From 808685f2f115561f4a2707e04b03de9d0b1cfb88 Mon Sep 17 00:00:00 2001
From: Julien Kassar
Date: Tue, 21 Jul 2015 23:53:29 -0400
Subject: [PATCH] Initial commit
---
README.md | 1 +
csfpost.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 45 insertions(+)
create mode 100644 README.md
create mode 100644 csfpost.sh
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7f99c71
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+# ConfigServer Security & Firewall (CSF) - Docker
diff --git a/csfpost.sh b/csfpost.sh
new file mode 100644
index 0000000..839be05
--- /dev/null
+++ b/csfpost.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+
+DOCKER_INT="docker0"
+DOCKER_NETWORK="172.17.0.0/16"
+
+iptables -N DOCKER
+iptables -t nat -N DOCKER
+
+iptables -A FORWARD -o ${DOCKER_INT} -j DOCKER
+iptables -A FORWARD -o ${DOCKER_INT} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+iptables -A FORWARD -i ${DOCKER_INT} ! -o ${DOCKER_INT} -j ACCEPT
+iptables -A FORWARD -i ${DOCKER_INT} -o ${DOCKER_INT} -j ACCEPT
+
+iptables -t nat -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+iptables -t nat -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+iptables -t nat -A POSTROUTING -s ${DOCKER_NETWORK} ! -o ${DOCKER_INT} -j MASQUERADE
+
+containers=`docker ps -q`
+
+if [ `echo ${containers} | wc -c` -gt "1" ] ; then
+for container in ${containers} ; do
+rules=`docker port ${container} | sed 's/ //g'`
+
+if [ `echo ${rules} | wc -c` -gt "1" ] ; then
+ipaddr=`docker inspect -f "{{.NetworkSettings.IPAddress}}" ${container}`
+
+for rule in ${rules} ; do
+src=`echo ${rule} | awk -F'->' '{ print $2 }'`
+dst=`echo ${rule} | awk -F'->' '{ print $1 }'`
+
+src_ip=`echo ${src} | awk -F':' '{ print $1 }'`
+src_port=`echo ${src} | awk -F':' '{ print $2 }'`
+
+dst_port=`echo ${dst} | awk -F'/' '{ print $1 }'`
+dst_proto=`echo ${dst} | awk -F'/' '{ print $2 }'`
+
+iptables -A DOCKER -d ${ipaddr}/32 ! -i ${DOCKER_INT} -o ${DOCKER_INT} -p ${dst_proto} -m ${dst_proto} --dport ${dst_port} -j ACCEPT
+
+iptables -t nat -A POSTROUTING -s ${ipaddr}/32 -d ${ipaddr}/32 -p ${dst_proto} -m ${dst_proto} --dport ${dst_port} -j MASQUERADE
+iptables -t nat -A DOCKER ! -i ${DOCKER_INT} -p ${dst_proto} -m ${dst_proto} --dport ${src_port} -j DNAT --to-destination ${ipaddr}:${dst_port}
+done
+fi
+done
+fi
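Review bot: The DNAT rule near the end of the hunk discards the host address that `docker port` reports: `src_ip` is parsed from the `host:port` half of each mapping but never used, so a container published as `-p 127.0.0.1:5432:5432` gets a `--dport 5432` DNAT with no `-d` match and becomes reachable on every host interface rather than loopback only. Docker's own rule carries the binding as `-d <ip>/32`; I would mirror that by building the match before the rule, `dnat_dst=""` and `[ "${src_ip}" != "0.0.0.0" ] && dnat_dst="-d ${src_ip}/32"`, then inserting `${dnat_dst}` after `-A DOCKER` in the `iptables -t nat` line (the filter-table `-A DOCKER ... -j ACCEPT` two lines above already matches the post-DNAT container address and needs no change). The same `awk -F':'` split would mis-parse a bracketed IPv6 binding if `docker port` ever prints one, so skipping mappings whose `src_ip` is not a dotted quad would keep a malformed rule from being installed. Separately, a top-of-file comment noting that `iptables -N DOCKER` is expected to report an error when dockerd has already created the chains, and that the script does not flush the `DOCKER` chains before appending, would save the next maintainer from chasing those messages.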