Diffstat (limited to '')
-rw-r--r-- | files/firewall/rules.v4 | 15 | ||||
-rw-r--r-- | manifests/firewall.pp | 77 |
2 files changed, 69 insertions, 23 deletions
diff --git a/files/firewall/rules.v4 b/files/firewall/rules.v4
deleted file mode 100644
index bdc63cc..0000000
--- a/files/firewall/rules.v4
+++ /dev/null
@@ -1,15 +0,0 @@
-# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
-*filter
-:INPUT DROP [120:97784]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [526:114637]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -p udp -m udp --dport 53 -j ACCEPT
-COMMIT
-# Completed on Thu Jun 3 20:27:52 2021
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@ -class profiles::firewall { +class profiles::firewall ( + Enum['accept','drop','queue','return'] $policy = 'drop', +) { ensure_packages ([ - 'iptables-persistent', 'fail2ban', ], { ensure => installed }) - file { '/etc/iptables/rules.v4': - source => 'puppet:///modules/profiles/firewall/rules.v4', - } ~> exec { 'reload firewall': - command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart', - refreshonly => true, - } + firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']: + purge => true, + policy => $policy, + ignore => [ + 'f2b-ssh', + ] + } + + firewallchain { [ + 'f2b-sshd:filter:IPv4', + 'f2b-sshd:filter:IPv6', + 'f2b-sshlongterm:filter:IPv4', + 'f2b-sshlongterm:filter:IPv6', + ]: + purge => false, + } + + firewall { '000 accept all icmp': + proto => icmp, + action => accept, + } + + firewall { '001 accept all loopback': + proto => all, + iniface => 'lo', + action => accept, + } + + firewall { '002 accept related and established': + proto => all, + state => ['RELATED', 'ESTABLISHED',], + action => accept, + } + + firewall { '000 accept all icmp IPv6': + proto => icmp, + action => accept, + provider => 'ip6tables', + } + + firewall { '001 accept all loopback IPv6': + proto => all, + iniface => 'lo', + action => accept, + provider => 'ip6tables', + } + + firewall { '002 accept related and established IPv6': + proto => all, + state => ['RELATED', 'ESTABLISHED',], + action => accept, + provider => 'ip6tables' + } + + filewall { '922 allow ssh': + proto => tcp, + dport => 'ssh', + action => accept, + } + + filewall { '922 allow ssh IPv6': + proto => tcp, + dport => 'ssh', + action => accept, + provider => 'ip6tables', + } service { 'fail2ban': ensure => running, |
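Review bot: The two SSH rules near the end of the hunk are declared as `filewall { '922 allow ssh': ... }` and `filewall { '922 allow ssh IPv6': ... }`, which is not a resource type, so the catalog will fail to compile and none of the new chain policy or rules is applied until they read `firewall { '922 allow ssh':` and `firewall { '922 allow ssh IPv6':`. With `policy => $policy` defaulting to `drop`, the `'000 accept all icmp IPv6'` rule probably does not do what it is meant to: unless the module rewrites it, ip6tables `-p icmp` is protocol 1 and never matches ICMPv6 (protocol 58), so neighbour discovery and router advertisements would be dropped; `proto => 'ipv6-icmp',` is the usual spelling for the ip6tables provider. The deleted rules.v4 also accepted TCP 80/443, TCP/UDP 53 and UDP 67:68, and nothing in the new manifest re-adds them; if this host still serves HTTP/DNS/DHCP those services go dark under the drop policy, and if the removal is intentional the commit message should say so. Since `iptables-persistent` and the reload exec are removed, persistence across reboot presumably now depends on the module's own `firewall` class being declared elsewhere — worth confirming.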