Diffstat (limited to 'modules')
-rw-r--r--modules/profiles/files/firewall/rules.v415
-rw-r--r--modules/profiles/manifests/firewall.pp19
2 files changed, 34 insertions, 0 deletions
diff --git a/modules/profiles/files/firewall/rules.v4 b/modules/profiles/files/firewall/rules.v4
new file mode 100644
index 0000000..bdc63cc
--- /dev/null
+++ b/modules/profiles/files/firewall/rules.v4
@@ -0,0 +1,15 @@
+# Generated by iptables-save v1.8.4 on Thu Jun 3 20:27:52 2021
+*filter
+:INPUT DROP [120:97784]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [526:114637]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
+-A INPUT -p udp -m udp --dport 53 -j ACCEPT
+COMMIT
+# Completed on Thu Jun 3 20:27:52 2021
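Review bot: With the policy set to DROP on `:INPUT DROP [120:97784]`, nothing in the chain accepts traffic arriving on the loopback interface, so local clients talking to 127.0.0.1 (a resolver on the host, health checks, anything a daemon binds only to loopback) are dropped unless they happen to hit one of the listed ports; add `-A INPUT -i lo -j ACCEPT` as the first rule after the chain declarations. The file covers IPv4 only and no rules.v6 is added in this commit, so the IPv6 INPUT chain presumably stays at its default ACCEPT policy — confirm a matching rules.v6 exists or is intended. `-m state --state RELATED,ESTABLISHED` is the legacy match; `-m conntrack --ctstate RELATED,ESTABLISHED` is the current equivalent. Ports 53/tcp and 53/udp are accepted from any source; if the host runs a recursive resolver rather than an authoritative one, those two rules should be scoped with `-s` to the networks it serves.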
diff --git a/modules/profiles/manifests/firewall.pp b/modules/profiles/manifests/firewall.pp
new file mode 100644
index 0000000..6c9d7e6
--- /dev/null
+++ b/modules/profiles/manifests/firewall.pp
@@ -0,0 +1,19 @@
+class profiles::firewall {
+ ensure_packages ([
+ 'iptables-persistent',
+ 'fail2ban',
+ ], { ensure => installed })
+
+ file { '/etc/iptables/rules.v4':
+ source => 'puppet:///modules/profiles/firewall/rules.v4',
+ } ~> exec { 'reload firewall':
+ command => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
+ refreshonly => true,
+ }
+
+ service { 'fail2ban':
+ ensure => running,
+ enable => true,
+ }
+
+}
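Review bot: The `file { '/etc/iptables/rules.v4': ... }` resource has no ordering against `Package['iptables-persistent']`, and `ensure_packages` does not add one; on a fresh host the `/etc/iptables` directory is presumably created by that package, so the first run can fail before it is installed. It also sets no `owner`/`group`/`mode`, so the rules file gets whatever the agent's umask yields, and no `ensure => file`. Restarting the ip4tables plugin presumably runs an iptables-restore that replaces the filter table, which would discard the chains fail2ban maintains at runtime, so the exec should notify `Service['fail2ban']`, and the service should require its package since Puppet does not order package before service on its own. Whether the plugin accepts a `restart` argument is not visible here — confirm against the installed netfilter-persistent version.
```puppet
  # … unchanged: ensure_packages …

  file { '/etc/iptables/rules.v4':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    source  => 'puppet:///modules/profiles/firewall/rules.v4',
    require => Package['iptables-persistent'],
  } ~> exec { 'reload firewall':
    command     => '/usr/share/netfilter-persistent/plugins.d/15-ip4tables restart',
    refreshonly => true,
    notify      => Service['fail2ban'],
  }

  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
```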