tam7t / droplan
Manage iptables rules for the private interface on DigitalOcean droplets
License: MIT License
Rules applied by droplan seem to be pre-empted by Docker iptables rules (at least on CoreOS).
DigitalOcean now supports tagged droplets. It would be nice for droplan to support using these tags to control access.
One thought would be for droplan to accept (one or more?) tags for droplets that have access to the box.
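One way the tag idea above could be turned into a peer list. This is an added example, not droplan's code: it decodes the droplet listing returned by DigitalOcean's API (only the `tags` and `networks.v4[].type` fields are used; treat the exact JSON shape as an assumption) and keeps the private IPv4 addresses of droplets carrying at least one allowed tag. The listing embedded at the bottom is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// dropletList decodes only the fields of the API v2 droplet listing that the
// filter needs. The field names are an assumption of this example.
type dropletList struct {
	Droplets []struct {
		ID       int      `json:"id"`
		Name     string   `json:"name"`
		Tags     []string `json:"tags"`
		Networks struct {
			V4 []struct {
				IPAddress string `json:"ip_address"`
				Type      string `json:"type"`
			} `json:"v4"`
		} `json:"networks"`
	} `json:"droplets"`
}

// PrivatePeersByTag returns the sorted, de-duplicated private IPv4 addresses of
// every droplet in the listing that carries at least one of allowedTags.
// Droplets with no matching tag, or no private address, are skipped, so a box
// is never opened to a neighbour just because it lives in the same account.
func PrivatePeersByTag(listing []byte, allowedTags []string) ([]string, error) {
	var list dropletList
	if err := json.Unmarshal(listing, &list); err != nil {
		return nil, fmt.Errorf("decode droplet listing: %w", err)
	}
	allowed := make(map[string]bool, len(allowedTags))
	for _, t := range allowedTags {
		allowed[t] = true
	}
	seen := map[string]bool{}
	for _, d := range list.Droplets {
		matched := false
		for _, t := range d.Tags {
			if allowed[t] {
				matched = true
				break
			}
		}
		if !matched {
			continue
		}
		for _, n := range d.Networks.V4 {
			if n.Type == "private" && n.IPAddress != "" {
				seen[n.IPAddress] = true
			}
		}
	}
	peers := make([]string, 0, len(seen))
	for ip := range seen {
		peers = append(peers, ip)
	}
	sort.Strings(peers)
	return peers, nil
}

// SampleListing is a constructed API response (not real data): two "web"
// droplets, one "db" droplet and one untagged droplet with no private address.
const SampleListing = `{"droplets":[
 {"id":1,"name":"web-1","tags":["web"],"networks":{"v4":[
   {"ip_address":"203.0.113.10","type":"public"},{"ip_address":"10.132.0.5","type":"private"}]}},
 {"id":2,"name":"web-2","tags":["web","canary"],"networks":{"v4":[
   {"ip_address":"203.0.113.11","type":"public"},{"ip_address":"10.132.0.9","type":"private"}]}},
 {"id":3,"name":"db-1","tags":["db"],"networks":{"v4":[
   {"ip_address":"10.132.0.20","type":"private"}]}},
 {"id":4,"name":"scratch","tags":[],"networks":{"v4":[
   {"ip_address":"203.0.113.12","type":"public"}]}}
]}`

func main() {
	peers, err := PrivatePeersByTag([]byte(SampleListing), []string{"web"})
	if err != nil {
		panic(err)
	}
	fmt.Println(peers) // [10.132.0.5 10.132.0.9]
}
```

The resulting slice is what a rule builder would feed into the chain; filtering on the `private` network type matters because the same listing also carries public addresses, which should never end up in a rule meant for the private interface.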
Hi @tam7t
I had a quick look at the code, and it seems to me that you only append rules to the chain.
Droplets are ephemeral, so we will end up with a lot of allowed droplets, even after we have destroyed them and they already belong to Eve.
Regards, B.
In conjunction with #20, it would be cool if we could also allow access to users coming from a certain IP address. You could even do something like:
ALLOWED_ACCESS=EXTERNAL_IP:HOST_PORT,EXTERNAL_IP:HOST_PORT
Add a CoreOS cloud-config example.
Re: the TODO on pruning peers without causing downtime, what about the functional equivalent of:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
I don't know that this entirely solves the problem, but it feels like it might mitigate somewhat. I'm also working with a pretty cursory actual knowledge of iptables here, so feel free to dismiss this notion out of hand. :)
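The two issues above (rules only ever appended, and pruning peers without downtime) share one fix: reconcile the chain against the desired peer set instead of appending or flushing. This is an added example, not droplan's code. It parses `iptables -S <chain>` output, emits only the adds and deletes needed, and inserts the conntrack ESTABLISHED,RELATED rule at position 1 if it is missing. The chain name `droplan-peers` and the sample dump are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Plan is an ordered list of iptables argument vectors, each one a call such
// as `iptables -A droplan-peers -s 10.132.0.5 -j ACCEPT`. Returning the plan
// rather than executing it keeps the logic testable and allows a dry run.
type Plan [][]string

// parseChain reads `iptables -S <chain>` output (one rule per line) and
// returns the set of source addresses currently ACCEPTed in the chain, plus
// whether the conntrack ESTABLISHED,RELATED rule is already present.
func parseChain(dump, chain string) (peers map[string]bool, hasConntrack bool) {
	peers = map[string]bool{}
	for _, line := range strings.Split(dump, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || f[0] != "-A" || f[1] != chain {
			continue // "-N chain" header, other chains, blank lines
		}
		if strings.Contains(strings.Join(f, " "), "--ctstate ESTABLISHED,RELATED") {
			hasConntrack = true
			continue
		}
		for i := 2; i+1 < len(f); i++ {
			if f[i] == "-s" {
				// iptables -S prints single hosts as a.b.c.d/32
				peers[strings.TrimSuffix(f[i+1], "/32")] = true
			}
		}
	}
	return peers, hasConntrack
}

// Reconcile computes the minimal change set that makes the chain allow exactly
// `desired`. The chain is never flushed, so there is no window with no rules;
// the conntrack rule goes first so in-flight connections survive a rule
// rewrite; adds are emitted before deletes so a still-valid peer is never
// briefly unreachable while the plan is applied.
func Reconcile(dump, chain string, desired []string) Plan {
	current, hasConntrack := parseChain(dump, chain)
	var plan Plan
	if !hasConntrack {
		plan = append(plan, []string{"-I", chain, "1", "-m", "conntrack",
			"--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"})
	}
	want := make(map[string]bool, len(desired))
	for _, ip := range desired {
		want[ip] = true
	}
	var toAdd, toDel []string
	for ip := range want {
		if !current[ip] {
			toAdd = append(toAdd, ip)
		}
	}
	for ip := range current {
		if !want[ip] {
			toDel = append(toDel, ip) // stale: droplet gone, IP may now belong to someone else
		}
	}
	sort.Strings(toAdd)
	sort.Strings(toDel)
	for _, ip := range toAdd {
		plan = append(plan, []string{"-A", chain, "-s", ip, "-j", "ACCEPT"})
	}
	for _, ip := range toDel {
		plan = append(plan, []string{"-D", chain, "-s", ip, "-j", "ACCEPT"})
	}
	return plan
}

// SampleDump is constructed `iptables -S droplan-peers` output: two peers
// allowed and no conntrack rule yet.
const SampleDump = `-N droplan-peers
-A droplan-peers -s 10.132.0.5/32 -j ACCEPT
-A droplan-peers -s 10.132.0.9/32 -j ACCEPT`

func main() {
	// 10.132.0.9 has been destroyed; 10.132.0.12 is a newly created droplet.
	for _, step := range Reconcile(SampleDump, "droplan-peers", []string{"10.132.0.5", "10.132.0.12"}) {
		fmt.Println("iptables " + strings.Join(step, " "))
	}
}
```

Running the plan a second time against the updated dump yields no steps, which is the property a cron-driven or daemonised run needs: each invocation converges the chain without touching rules that are already right.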
Use just standard table tests instead of the goblin package to make this more idiomatic Go.
In conjunction with #20, it would be cool if we could still allow access to certain ports even when we block traffic overall. For instance, users that want to set up a jumpbox could whitelist port 22 and otherwise have the same config as every other server.
I think it would be nicer to run droplan as a daemon process that continuously ran so that it could better splay out requests to the DigitalOcean API and more gracefully handle throttling.
Hey @tam7t! I'm very excited about this, I've wanted something with this functionality for a while!
I'm curious what your thoughts would be on being able to configure droplan to statically maintain certain ports (say, 80/443 or 22) to be open to everyone. This would allow you to run this on the public and private interfaces and maintain SSH access, run a web server, etc.
I don't think this would be super hard to add, but it might make configuration a little more complex than it is now. Thoughts?
Also, happy to do a proof of concept sometime this week if this passes muster.
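Both the `ALLOWED_ACCESS=EXTERNAL_IP:HOST_PORT,...` proposal earlier in this list and the request here for statically open ports can be served by one small parser. This is an added example, not droplan's code: the `IP:PORT` form is the one proposed above, the bare `PORT` form (open to any source) is this example's own addition, and the chain name `droplan-external` and TCP-only rendering are assumptions. Hostnames are rejected on purpose: iptables resolves a name once at rule-insertion time, which would let a DNS answer silently become firewall policy.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// AllowRule is one static hole in the default-deny policy: traffic to Port
// from Source, or from anywhere when Source is nil.
type AllowRule struct {
	Source net.IP
	Port   int
}

// ParseAllowedAccess parses a comma-separated list of entries in two forms:
//
//	"EXTERNAL_IP:HOST_PORT"  allow only that source address to that port
//	"HOST_PORT"              allow any source to that port (jumpbox / web case)
//
// IPv6 sources use the usual bracketed form, e.g. "[2001:db8::1]:22".
func ParseAllowedAccess(spec string) ([]AllowRule, error) {
	var rules []AllowRule
	for _, field := range strings.Split(spec, ",") {
		field = strings.TrimSpace(field)
		if field == "" {
			continue
		}
		host, portStr := "", field
		if _, err := strconv.Atoi(field); err != nil {
			// Not a bare port, so it must be host:port.
			var splitErr error
			if host, portStr, splitErr = net.SplitHostPort(field); splitErr != nil {
				return nil, fmt.Errorf("entry %q: %w", field, splitErr)
			}
		}
		port, err := strconv.Atoi(portStr)
		if err != nil || port < 1 || port > 65535 {
			return nil, fmt.Errorf("entry %q: port must be 1-65535", field)
		}
		rule := AllowRule{Port: port}
		if host != "" {
			if rule.Source = net.ParseIP(host); rule.Source == nil {
				return nil, fmt.Errorf("entry %q: source must be a literal IP address, not a hostname", field)
			}
		}
		rules = append(rules, rule)
	}
	return rules, nil
}

// IptablesArgs renders the rule as arguments for `iptables`, appended to chain.
// Only TCP is generated; protocol selection is an assumption of this example.
func (r AllowRule) IptablesArgs(chain string) []string {
	args := []string{"-A", chain}
	if r.Source != nil {
		args = append(args, "-s", r.Source.String())
	}
	return append(args, "-p", "tcp", "--dport", strconv.Itoa(r.Port), "-j", "ACCEPT")
}

func main() {
	// Constructed input: an admin host on 22, a database client on 5432, HTTPS open to all.
	rules, err := ParseAllowedAccess("203.0.113.10:22, 198.51.100.7:5432, 443")
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Println("iptables " + strings.Join(r.IptablesArgs("droplan-external"), " "))
	}
}
```

Because every entry is validated before any rule is rendered, a single malformed entry rejects the whole spec rather than leaving the chain half-populated with an unintended open port.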
Love droplan.
Is it possible to include DO Load Balancers to the list of allowed IPs? That'd really help!
Thanks,
Adam
Very minor thing, but many systems don't come with unzip preinstalled. Detailed instructions could skip one step if there was a release .tar.gz / .gz / .bz2. (I s'pose there's not much point in tarring it up since it's literally a single file...)
Following a reboot it may take up to 5 minutes (if using the cron method) for iptables rules to be applied, leaving the droplet unprotected.
This may not be obvious to users of droplan, and it would be nice if (as part of running droplan as a service) that risk could be reduced.
I have a use case where I need to have services listening on an external interface so that I can properly reference them across each server. In AWS, you could simply have the interface be 0.0.0.0 and block all traffic that is not within the security group attached to an instance.
In the ideal case, we could block all traffic that isn't coming from any of our instances' IPs and then just use a jumpbox when attempting to access those servers. Perhaps a second chain like droplan-external-peers could be used in this case?