authorHugo Hörnquist <hugo@lysator.liu.se>2022-02-06 14:22:14 +0100
committerHugo Hörnquist <hugo@lysator.liu.se>2022-02-09 18:06:59 +0100
commitbd482151cf0fe46bc7d526e014bab1b9ab94a085 (patch)
tree94ab7f95f894f7d9b2764dfc71989012406b72b0
parentprofile documentation (diff)
downloadprofiles-bd482151cf0fe46bc7d526e014bab1b9ab94a085.tar.gz
profiles-bd482151cf0fe46bc7d526e014bab1b9ab94a085.tar.xz
Rewrote how the firewall is handled.
-rw-r--r--files/firewall/rules.v415
-rw-r--r--manifests/firewall.pp77
2 files changed, 69 insertions, 23 deletions
diff --git a/files/firewall/rules.v4 b/files/firewall/rules.v4
deleted file mode 100644
index bdc63cc..0000000
--- a/files/firewall/rules.v4
+++ /dev/null
@@ -1,15 +0,0 @@
-# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
-*filter
-:INPUT DROP [120:97784]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [526:114637]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -p udp -m udp --dport 53 -j ACCEPT
-COMMIT
-# Completed on Thu Jun 3 20:27:52 2021
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@
-class profiles::firewall {
+class profiles::firewall (
+ Enum['accept','drop','queue','return'] $policy = 'drop',
+) {
ensure_packages ([
- 'iptables-persistent',
'fail2ban',
], { ensure => installed })
- file { '/etc/iptables/rules.v4':
- source => 'puppet:///modules/profiles/firewall/rules.v4',
- } ~> exec { 'reload firewall':
- command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
- refreshonly => true,
- }
+ firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
+ purge => true,
+ policy => $policy,
+ ignore => [
+ 'f2b-ssh',
+ ]
+ }
+
+ firewallchain { [
+ 'f2b-sshd:filter:IPv4',
+ 'f2b-sshd:filter:IPv6',
+ 'f2b-sshlongterm:filter:IPv4',
+ 'f2b-sshlongterm:filter:IPv6',
+ ]:
+ purge => false,
+ }
+
+ firewall { '000 accept all icmp':
+ proto => icmp,
+ action => accept,
+ }
+
+ firewall { '001 accept all loopback':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ }
+
+ firewall { '002 accept related and established':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ }
+
+ firewall { '000 accept all icmp IPv6':
+ proto => icmp,
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '001 accept all loopback IPv6':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '002 accept related and established IPv6':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ provider => 'ip6tables'
+ }
+
+ filewall { '922 allow ssh':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ }
+
+ filewall { '922 allow ssh IPv6':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ provider => 'ip6tables',
+ }
service { 'fail2ban':
ensure => running,