From bd482151cf0fe46bc7d526e014bab1b9ab94a085 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Sun, 6 Feb 2022 14:22:14 +0100
Subject: Rewrote how firewall is handled.

---
 files/firewall/rules.v4 | 15 ----------
 manifests/firewall.pp | 77 ++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 69 insertions(+), 23 deletions(-)
 delete mode 100644 files/firewall/rules.v4

diff --git a/files/firewall/rules.v4 b/files/firewall/rules.v4
deleted file mode 100644
index bdc63cc..0000000
--- a/files/firewall/rules.v4
+++ /dev/null
@@ -1,15 +0,0 @@
-# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
-*filter
-:INPUT DROP [120:97784]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [526:114637]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
--A INPUT -p udp -m udp --dport 53 -j ACCEPT
-COMMIT
-# Completed on Thu Jun 3 20:27:52 2021
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index 6c9d7e6..7acd422 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -1,15 +1,76 @@
-class profiles::firewall {
+class profiles::firewall (
+ Enum['accept','drop','queue','return'] $policy = 'drop',
+) {
 ensure_packages ([
- 'iptables-persistent',
 'fail2ban',
 ], { ensure => installed })
 
- file { '/etc/iptables/rules.v4':
- source => 'puppet:///modules/profiles/firewall/rules.v4',
- } ~> exec { 'reload firewall':
- command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
- refreshonly => true,
- }
+ firewallchain { ['INPUT:filter:IPv4', 'INPUT:filter:IPv6']:
+ purge => true,
+ policy => $policy,
+ ignore => [
+ 'f2b-ssh',
+ ]
+ }
+
+ firewallchain { [
+ 'f2b-sshd:filter:IPv4',
+ 'f2b-sshd:filter:IPv6',
+ 'f2b-sshlongterm:filter:IPv4',
+ 'f2b-sshlongterm:filter:IPv6',
+ ]:
+ purge => false,
+ }
+
+ firewall { '000 accept all icmp':
+ proto => icmp,
+ action => accept,
+ }
+
+ firewall { '001 accept all loopback':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ }
+
+ firewall { '002 accept related and established':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ }
+
+ firewall { '000 accept all icmp IPv6':
+ proto => icmp,
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '001 accept all loopback IPv6':
+ proto => all,
+ iniface => 'lo',
+ action => accept,
+ provider => 'ip6tables',
+ }
+
+ firewall { '002 accept related and established IPv6':
+ proto => all,
+ state => ['RELATED', 'ESTABLISHED',],
+ action => accept,
+ provider => 'ip6tables'
+ }
+
+ filewall { '922 allow ssh':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ }
+
+ filewall { '922 allow ssh IPv6':
+ proto => tcp,
+ dport => 'ssh',
+ action => accept,
+ provider => 'ip6tables',
+ }
 
 service { 'fail2ban':
 ensure => running,
-- 
cgit v1.2.3
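Review bot: The two SSH rules near the end of the hunk are declared as `filewall` rather than `firewall`, so the catalog fails to compile on an unknown resource type and nothing in this hunk is applied; the fix is `firewall { '922 allow ssh':` and `firewall { '922 allow ssh IPv6':`. The typo matters more than usual here because the INPUT chains get `purge => true` with a default policy of `drop`, so a later edit that makes the manifest compile while the SSH accept rule is still broken would lock remote administrators out on the first run; a syntax check of the manifest before merging would have caught it. The deleted rules.v4 accepted udp 67:68, tcp/udp 53, tcp 80 and tcp 443, none of which are re-created here — presumably they now belong to other profiles, but if this host still offers those services they are silently dropped after this change. Minor style: the last IPv6 `002` resource omits the trailing comma after `provider => 'ip6tables'` that its siblings carry. The class body continues past the end of the hunk.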