What is Uranus?

Uranus is a central controller for Linux firewalld. In Greek mythology, Uranus is the king of the gods; the firewall gateway is the Uranus for iptables.

Prerequisites

Hardware requirements

We recommend these hardware requirements for production systems or for development systems that are designed to demonstrate production use cases:

| Item | Description | Minimum requirements | Recommended |
|---|---|---|---|
| Per instance | You can install on one node, but many features require at least one node. | 1 instance | > 1 instances |
| RAM per instance | Defining your RAM size must be part of the capacity planning for your Uranus usage. | 512 MB | >= 1 GB |
| Persistent storage | The amount of storage space for each node. | 1 GB | >= 10 GB |

Software requirements

| Item | Description | Recommended |
|---|---|---|
| OS / Platform | Linux, Kubernetes | Debian 11, CentOS 7 |
| Firewalld | 0.6.3, 0.9.2 | CentOS 7 default version, Debian 11 default version |

Build and run Uranus

Set up Uranus in binary mode

Build and run the Uranus backend

Clone the repository:

```bash
git clone https://github.com/cylonchau/firewalld-gateway.git
```

Compile

```bash
cd firewalld-gateway && make build
```

The first time you run it, migrate the database

```bash
# currently --sql-driver supports sqlite or mysql
./_output/firewalld-gateway --migration --sql-driver=sqlite --config firewalld-gateway.toml -v 10
```

Initialise the API docs

```bash
swag init -g cmd/main.go --output ./docs/ --packageName docs
```

Run Uranus

```bash
./_output/firewalld-gateway --sql-driver=sqlite --config firewalld-gateway.toml -v 5
```

Set up the Uranus frontend

Install Nginx

```bash
yum install nginx -y
# or
apt install nginx -y
```

Configure nginx

```bash
cd /etc/nginx/ && \
mv nginx.conf nginx.conf.default
grep -Ev '^$|#' nginx.conf.default > nginx.conf && \
sed -i '/include/i \    include /etc/nginx/conf.d/*.conf;' nginx.conf && \
cd conf.d
```

Create fw.conf in the conf.d directory

```bash
cat <<EOF > fw.conf
server {
     listen 80;
     root /var/run/dist;

     location / {
       try_files \$uri \$uri/ @router;
       index index.html;
     }
     location ~ /fw/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/fw/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
    location ~ /security/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/security/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    location ~ /sso/(?<section>.*) {
        proxy_pass http://10.0.0.1:2952/sso/\$section\$is_args\$args;
        proxy_set_header X-Forwarded-Host \$server_name;
        proxy_set_header X-Forwarded-Port \$server_port;
        proxy_set_header X-Forwarded-Server \$host;
        proxy_set_header X-Forwarded-Scheme \$scheme;
        proxy_set_header X-Forwarded-URI \$request_uri;
        proxy_set_header X-Real-IP       \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }

    location /ping {
       proxy_pass http://10.0.0.1:2952/ping;
       proxy_set_header X-Forwarded-Port \$server_port;
       proxy_set_header X-Forwarded-Server \$host;
       proxy_set_header X-Forwarded-Scheme \$scheme;
       proxy_set_header X-Forwarded-URI \$request_uri;
       proxy_set_header X-Real-IP       \$remote_addr;
       proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
```

Move the dist directory to /var/run/

```bash
mv dist /var/run/
```

Start nginx

```bash
systemctl start nginx
```

Set up Uranus with Docker

Build the Docker image

Clone the repository:

```bash
git clone https://github.com/cylonchau/firewalld-gateway.git
```

Build the image

```bash
docker build -t cylonchau/uranus:v0.0.5 .
```

Run

```bash
docker run -d --rm --name uranus -p 2953:2953 cylonchau/uranus:v0.0.5
```

Note: this mode uses sqlite by default, so if you want to use an external database, change the config file and then build the image.

Setup firewalld

Download

By default, we provide two firewalld variant versions:

  • CentOS 7 or CentOS 6
  • Debian 11

You can download and install those firewalld versions on your Linux host:

https://github.com/cylonchau/firewalld/releases

Install

CentOS 7

```bash
rpm -e python-firewall-0.6.3-11 --nodeps && \
rpm -ivh python-firewall-0.6.3-4.el7.noarch.rpm
```

Debian 11

```bash
dpkg -r python3-firewall && \
dpkg -i python3-firewall_0.9.3-2_amd64.deb
```

Configure

Enable D-Bus remote mode

CentOS

Edit /etc/dbus-1/system.conf

```xml
<!--
This configuration file is no longer required and may be removed.

In older versions of dbus, this file defined the behaviour of the well-known
system bus. That behaviour is now determined by
/usr/share/dbus-1/system.conf, which should not be edited.

For local configuration changes, create a file
system-local.conf or files matching system.d/*.conf in the same directory
as this one, with a <busconfig> element containing configuration directives.
These directives can override D-Bus or OS defaults.

For upstream or distribution-wide defaults that can be overridden
by a local sysadmin, create files matching
/usr/share/dbus-1/system.d/*.conf instead.
-->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>

<!-- Add this part -->
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
    <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>
```

Enable the D-Bus TCP port

Edit /usr/lib/systemd/system/dbus.socket (systemd does not support trailing comments on a value line, so the comment goes on its own line)

```conf
[Unit]
Description=D-Bus System Message Bus Socket

[Socket]
ListenStream=/var/run/dbus/system_bus_socket
# Add this
ListenStream=55556
```

Reload the service

```bash
systemctl reload firewalld
```

Debian

Edit /etc/dbus-1/system.conf

```xml
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>

<!-- Add this part -->
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" /> <!-- allow Uranus to register with dbus-daemon -->
    <!-- if the requester is com.github.cylonchau.Uranus and the request path is /org/fedoraproject/FirewallD1, then allow -->
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>

  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>
```

Edit /usr/lib/systemd/system/dbus.socket

```conf
[Unit]
Description=D-Bus System Message Bus Socket

# Add this part
[Socket]
ListenStream=/var/run/dbus/system_bus_socket
ListenStream=55556
```
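The busconfig and dbus.socket edits above (for both CentOS and Debian) open the system bus to TCP clients. The following audit script is an added example, not part of the Uranus project: it parses a busconfig file and the socket unit, reports which TCP ports the bus listens on, and flags the two settings that widen exposure the most, a listener bound to every interface (`bind=*`) and anonymous authentication accepted over TCP. The sample busconfig is the one from this page with the DOCTYPE and leading comment omitted; the function names are this example's own.

```python
# Added example, not Uranus project code: audit the D-Bus remote-mode edits
# above before rolling them out to a managed firewalld host.
import xml.etree.ElementTree as ET

# Constructed sample: the busconfig shown on this page (DOCTYPE/comment omitted).
SAMPLE_BUSCONFIG = """<busconfig>
<listen>tcp:host=10.0.0.3,bind=*,port=55556,family=ipv4</listen>
<listen>unix:tmpdir=/tmp</listen>
<policy context="default">
    <allow user="root" />
    <allow own="com.github.cylonchau.Uranus" />
    <allow receive_sender="com.github.cylonchau.Uranus" receive_path="/org/fedoraproject/FirewallD1" />
</policy>
  <auth>ANONYMOUS</auth>
  <allow_anonymous/>
</busconfig>
"""

def parse_dbus_address(addr):
    """Split 'tcp:host=10.0.0.3,port=55556' into ('tcp', {'host': ..., 'port': ...})."""
    transport, _, rest = addr.strip().partition(":")
    params = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
    return transport, params

def audit_busconfig(xml_text):
    """Return the TCP ports the bus listens on plus a list of exposure findings."""
    root = ET.fromstring(xml_text)
    tcp_ports, findings = [], []
    for node in root.findall("listen"):
        transport, params = parse_dbus_address(node.text or "")
        if transport != "tcp":
            continue
        tcp_ports.append(int(params.get("port", 0)))
        # 'bind' is the address dbus-daemon actually binds; '*' means every interface.
        if params.get("bind", params.get("host", "")) in ("*", "0.0.0.0", ""):
            findings.append("tcp-listener-on-all-interfaces")
    anonymous = any((a.text or "").strip() == "ANONYMOUS" for a in root.findall("auth"))
    # ANONYMOUS auth only takes effect together with <allow_anonymous/>.
    if tcp_ports and anonymous and root.find("allow_anonymous") is not None:
        findings.append("anonymous-clients-accepted-over-tcp")
    return {"tcp_ports": tcp_ports, "findings": findings}

def check_socket_unit(unit_text):
    """systemd has no inline comments: 'ListenStream=55556 # note' is an invalid value."""
    return [ln for ln in unit_text.splitlines()
            if ln.startswith("ListenStream=") and "#" in ln]
```

Run it against /etc/dbus-1/system.conf and /usr/lib/systemd/system/dbus.socket on the managed host; an empty findings list for the hardened variant (bind set to the controller-facing address, no `<allow_anonymous/>`) is the state to aim for.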

Add a managed firewalld Linux host to Uranus

Add host