
tam7t / droplan

Licence: MIT license
Manage iptables rules for the private interface on DigitalOcean droplets

Programming Languages

Go, Makefile, shell


droplan

DigitalOcean Firewalls!

Exciting news! DigitalOcean now has a native firewall option that integrates well with tagging. Please consider using that instead of droplan!

https://blog.digitalocean.com/cloud-firewalls-secure-droplets-by-default/

About

This utility helps secure the network interfaces on DigitalOcean droplets by adding iptables rules that only allow traffic from your other droplets. droplan queries the DigitalOcean API for the current peer addresses and updates the iptables rules automatically.

Installation

The latest release is available on the GitHub releases page.

You can set up a cron job in /etc/cron.d that runs droplan every 5 minutes (a read-only API token is sufficient):

*/5 * * * * root PATH=/sbin DO_KEY=READONLY_KEY /usr/local/bin/droplan >/var/log/droplan.log 2>&1

Usage

DO_KEY=<read_only_api_token> /path/to/droplan

The iptables rules added by droplan are equivalent to:

-N droplan-peers # create a new chain
-A INPUT -i eth1 -j droplan-peers # add chain to private interface
-A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -j DROP # add default DROP rule to private interface
-A droplan-peers -s <PEER>/32 -j ACCEPT # allow traffic from PEER ip address

Tags

Access can be limited to a subset of droplets using tags. Setting the DO_TAG environment variable tells droplan to only allow traffic from droplets that carry the specified tag.

Public Interface

Set the PUBLIC=true environment variable and droplan will also maintain a droplan-peers-public chain holding the public IP addresses of your peers, and add a default DROP rule to the eth0 interface.

NOTE: This will prevent you from being able to SSH directly into your droplet.
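As an added illustration (not droplan's own code), the following shows how a periodic run can reconcile the chain described under Usage against the API's current peer list, for both the private eth1/droplan-peers chain and the PUBLIC=true eth0/droplan-peers-public chain. The function names, the sample addresses and the reconcile-by-diff approach are assumptions; rules are rendered as iptables argument strings rather than applied.

```go
package main

import (
	"fmt"
	"net"
)

// BaselineRules renders the per-interface rules from the README listing; private
// mode is eth1/droplan-peers, PUBLIC=true adds eth0/droplan-peers-public.
func BaselineRules(iface, chain string) []string {
	return []string{
		"-N " + chain,
		"-A INPUT -i " + iface + " -j " + chain,
		"-A INPUT -i " + iface + " -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
		"-A INPUT -i " + iface + " -j DROP",
	}
}

// ReconcilePeers diffs peer IPs already in the chain against what the API reports
// now: ACCEPT rules to add for new peers, rules to delete for peers that went away.
// Non-IPv4 values are skipped so a malformed API entry never becomes a rule.
func ReconcilePeers(chain string, current, desired []string) (add, del []string) {
	have, want := map[string]bool{}, map[string]bool{}
	for _, ip := range current {
		have[ip] = true
	}
	for _, s := range desired {
		ip := net.ParseIP(s)
		if ip == nil || ip.To4() == nil || want[ip.String()] {
			continue // malformed, IPv6 or duplicate
		}
		want[ip.String()] = true
		if !have[ip.String()] {
			add = append(add, fmt.Sprintf("-A %s -s %s/32 -j ACCEPT", chain, ip))
		}
	}
	for _, ip := range current {
		if !want[ip] {
			del = append(del, fmt.Sprintf("-D %s -s %s/32 -j ACCEPT", chain, ip))
		}
	}
	return add, del
}

func main() { // constructed sample: one peer gone, one new, one malformed
	add, del := ReconcilePeers("droplan-peers", []string{"10.132.0.5", "10.132.0.9"},
		[]string{"10.132.0.5", "10.132.0.12", "not-an-ip"})
	fmt.Println(BaselineRules("eth1", "droplan-peers"), del, add)
}
```

Applying the deletes before the adds keeps the chain free of stale ACCEPT rules between runs, which is the property a 5-minute cron or DO_INTERVAL loop relies on.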

Development

Dependencies

Dependencies are vendored with govendor.

Build

A Makefile is included with the following targets:

  • test - runs unit tests
  • build - builds droplan on the current platform
  • release - builds releasable artifacts

Docker image:

We provide a prebuilt Docker image.

Example usage:

docker run -d --restart=always --net=host --cap-add=NET_ADMIN -e DO_KEY=$your_digitalocean_api_key -e DO_INTERVAL=300 tam7t/droplan
  • -d --restart=always starts the container in the background and restarts it on error (and on reboot)
  • --net=host is required because the rules must be applied to the host's firewall, not the container's
  • --cap-add=NET_ADMIN grants the capability needed to change the host's firewall rules
  • -e DO_INTERVAL=300 sets the delay (in seconds) between droplan invocations (default: execute once and exit)
  • you have to specify your DigitalOcean API key (using -e DO_KEY)
  • you can add -e PUBLIC=true or -e DO_TAG=tagname as described above
  • to run droplan immediately (i.e. skip the 5 minute delay between invocations), simply run docker restart $container-name