are automatically cleaned. - **Support for Published Ports:** Rules are auto-generated for any published ports, restricting incoming traffic to only the ports explicitly exposed via Docker. From 4c377a124b746e7a8712dee3817c3a3ffc6e0617 Mon Sep 17 00:00:00 2001 
From: marcorealacci Date: Sat, 15 Mar 2025 12:43:54 +0100 Subject: [PATCH 5/7] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 910d929..dcf02d4 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Docker Magic Firewall Service: README.md +# Docker Magic Firewall Service ## Project Overview From b1d05cf84cf140bd8a98a29e0f8572f29789f423 Mon Sep 17 00:00:00 2001 From: marcorealacci Date: Sun, 16 Mar 2025 16:02:33 +0100 Subject: [PATCH 6/7] Update examples --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index dcf02d4..97ffbef 100644 --- a/README.md +++ b/README.md @@ -61,8 +61,6 @@ services: labels: magicfw.firewall.allow_icc: "true" magicfw.firewall.allow_external: "true" - ports: - - 8080:80 ``` In the above example: From c37a1d23bf44d7ba52d3affd3f5348f3d69729f8 Mon Sep 17 00:00:00 2001 From: marcorealacci Date: Sun, 16 Mar 2025 16:05:56 +0100 Subject: [PATCH 7/7] Improve examples --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 97ffbef..70a6fbf 100644 --- a/README.md +++ b/README.md @@ -65,7 +65,7 @@ services: In the above example: - The `web` container can communicate with other containers on different Docker networks (`magicfw.firewall.allow_icc: true`). -- The container can be accessed by external hosts using the container's IP (`magicfw.firewall.allow_external: true`). +- The container can be accessed by external hosts using the container's IP (**not host IP!**) (`magicfw.firewall.allow_external: true`). This requires a route on other hosts or the router. #### Example 2 ```yaml 
@@ -95,7 +95,7 @@ services: In the above example: - The `web` container can communicate with other containers on different Docker networks (`magicfw.firewall.allow_icc: true`). -- External hosts can access the container via both :80 and :8080 (port mapping still works even with DISABLE_NAT) +- External hosts can access the container via both :80 and :8080 (port mapping still works even with `DISABLE_NAT` set to `true`, as only Source NAT will be disabled) - External hosts will not be able to access the container on ports other than 80 ---
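Review bot: the upload step in the `.forgejo/workflows/build.yml` hunk (PATCH 3/7) still carries the placeholder `curl --user "your_username:$FORGEJO_TOKEN"`, so the publish is attempted with a wrong username, and because the call has no `--fail` (or `--fail-with-body`) curl exits 0 on a 401 or 409 from the registry and the job stays green with no package uploaded; take the user from the workflow context (e.g. `${{ github.repository_owner }}`, which the URL already uses) or a second secret, and make curl fail on HTTP errors. Three further points in the same hunk. `actions/checkout@v3`, `actions/setup-python@v4`, the `catthehacker/ubuntu:act-latest` image and `sudo gem install --no-document fpm` are all resolved from mutable tags, so a release build pulls whatever those names point to on the day; pinning the actions to a commit SHA, the image to a digest and fpm to a version (`gem install fpm -v X.Y.Z`, version to be chosen) makes the artifact reproducible and narrows the supply-chain exposure of a step that holds a registry token. `VERSION=$(git describe --tags --abbrev=0 2>/dev/null | sed 's/^v//')` hides the failure case, so an empty `VERSION` flows silently into `fpm -v` and into `PACKAGE_NAME`; guard it with `[ -n "$VERSION" ] || exit 1`. Finally, the package lays files into `/usr/local/bin` and `/etc/systemd/system`, which the FHS and Debian policy reserve for the local administrator; `/usr/bin` and `/lib/systemd/system` are the locations for files shipped by a .deb, and since the payload is a Python script, `fpm -a all` would also remove the hardcoded `_amd64` from the file name.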
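Review bot: the first README hunk in PATCH 3/7 (`@@ -1,4 +1,4 @@`) puts the title back to `# Docker Magic Firewall Service: README.md`, the exact text PATCH 1/7 removed; the `# Conflicts: # README.md` line in the message suggests a leftover from conflict resolution, and PATCH 5/7 then has to undo it. Resolving the conflict in favour of the shorter title in 3/7 (or squashing 3/7 and 5/7) keeps the series free of an intermediate commit that ships the stray `: README.md` suffix.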
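Review bot: in the `systemd/magicfw.service` hunk, `ExecStart=/usr/local/bin/magicfw` matches where the workflow copies the script, but the unit is now installed by the package, so the `Environment=LOG_LEVEL=INFO` line under `# Environment variables (customize as needed)` is overwritten on every upgrade and no longer a sensible place to customize anything. Keep site-specific values out of the shipped unit and point users at `EnvironmentFile=-/etc/default/magicfw` (the leading `-` makes a missing file harmless) or `systemctl edit magicfw` instead.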
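Review bot: the hunk in PATCH 4/7 flips the documented direction of `magicfw.firewall.allow_external` from "access to external networks" (egress) to "access from external networks" (ingress), which is a change of meaning rather than a wording fix, and the label name alone does not say which direction it gates. The table row should state explicitly that the label controls inbound reachability of the container and say whether outbound traffic is affected at all, so a reader who knew the old wording does not keep treating it as an egress switch; "useful when NAT is disabled" could also name the `DISABLE_NAT` variable it refers to.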
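Review bot: the second hunk in PATCH 7/7 now names `DISABLE_NAT` and says only source NAT is disabled, which is the detail that explains why port mapping keeps working; a cross-reference to the `### Environment Variables` section where the variable is defined would let the reader find how to set it. Stating in the same bullet that with source NAT off external hosts reach the container IP rather than the host IP would tie it to the route requirement added in the first hunk of this patch.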