From e2388c7df431c086cd49199f0e12ff1c5744a6c3 Mon Sep 17 00:00:00 2001
From: unchama <11990197+unchama@users.noreply.github.com>
Date: Sat, 16 Dec 2023 15:39:50 +0900
Subject: [PATCH 1/2] =?UTF-8?q?feat:=20bungeecord=E7=94=A8=E3=81=AEcilium-?=
 =?UTF-8?q?network-policy=E3=82=92=E9=8C=AC=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../cilium-networking/README.md | 11 +
 ...--from-tcpshield--to-bungeecord-debug.yaml | 235 ++++++++++++++++++
 ...w--from-tcpshield--to-bungeecord-prod.yaml | 235 ++++++++++++++++++
 .../tcpshield-config-generator.sh | 27 ++
 4 files changed, 508 insertions(+)
 create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
 create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
 create mode 100644 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
 create mode 100755 seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh

diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
new file mode 100644
index 000000000..52f12ae3d
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/README.md
@@ -0,0 +1,11 @@
+# tcpshield-condig-generator.sh について
+
+Minecarftの通信ポート(seichi_infraの場合はBungeeCord)はOrigin IP上で公開されており、悪意を持った第三者がポートスキャンなどで発見した場合、Origin IPへのDoS Attackの懸念がある。
+
+これらポートはDDoS対策基盤であるTCPShield以外からの通信に応答する必要はないため、TCPShield以外からの通信に応答しない様にBungeeCordのEndpointに対してCiliumNetworkingPolicyを書いている。
+
+TCPShieldが通信に使用するIPアドレスは以下URLにて公開されている。
+
+
+
+もし何らかの理由でTCPShield側が使用するIPアドレスが変更となった場合は `tcpshield-condig-generator.sh` を使用して最新のIPListをもとにCiliumNetworkingPolicyを生成し、それを参考に各環境の既存のCiliumNetworkingPolicyを編集すること。
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
new file mode 100644
index 000000000..cd95c6fc7
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-debug.yaml
@@ -0,0 +1,235 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow--from-tcpshield--to-bungeecord-debug + namespace: seichi-debug-gateway +spec: + endpointSelector: + matchLabels: + app: bungeecord + ingress: + - fromCIDRSet: + - cidr: 198.178.119.0/24 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 104.234.6.0/24 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.19.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.64/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.38.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.93.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.93.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.92.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.148.217.96/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.148.217.192/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.221.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 217.182.27.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.77.31.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 178.33.198.192/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 149.202.13.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.81.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.81.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.195.87.96/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.195.87.128/27 + toPorts: + - ports: + - port: "25565" + - 
fromCIDRSet: + - cidr: 51.195.52.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 141.95.23.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 141.95.62.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.66.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.66.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.65.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.81.4.128/29 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.55.28/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 149.56.152.184/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 158.69.58.208/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.79.61.228/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.244.40/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.108.172/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 178.32.145.164/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 5.196.219.36/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.127.36/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.50.132/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 54.36.236.48/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 54.38.216.200/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.75.85.108/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.38.153.44/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.83.245.80/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.125.217.68/32 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 143.244.56.249/32 + toPorts: + - ports: + - port: "25565" 
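Review bot: Every `ports` entry in this policy omits `protocol`, so each rule admits port 25565 over any protocol; since the BungeeCord listener the policy protects is a TCP service, `- port: "25565"` followed by `protocol: TCP` narrows the allow-list to what the endpoint actually serves, and the same applies to every entry in allow--from-tcpshield--to-bungeecord-prod.yaml, which is otherwise identical to this file. The file also records nothing about where the CIDR list came from or when, so a later reviewer cannot tell whether it is current; a header comment such as `# Source: https://tcpshield.com/v4/ (fetched YYYY-MM-DD, placeholder) — regenerate with tcpshield-config-generator.sh` would make the allow-list auditable. Whether the client source address is still visible when traffic reaches the pod depends on how the service exposes BungeeCord (if the load balancer or kube-proxy SNATs to a node address, these CIDR matches would presumably block everything rather than just non-TCPShield sources), which is worth confirming in both namespaces before relying on the policy.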
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
new file mode 100644
index 000000000..55b92b2a3
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/allow--from-tcpshield--to-bungeecord-prod.yaml
@@ -0,0 +1,235 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow--from-tcpshield--to-bungeecord-prod + namespace: seichi-gateway +spec: + endpointSelector: + matchLabels: + app: bungeecord + ingress: + - fromCIDRSet: + - cidr: 198.178.119.0/24 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 104.234.6.0/24 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.19.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.99.64/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.161.38.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.93.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.93.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.92.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.148.217.96/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.148.217.192/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.221.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 217.182.27.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.77.31.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 178.33.198.192/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 149.202.13.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.81.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.81.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.195.87.96/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.195.87.128/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: 
+ - cidr: 51.195.52.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 141.95.23.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 141.95.62.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.66.0/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.66.32/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 146.59.65.224/27 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.81.4.128/29 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.222.55.28/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 149.56.152.184/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 158.69.58.208/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.79.61.228/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.244.40/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.178.108.172/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 178.32.145.164/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 5.196.219.36/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.127.36/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.89.50.132/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 54.36.236.48/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 54.38.216.200/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.75.85.108/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.38.153.44/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 51.83.245.80/30 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 135.125.217.68/32 + toPorts: + - ports: + - port: "25565" + - fromCIDRSet: + - cidr: 143.244.56.249/32 + toPorts: + - ports: + - port: "25565" 
diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
new file mode 100755
index 000000000..422576181
--- /dev/null
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+TCPSHIELD_IP_LIST=$(curl -Ss https://tcpshield.com/v4/)
+
+cat < _generated-config.yaml
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow--from-tcpshield--to-bungeecord-hogehoge
+ namespace: hogehoge-namespace
+spec:
+ endpointSelector:
+ matchLabels:
+ app: bungeecord
+EOF
+
+for cidr in "$TCPSHIELD_IP_LIST"
+do
+ cat <> _generated-config.yaml
+ - fromCIDRSet:
+ - cidr: "$cidr"
+ toPorts:
+ - ports:
+ - port: "25565"
+EOF
+
+done

From ffb275f0dd4d921ea79d14111d84674e42899ba6 Mon Sep 17 00:00:00 2001
From: unchama <11990197+unchama@users.noreply.github.com>
Date: Sat, 16 Dec 2023 15:51:20 +0900
Subject: [PATCH 2/2] fix: shellcheck

---
 .../cilium-networking/tcpshield-config-generator.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
index 422576181..c6e4f96cd 100755
--- a/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
+++ b/seichi-onp-k8s/manifests/seichi-kubernetes/apps/cluster-wide-apps/cilium-networking/tcpshield-config-generator.sh
@@ -14,7 +14,7 @@ spec:
 app: bungeecord
 EOF
 
-for cidr in "$TCPSHIELD_IP_LIST"
+for cidr in $TCPSHIELD_IP_LIST
 do
 cat <> _generated-config.yaml
 - fromCIDRSet:
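Review bot: `curl -Ss` on the third line of the script hands back an HTTP error body (or nothing, when the request fails) as if it were the CIDR list, and the rest of the script writes whatever it received straight into an allow-list: with no `set -e`, no `-f`, and no check on the fetched entries, a failed fetch silently yields a policy with no rules and an unexpected response yields rules with arbitrary `cidr:` values. Using `curl -fsS` under `set -euo pipefail`, refusing an empty result, and accepting only lines that look like an IPv4 CIDR keeps a bad download from becoming a bad policy. Validating per entry requires a line-wise loop, so the loop is shown in that form below; both heredocs are unchanged. The rewritten fetch and loop:
```shell
#!/bin/bash
set -euo pipefail

# -f: treat HTTP errors as failures so an error page is never read as a CIDR list
TCPSHIELD_IP_LIST=$(curl -fsS https://tcpshield.com/v4/)
[[ -n "$TCPSHIELD_IP_LIST" ]] || { printf 'empty TCPShield IP list\n' >&2; exit 1; }

# … unchanged: heredoc writing the policy header to _generated-config.yaml …

while IFS= read -r cidr; do
  [[ -z "$cidr" ]] && continue
  # only plain IPv4 CIDRs may become policy entries; anything else aborts generation
  if [[ ! "$cidr" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$ ]]; then
    printf 'unexpected entry in TCPShield list: %s\n' "$cidr" >&2
    exit 1
  fi
  # … unchanged: heredoc appending one fromCIDRSet rule for "$cidr" …
done <<<"$TCPSHIELD_IP_LIST"
```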
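Review bot: Dropping the quotes makes the loop iterate, but an unquoted `$TCPSHIELD_IP_LIST` is also subject to pathname expansion and splits on every whitespace character, so a feed line containing spaces or a `*` would turn into several or unexpected rules rather than one. Reading the list line-wise avoids both and keeps one feed entry per rule: `while IFS= read -r cidr; do` … `done <<<"$TCPSHIELD_IP_LIST"`, with the heredoc body unchanged. The loop body continues past the end of this hunk.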