fickit: Allow remote-sync IP in firewall

nemunaire 2024-03-24 21:22:35 +01:00
parent 3f0e0536b9
commit b4ec736948
2 changed files with 8 additions and 3 deletions


@ -9,7 +9,8 @@ export IP_FIC_SRS_FR=$(host ${DOMAIN_NAME} | grep -o '\([0-9]\{1,3\}.\)\+')
export IPS_BACKEND="192.168.3.92/24\\n192.168.4.92/24\\n"
export IP_BACKEND_ROUTER="192.168.3.1"
export AIRBUS_BASEURL="https://..."
export AIRBUS_DESTINATION="..."
export AIRBUS_BASEURL="https://${AIRBUS_DESTINATION}/api"
export AIRBUS_TOKEN="abcdef0123456789abcdef0123456789"
export AIRBUS_SESSION_NAME="Forensique"
@ -145,6 +146,10 @@ TEMPLATE='
"perm": "0444",
"content": "${AIRBUS_BASEURL}"
},
"destination": {
"perm": "0444",
"content": "${AIRBUS_DESTINATION}"
},
"token": {
"perm": "0444",
"content": "${AIRBUS_TOKEN}"
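Review bot: AIRBUS_DESTINATION now has two consumers with different syntax requirements — it is spliced into `AIRBUS_BASEURL="https://${AIRBUS_DESTINATION}/api"` and, through the `destination` entry added here, is presumably the value the frontal firewall later reads as its iptables `-d` argument — so a value carrying a scheme, port or path would still build a valid URL but an invalid firewall match, and nothing in the hunk documents that constraint. A comment above the definition, e.g. `# bare host or IP only (no scheme/port/path): also used verbatim as an iptables -d match`, would make that explicit. Like its neighbours the value is interpolated unescaped into the template's `"content"` string, so a value containing `"` or `\` would presumably break the generated file; the same caveat could go in the comment. The TEMPLATE string named in the hunk header begins before this hunk and continues past its last line.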


@ -121,10 +121,11 @@ onboot:
- name: firewall-frontal
image: linuxkit/ip:v1.0.0
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-frontal.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6" ]
command: ["/bin/bash", "-c", "/sbin/iptables-restore < /etc/iptables/rules-frontal.v4; /sbin/ip6tables-restore < /etc/iptables/rules.v6; [ -f /run/config/remote_sync/destination ] && /sbin/iptables -I OUTPUT 7 -o bond-frontal -d $(cat /run/config/remote_sync/destination | tr -d '\n') -p tcp -m tcp --dport https -J ACCEPT;" ]
binds:
- /etc/iptables/rules-frontal.v4:/etc/iptables/rules-frontal.v4:ro
- /etc/iptables/rules.v6:/etc/iptables/rules.v6:ro
- /run/config/remote_sync/:/run/config/remote_sync/:ro
net: /run/netns/nginx
- name: firewall-sshd
image: linuxkit/ip:v1.0.0
@ -468,7 +469,6 @@ files:
[0:0] -A OUTPUT -o bond-frontal -p udp -m udp --sport domain -j ACCEPT
[0:0] -A OUTPUT -o bond-frontal -d 9.9.9.9 -p udp -m udp --dport domain -j ACCEPT
[0:0] -A OUTPUT -o bond-frontal -d 9.9.9.9 -p tcp -m tcp --dport domain -j ACCEPT
[0:0] -A OUTPUT -o bond-frontal -d 94.23.5.143 -p tcp -m tcp --dport https -j ACCEPT
[0:0] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.3 -p tcp -m conntrack --ctstate NEW -m tcp --dport 8080 -j ACCEPT
[0:0] -A OUTPUT -o vethin-nginx -d 172.17.1.4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 5556 -j ACCEPT
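Review bot: The rule inserted by the new firewall-frontal command can never be installed as written, because iptables has no `-J` option — the jump flag is lowercase `-j` — so the call fails with an unknown-option error, the ACCEPT for the remote-sync host that replaces the removed `94.23.5.143` rule is never added, and the `bash -c` list exits non-zero (how the onboot runner treats that is outside this hunk); the tail should read `--dport https -j ACCEPT`. Two further fragilities deserve a comment on the command: the hard-coded position `-I OUTPUT 7` silently lands the rule in the wrong place as soon as rules-frontal.v4 gains or loses a rule above it, and if `remote_sync/destination` holds a hostname rather than an address — the other file builds `https://${AIRBUS_DESTINATION}/api` from it — iptables resolves it once at insert time, which needs DNS to be reachable this early in onboot and pins whichever address it got. Writing the guard as `[ ! -f /run/config/remote_sync/destination ] || /sbin/iptables …` would also keep a missing destination file from turning the step's exit status non-zero.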