@chris-carneiro
Last active June 29, 2017 12:47
Rate-limit HTTP(S) connections to Docker containers with iptables
Replace firewalld with iptables:
# yum install iptables-services
# yum install ebtables
# yum install ipset-service
# systemctl mask --now firewalld.service // disable firewalld
# systemctl status iptables.service // should be inactive
# systemctl enable --now iptables.service
# systemctl enable --now ip6tables.service
# systemctl enable --now ebtables.service
# systemctl enable --now ipset.service
# systemctl status iptables.service // Check that the iptables service status is active
Create the file /etc/docker/daemon.json with the following content. JSON does not allow comments, so the file must contain exactly this (dockerd refuses to start on a file with // comments). The "debug" key is optional and should be removed in production:
{
  "debug": true,
  "iptables": false
}
"iptables": false stops dockerd from inserting its own rules, so the ruleset written by hand below is the only one in effect. It also means Docker no longer adds the nat-table DNAT rules for published ports (-p) or the MASQUERADE rule for outbound container traffic; those have to be written by hand as well, and the file below only covers the filter table.
Restart docker:
# systemctl restart docker
To read the Docker daemon logs (verbose once debug is enabled):
# journalctl -u docker.service
In /etc/modprobe.d, create the file xt.conf containing this single line (modprobe.d files use # for comments, so nothing else may follow on the line):
options xt_recent ip_pkt_list_tot=30
This raises the number of timestamps xt_recent keeps per address from the default 20 to 30; --hitcount cannot exceed this value, so the 30-per-minute rules below would be rejected without it. The parameter is only read when the module loads, so reload xt_recent. The module cannot be removed while a loaded rule still uses -m recent, so stop the iptables service first (which flushes the rules) if such rules are already active:
# modprobe -r xt_recent && modprobe xt_recent
The active value can be checked afterwards in /sys/module/xt_recent/parameters/ip_pkt_list_tot (readable by root only).
Edit the iptables and ip6tables configuration files to rate-limit new HTTP(S) connections per source IP (30 per minute in our case):
# vi /etc/sysconfig/iptables
Here is the iptables configuration file (IPv4). Replace the placeholders in angle brackets with your own values:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
# Note: iptables-restore only treats whole lines starting with '#' as comments;
# a comment appended to the end of a rule line makes the load fail.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Rate limiting, per source IP: --set records each new connection; --update drops
# the connection once 30 or more were recorded in the last 60 seconds and refreshes
# the timestamp, so a client that keeps hammering stays blocked. Each port uses its
# own list (--name); without it all four rules would share one DEFAULT list and a
# client's HTTP and HTTPS connections would count against the same budget.
# Limits new connections to the HTTPS forward port to 30 per minute
-A INPUT -p tcp --dport <https App forward port> -m conntrack --ctstate NEW -m recent --name https_fwd --set
-A INPUT -p tcp --dport <https App forward port> -m conntrack --ctstate NEW -m recent --name https_fwd --update --seconds 60 --hitcount 30 -j DROP
# Limits new HTTP connections to 30 per minute
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --name http --set
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m recent --name http --update --seconds 60 --hitcount 30 -j DROP
# Limits new connections to the HTTP forward port to 30 per minute
-A INPUT -p tcp --dport <http App forward port> -m conntrack --ctstate NEW -m recent --name http_fwd --set
-A INPUT -p tcp --dport <http App forward port> -m conntrack --ctstate NEW -m recent --name http_fwd --update --seconds 60 --hitcount 30 -j DROP
# Limits new HTTPS connections to 30 per minute
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name https --set
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m recent --name https --update --seconds 60 --hitcount 30 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
# Exposes MySQL to the whole Internet; remove this rule (or restrict it with -s)
# if the database does not need to be reachable from outside.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 3306 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Docker-specific: only these container ports accept new connections from outside.
# The 3306 rule exposes the database container to the Internet like the INPUT rule above.
-A FORWARD -p tcp -m tcp --dport 3306 -d <DB Container IP> -j ACCEPT
-A FORWARD -p tcp -m tcp --dport <Https app forward port> -d <App Container IP> -j ACCEPT
-A FORWARD -p tcp -m tcp --dport <http app forward port> -d <App Container IP> -j ACCEPT
# Forwards traffic from Docker's bridge interface (docker0) out through the network
# interface 'ens160' (replace 'ens160' with your interface)
-A FORWARD -i docker0 -o ens160 -j ACCEPT
# Packets from the Internet to docker0 are only forwarded when they belong to an
# existing connection; an unconditional ACCEPT here would bypass the per-port
# FORWARD rules above and expose every container port.
-A FORWARD -i ens160 -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Save, then reload iptables:
# systemctl reload iptables
Once the rules are loaded, each recent list appears as a file under /proc/net/xt_recent/ (http, https, ...) showing the tracked source addresses; writing / to one of those files clears it, which helps if you lock yourself out while testing.
ip6tables (IPv6)
The file is /etc/sysconfig/ip6tables and the rules are almost the same as the IPv4 configuration: translate the IPv4 addresses to IPv6, use -p ipv6-icmp instead of -p icmp (IPv6 depends on ICMPv6 for neighbour discovery, so it must not be rejected), and use --reject-with icmp6-adm-prohibited in place of icmp-host-prohibited, which ip6tables does not accept. Reload with systemctl reload ip6tables.
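The ruleset above repeats the same --set/--update pair by hand for each port. The following shell script is an added example, not part of the original gist: it generates the pair for any number of ports, giving each its own recent list so the per-IP budgets stay separate, checks --hitcount against the xt_recent ip_pkt_list_tot limit that the modprobe.d step raises, and assembles a complete *filter section for the INPUT chain that can be written to /etc/sysconfig/iptables. The function names, the list names (http, https), the --emit flag and the port list are the example's own choices; the Docker FORWARD rules from the gist still have to be appended to its output.

```shell
#!/bin/sh
# Added example (not from the gist): generate xt_recent rate-limit rules for
# several ports, each with its own recent list, plus the hitcount sanity check.

# ratelimit_rules PORT NAME SECONDS HITCOUNT
# Emits the --set/--update pair for one TCP port. --name gives the port its own
# list under /proc/net/xt_recent/, so its per-IP budget is not shared with the
# other ports (without --name every rule counts into the single DEFAULT list).
ratelimit_rules() {
    local port=$1 name=$2 seconds=$3 hitcount=$4
    echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --set"
    echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m recent --name $name --update --seconds $seconds --hitcount $hitcount -j DROP"
}

# check_hitcount HITCOUNT [IP_PKT_LIST_TOT]
# xt_recent rejects --hitcount values above ip_pkt_list_tot (kernel default 20),
# so the rule load would fail. Pass the value set in /etc/modprobe.d, or leave
# it out to read the live module parameter (root only; falls back to 20).
check_hitcount() {
    local hitcount=$1 tot=${2:-}
    if [ -z "$tot" ]; then
        if [ -r /sys/module/xt_recent/parameters/ip_pkt_list_tot ]; then
            tot=$(cat /sys/module/xt_recent/parameters/ip_pkt_list_tot)
        else
            tot=20
        fi
    fi
    if [ "$hitcount" -gt "$tot" ]; then
        echo "hitcount $hitcount exceeds ip_pkt_list_tot $tot: raise it in /etc/modprobe.d/xt.conf and reload xt_recent" >&2
        return 1
    fi
    return 0
}

# build_ruleset SECONDS HITCOUNT SPEC...
# SPEC is PORT:NAME for a rate-limited port or a bare PORT (e.g. 22) for a port
# that is accepted without limiting. Emits a complete *filter section for the
# INPUT chain; the Docker FORWARD rules from the gist still have to be appended.
build_ruleset() {
    local seconds=$1 hitcount=$2 spec port
    shift 2
    echo '*filter'
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -p icmp -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    # Rate-limit pairs first: the DROP must be evaluated before the ACCEPTs.
    for spec in "$@"; do
        case $spec in
            *:*) ratelimit_rules "${spec%%:*}" "${spec##*:}" "$seconds" "$hitcount" ;;
        esac
    done
    for spec in "$@"; do
        port=${spec%%:*}
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Usage: sh ratelimit.sh --emit > /etc/sysconfig/iptables && systemctl reload iptables
# The ports and list names below are the example's own choices (SSH is accepted
# without limiting so the rule reload cannot lock you out).
if [ "${1:-}" = "--emit" ]; then
    check_hitcount 30 30 || exit 1
    build_ruleset 60 30 22 80:http 443:https
fi
```

Redirect the output to a scratch file first and run `iptables-restore --test` on it to catch syntax problems before touching /etc/sysconfig/iptables. The check_hitcount step is what catches the mismatch the modprobe.d section exists for: with the kernel default of 20, a --hitcount of 30 is refused at load time and the whole file fails to restore.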