Unverified Commit 57a582be authored by Max Adamo's avatar Max Adamo

First attempt to migrate the code to fw_builder

parent 8ed01527
Facter.add(:fw_builder_is_docker) do
setcode do
if Facter::Util::Resolution.which('docker')
true
else
false
end
end
end
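Review bot: The `if … true else false end` wrapped around `Facter::Util::Resolution.which('docker')` collapses to one expression, `!Facter::Util::Resolution.which('docker').nil?`, and the fact deserves a one-line comment because init.pp in this same commit reads `$facts['fw_builder_is_docker']` to decide whether iptables chains are purged. As written the value only means that a `docker` executable is somewhere on the agent's PATH, so a host with just the client package installed would report true and keep its chains unpurged; if that matters, confine the fact further (for example on a running daemon or the presence of the docker0 interface) — that is an inference from the fact body, not something the page states.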
# == Class: fw_builder::chains
#
# Pre IPtables allows several icmp type, loopback connection
# either on IPv6 and IPv4
#
# This class opens the firewall to Geant specific servers
#
# === Parameters
#
# === Requires
#
# === Examples
#
class fw_builder::chains (
$ipv4_enable,
$ipv6_enable
) {
assert_private()
if ($ipv4_enable) {
['udp', 'tcp', 'trust', 'public'].each | $chain | {
firewallchain { "INPUT_${chain}:filter:IPv4":
ensure => present;
}
}
firewall {
default:
chain => 'INPUT',
action => accept,
provider => 'iptables';
'010 accept all icmp for provider iptables':
proto => 'icmp';
'003 accept inbound related established rules for provider iptables':
proto => all,
state => ['RELATED', 'ESTABLISHED'];
}
firewall {
default:
chain => 'INPUT',
jump => 'INPUT_public',
state => ['NEW'],
provider => 'ip6tables';
'090 IPv4 UDP INPUT_public for all public services':
proto => 'udp';
'090 IPv4 TCP INPUT_public for all public services':
proto => 'tcp';
}
firewall { '095 IPv4 INPUT_trust this is for all ip ranges (mostly internal)':
chain => 'INPUT',
proto => all,
state => ['NEW'],
jump => 'INPUT_trust',
ipset => 'trusted_networks_v4 src',
provider => 'iptables';
}
firewall { '001 IPv4 accept all inbound to localhost':
chain => 'INPUT',
proto => all,
iniface => 'lo',
action => accept,
provider => 'iptables';
}
}
if ($ipv6_enable) {
['udp', 'tcp', 'trust', 'public'].each | $chain | {
firewallchain { "INPUT_${chain}:filter:IPv6":
ensure => present,
}
}
firewall {
default:
chain => 'INPUT',
action => accept,
provider => 'ip6tables';
'010 accept all icmp for provider ip6tables':
proto => 'ipv6-icmp';
'003 accept inbound related established rules for provider ip6tables':
proto => all,
state => ['RELATED', 'ESTABLISHED'];
}
firewall {
default:
chain => 'INPUT',
jump => 'INPUT_public',
state => ['NEW'],
provider => 'ip6tables';
'090 IPv6 UDP INPUT_public for all public services':
proto => 'udp';
'090 IPv6 TCP INPUT_public for all public services':
proto => 'tcp';
}
firewall { '095 IPv6 INPUT_trust this is for all ip ranges (mostly internal)':
chain => 'INPUT',
proto => all,
state => ['NEW'],
jump => 'INPUT_trust',
ipset => 'trusted_networks_v6 src',
provider => 'ip6tables';
}
firewall { '001 IPv6 accept all inbound to localhost6':
chain => 'INPUT',
proto => all,
iniface => 'lo',
action => accept,
provider => 'ip6tables';
}
}
}
# vim:ts=2:sw=2
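Review bot: The second `firewall { default: … }` block inside `if ($ipv4_enable)` — the two `090 IPv4 … INPUT_public` rules — sets `provider => 'ip6tables'`, so on an IPv4-only host no NEW udp/tcp traffic is ever handed to INPUT_public and the rules are instead placed in ip6tables, whose INPUT_public chain is not created when IPv6 is disabled. Change that default to `provider => 'iptables';`; the counterpart block under `if ($ipv6_enable)` already uses ip6tables correctly. The `firewallchain` declaration in the IPv4 branch ends `ensure => present;` where the IPv6 branch uses a comma — legal, but inconsistent. The header comment is copied from another class ("opens the firewall to Geant specific servers") and should describe this one: the INPUT_{udp,tcp,trust,public} chains plus the per-provider accept rules for icmp, RELATED/ESTABLISHED, loopback, the trusted ipset jump and the public-service jumps.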
# == Class: fw_builder::docker
#
# Pre IPtables allows several icmp type, loopback connection
# either on IPv6 and IPv4
#
# This class opens the firewall to Geant specific servers
#
# === Parameters
#
# === Requires
#
# === Examples
#
class fw_builder::docker (
$manage_docker,
$ipv4_enable,
$ipv6_enable
) {
assert_private()
# IPv6 IS STILL MISSING
firewallchain { ['INPUT:filter:IPv4', 'OUTPUT:filter:IPv4']:
purge => true,
ignore => ['docker', 'br-', 'cali-', 'KUBE'],
}
firewallchain { 'FORWARD:filter:IPv4':
purge => true,
ignore => ['docker', 'br-', 'cali-', 'KUBE'],
}
firewallchain { ['DOCKER:nat:IPv4', 'DOCKER:filter:IPv4']:
purge => false,
}
firewallchain { 'POSTROUTING:nat:IPv4':
purge => false,
}
firewallchain { [
'INPUT:nat:IPv4', 'PREROUTING:nat:IPv4',
'OUTPUT:nat:IPv4', 'PREROUTING:mangle:IPv4',
'POSTROUTING:mangle:IPv4', 'INPUT:mangle:IPv4',
'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4',
'OUTPUT:raw:IPv4', 'PREROUTING:raw:IPv4'
]:
purge => true,
ignore => ['DOCKER', 'cali-', 'KUBE'],
}
# this is is for kube / cali
firewallchain { [
'cali-PREROUTING:mangle:IPv4', 'cali-failsafe-in:mangle:IPv4',
'cali-from-host-endpoint:mangle:IPv4', 'cali-failsafe-in:raw:IPv4',
'cali-failsafe-out:raw:IPv4', 'cali-from-host-endpoint:raw:IPv4',
'cali-to-host-endpoint:raw:IPv4', 'KUBE-SERVICES:filter:IPv4'
]:
purge => false,
}
}
# vim:ts=2:sw=2
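Review bot: `$manage_docker` is a required parameter of `fw_builder::docker` that the body never reads, and the `class { 'fw_builder::docker': … }` declaration in init.pp in this commit passes only `ipv4_enable` and `ipv6_enable`, so catalog compilation fails with a missing-parameter error whenever this class is reached — either remove the parameter or give it a default. `$ipv4_enable`/`$ipv6_enable` are likewise unused here; the `# IPv6 IS STILL MISSING` comment suggests they are placeholders, which the header should say instead of repeating the chains-class text. As far as I recall, puppetlabs-firewall's `firewallchain` treats `ignore` entries as patterns matched against each rule line, so the lowercase `'docker'` on INPUT/OUTPUT versus `'DOCKER'` on the nat/mangle/raw chains should be verified against real rule output on a Docker host: a case mismatch would purge Docker's own rules and break container networking.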
......@@ -5,6 +5,84 @@
# Pete Pedersen<pete.pedersen@geant.org>
# Massimiliano Adamo<massimiliano.adamo@geant.org>
#
class fw_builder {
# resources
class fw_builder (
Array $trusted_networks,
Boolean $manage_docker = false,
Boolean $ipv4_enable = true,
Boolean $ipv6_enable = true,
Boolean $logging = true,
Boolean $purge_rules = true,
Integer $log_rotation_days = '7',
$ipset_package_ensure = 'present',
$limit = '1000/sec'
) {
if ! ($purge_rules) and ($manage_docker) {
fail('cannot set purge_rules to false and manage_docker to true')
}
if ! ($ipv4_enable) and ! ($ipv6_enable) {
fail('you cannot disable ipv4 and ipv6 at the same time')
}
if ($ipv4_enable) and ($ipv6_enable) {
$ip_proto_array = ['ip6tables', 'iptables']
} elsif ($ipv4_enable) and ! ($ipv6_enable) {
$ip_proto_array = ['iptables']
} elsif ! ($ipv4_enable) and ($ipv6_enable) {
$ip_proto_array = ['iptables']
}
class {
'fw_builder::ipset':
ipset_package_ensure => $ipset_package_ensure,
trusted_networks => $trusted_networks,
ipv4_enable => $ipv4_enable,
ipv6_enable => $ipv6_enable,
before => Class['fw_builder::chains', 'fw_builder::docker'];
'fw_builder::chains':
ipv4_enable => $ipv4_enable,
ipv6_enable => $ipv6_enable;
'fw_builder::post':
ipv4_enable => $ipv4_enable,
ipv6_enable => $ipv6_enable,
limit => $limit;
'fw_builder::logrotate':
logging => $logging,
log_rotation_days => $log_rotation_days,
}
if ($purge_rules) {
if ($facts['fw_builder_is_docker']) and ($manage_docker) {
echo { 'Docker detected':
message => 'not purging iptables rules set by docker';
}
resources { 'firewallchain':
purge => false;
}
class { 'fw_builder::docker':
ipv4_enable => $ipv4_enable,
ipv6_enable => $ipv6_enable;
}
} else {
if ($ipv4_enable) {
firewallchain { 'FORWARD:filter:IPv4':
ensure => present,
policy => drop,
purge => true;
}
}
if ($ipv6_enable) {
firewallchain { 'FORWARD:filter:IPv6':
ensure => present,
policy => drop,
purge => true;
}
}
resources { 'firewall':
purge => true;
}
}
}
}
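Review bot: The third branch of the provider selection, `elsif ! ($ipv4_enable) and ($ipv6_enable)`, assigns `$ip_proto_array = ['iptables']` where it must be `['ip6tables']`; since `fw_builder::post` installs its `910 deny all other inbound` and logging rules per entry of that array, an IPv6-only configuration would leave ip6tables INPUT without a terminating drop while adding one to the disabled iptables side. Three further spots will not compile: `Integer $log_rotation_days = '7'` has a String default for an Integer parameter (`= 7`), the `'fw_builder::post':` declaration omits that class's required `$logging`, and `class { 'fw_builder::docker': … }` omits its required `$manage_docker`. In the `if ($purge_rules)` Docker branch only `resources { 'firewallchain': purge => false }` is declared and no `resources { 'firewall': … }`, so unmanaged firewall rules are never purged in that case at all; if that is intended, the `echo` message should say so rather than "not purging iptables rules set by docker". The old side of the hunk only shows `class fw_builder {` being replaced by the parameterised signature; the rest of the previous body is outside this view.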
# Class: fw_builder::ipset
#
#
class fw_builder::ipset (
$trusted_networks,
$ipset_package_ensure,
$ipv4_enable,
$ipv6_enable
) {
assert_private()
$firewall_service = $facts['os']['family'] ? {
'Debian' => 'netfilter-persistent.service',
default => undef
}
$packages = "${facts['os']['family']}_${facts['os']['release']['major']}" ? {
'RedHat_6' => ['ipset'],
default => undef
}
class { 'ipset':
packages => $packages,
package_ensure => $ipset_package_ensure,
firewall_service => $firewall_service
}
if ($ipv4_enable) {
$trusted_networks_v4 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V4 }
ipset::set { 'trusted_networks_v4':
ensure => 'present',
type => 'hash:net',
set => $trusted_networks_v4;
}
}
if ($ipv6_enable) {
$trusted_networks_v6 = $trusted_networks.filter |$ip_range| { $ip_range =~ Stdlib::IP::Address::V6 }
ipset::set { 'trusted_networks_v6':
ensure => 'present',
type => 'hash:net',
set => $trusted_networks_v6,
options => {'family' => 'inet6'}
}
}
}
# vim:ts=2:sw=2
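Review bot: The two `filter` calls silently drop any `$trusted_networks` entry that matches neither `Stdlib::IP::Address::V4` nor `::V6`, so a mistyped trusted range vanishes from both ipsets with no diagnostic — fail-closed, but it hides the configuration error until someone widens a rule to compensate. Add a check before the branches, e.g. `$unmatched = $trusted_networks.filter |$r| { $r !~ Stdlib::IP::Address }` followed by `unless $unmatched.empty { fail("trusted_networks contains non-IP entries: ${unmatched}") }`, or type the parameter `Array[Stdlib::IP::Address]` to match the `Array $trusted_networks` in init.pp. The header is empty apart from the class name; one line stating that it installs ipset and builds the `trusted_networks_v4`/`_v6` sets consumed by the `095 … INPUT_trust` rules in fw_builder::chains would orient a reader.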
# == Class: fw_builder
#
# == Authors:
#
# Pete Pedersen<pete.pedersen@geant.org>
# Massimiliano Adamo<massimiliano.adamo@geant.org>
#
class fw_builder::logrotate (
$logging,
$log_rotation_days,
) {
assert_private()
file { ['/var/log/iptables.log', '/var/log/ip6tables.log']: ensure => file; }
if ($logging) {
logrotate::rule { 'iptables':
rotate => $log_rotation_days,
dateext => true,
copytruncate => true,
missingok => true,
compress => true,
ifempty => false,
path => '/var/log/ip*tables.log';
}
}
}
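Review bot: The header reads `# == Class: fw_builder` but this is `fw_builder::logrotate`; it should name the class and state that it creates the two log files and, when `$logging` is set, the `iptables` logrotate rule over `/var/log/ip*tables.log`. The `file` resource sets only `ensure => file`, so the logs get Puppet's default ownership and mode; since they will hold source addresses and ports of dropped traffic, pin them with `owner => 'root', group => 'adm', mode => '0640'` (or whatever group the syslog daemon writes as — nothing on this page configures the syslog rule that feeds these paths). The files are also created when `$logging` is false, which may be deliberate but is worth a comment.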
# == Class: fw_builder::post
#
class fw_builder::post (
$ipv4_enable,
$ipv6_enable,
$logging,
$limit
) {
assert_private()
if ($logging) {
$fw_builder::ip_proto_array.each | String $provider | {
firewall {
default:
chain => 'INPUT',
provider => $provider,
jump => 'LOG',
limit => $limit,
log_level => '4';
"889 log RST dropped inbound chain for provider ${provider}":
log_prefix => "[${provider.upcase()} RST RST] dropped";
"900 log dropped inbound chain for provider ${provider}":
proto => all,
log_prefix => "[${provider.upcase()} INPUT] dropped ",
}
}
}
$fw_builder::ip_proto_array.each | String $provider | {
firewall {
default:
chain => 'INPUT',
provider => $provider;
"910 deny all other inbound requests for provider ${provider}":
before => undef,
proto => all,
action => 'drop';
"890 drop RST RST connections for provider ${provider}":
tcp_flags => 'RST RST',
action => 'drop';
}
}
}
# vim:ts=2:sw=2
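Review bot: The `889 log RST dropped inbound chain` rule has no `tcp_flags` match, so it logs every TCP packet that reaches it under a `RST RST dropped` prefix (proto defaults to tcp in puppetlabs-firewall, as far as I recall) and the same packets are logged again by rule 900 — misleading prefixes and double volume through the rate-limited LOG target. Give it the same match as the drop rule that follows it: add `tcp_flags => 'RST RST',` to the 889 entry. `before => undef` on the 910 rule is a no-op and can go. The header should say that this class terminates INPUT for each provider in `$fw_builder::ip_proto_array` (drop RST, then drop everything else) with optional rate-limited logging, and that reading that variable requires the class to be declared from `fw_builder`, which `assert_private()` only partly guarantees.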