tam7t / droplan Goto Github PK

rules applied by droplan seem to be pre-empted by docker iptable rules (at least on coreos)

digitalocean now supports tagged droplets. It would be nice for droplan to support using these tags to control access.

One thought would be for droplan to accept (one or more?) tags for droplets that have access to the box.

Hi @tam7t

I had a quick look ad the code, and it seems to me that you only append rules to the chain.
Droplets are ephemeral, so we will end up with a lot of allowed droplets, even after we have destroyed them and they already belong to Eve.

Regards, B.

In conjunction with #20, it would be cool if we could also allow access to users coming from a certain IP address. You could even do something like:

ALLOWED_ACCESS=EXTERNAL_IP:HOST_PORT,EXTERNAL_IP:HOST_PORT

add a coreos cloud-config example

Re: the TODO on pruning peers without causing downtime, what about the functional equivalent of:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

I don't know that this entirely solves the problem, but it feels like it might mitigate somewhat. I'm also working with a pretty cursory actual knowledge of iptables here, so feel free to dismiss this notion out of hand. :)

Use just standard table tests instead of the goblin package to make this more idiomatic go.

In conjunction with #20, it would be cool if we could still allow access to certain ports even when we block traffic overall. For instance, users that want to setup a jumpbox could whitelist port 22 and otherwise have the same config as every other server.

I think it would be nicer to run droplan as a daemon process that continuously ran so that it could better splay out requests to the digitalocean api and more gracefully handle throttling.

Hey @tam7t! I'm very excited about this, I've wanted something with this functionality for a while!

I'm curious what your thoughts would be on being able to configure droplan to statically maintain certain ports (say, 80/443 or 22) to be open to everyone. This would allow you to run this on the public and private interfaces and maintain SSH access, run a web server, etc.

I don't think this would be super hard to add, but it might make configuration a little more complex than it is now. Thoughts?

Also, happy to do a proof of concept sometime this week if this passes muster.

Love droplan.
Is it possible to include DO Load Balancers to the list of allowed IPs? That'd really help!

Thanks,
Adam

Very minor thing, but many systems don't come with unzip preinstalled. Detailed instructions could skip one step if there was a release .tar.gz / .gz / .bz2. (I s'pose there's not much point in tarring it up since it's literally a single file...)

Following a reboot it may take up to 5 minutes (if using the cron method) for iptable rules to be applied, leaving the droplet unprotected.

This may not be obvious to users of droplan and it would be nice if (as part of running droplan as a service) that risk could be reduced.

I have a use case where I need to have services listening on an external interface so that I can properly reference them across each server. In AWS, you could simply have the interface be 0.0.0.0 and block all traffic that is not within the security group attached to an instance.

In the ideal case, we could block all traffic that isn't coming from any of our instances IPs and then just use a jumpbox when attempting to access those servers. Perhaps a second chain like droplan-external-peers could be used in this case?