
Commit 75380d84 authored by Alex Tayts's avatar Alex Tayts

iptables module, initial commit

parents
# iptables
A wrapper module around firewall and firewall_multi modules from Forge. Technically should
be a profile, but since it is used a lot, made it a module.
## Parameters
* `rules_pre` - rules at the top of the stack.
* `rules_pre_ipv6` - the same for IPv6
* `rules_post` - rules at the bottom of the stack
* `rules_post_ipv6` - the same for IPv6
* `rules` - the rest of the rules
* `chains` - additional iptables chains
* `managed` - remove ad-hoc rules not defined in puppet
* `ssh_defence` - turn ssh defence on/off
* `ssh_defence_sec` - ssh defence time interval
* `ssh_defence_limit` - ssh defence hit count
---
lookup_options:
iptables::rules:
merge:
strategy: deep
merge_hash_arrays: true
# ipv4 default rules
iptables::rules_pre:
accept_icmp:
name: "100"
action: accept
proto: icmp
accept_lo:
name: "110"
proto: 'all'
iniface: 'lo'
action: 'accept'
accept_related_established:
name: "120"
proto: 'all'
ctstate:
- 'RELATED'
- 'ESTABLISHED'
action: 'accept'
iptables::rules_post:
reject_remaining_tcp:
name: "998"
chain: INPUT
proto: 'tcp'
action: 'reject'
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
reject_remaining_udp:
name: "999"
chain: INPUT
proto: 'udp'
action: 'reject'
reject: 'icmp-port-unreachable'
# ipv6 default rules
iptables::rules_pre_ipv6:
accept_icmpv6:
name: "100 ipv6"
proto: 'ipv6-icmp'
action: 'accept'
provider: 'ip6tables'
accept_lo_ipv6:
name: "110 ipv6"
proto: 'all'
iniface: 'lo'
action: 'accept'
provider: 'ip6tables'
accept_related_established_ipv6:
name: "120 ipv6"
proto: 'all'
state:
- 'RELATED'
- 'ESTABLISHED'
action: 'accept'
provider: 'ip6tables'
iptables::rules_post_ipv6:
reject_remaining_tcp_ipv6:
name: "998 ipv6"
chain: INPUT
proto: 'tcp'
action: 'reject'
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
provider: 'ip6tables'
reject_remaining_udp_ipv6:
name: "999 ipv6"
chain: INPUT
proto: 'udp'
action: 'reject'
reject: 'icmp6-port-unreachable'
provider: 'ip6tables'
# firewall chain for ssh defence
iptables::sshscan_chain:
sshscan_chain:
name: 'SSHSCAN:filter:IPv4'
ensure: present
# ssh defence firewall rules
iptables::rules_ssh_defence:
forward_to_defence:
name: "130 ssh defence"
chain: INPUT
proto: 'tcp'
dport: '22'
state: 'NEW'
jump: SSHSCAN
log_attempts:
name: "100 log attempts"
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
rseconds: 300
rhitcount: 10
rsource: true
log_level: 'debug'
log_prefix: 'SSH SCAN blocked: '
jump: LOG
drop_connections:
name: "110 drop attacker"
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
rseconds: 300
rhitcount: 10
rsource: true
action: 'drop'
allow_connections:
name: "120 accept connections"
chain: SSHSCAN
proto: 'tcp'
rname: 'SSH'
recent: 'set'
action: 'accept'
# firewall ipv6 chain for ssh defence
iptables::sshscan_chain_ipv6:
sshscan_chain_ipv6:
name: 'SSHSCAN:filter:IPv6'
ensure: present
# ssh defence ipv6 firewall rules
iptables::rules_ssh_defence_ipv6:
forward_to_defence_ipv6:
name: "130 ipv6 ssh defence"
chain: INPUT
proto: 'tcp'
dport: '22'
state: 'NEW'
jump: SSHSCAN
provider: 'ip6tables'
log_ipv6_attempts:
name: "100 log ipv6 attempts"
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
rseconds: 300
rhitcount: 10
rsource: true
log_level: 'debug'
log_prefix: 'SSH SCAN blocked: '
jump: LOG
provider: 'ip6tables'
drop_ipv6_connections:
name: "110 drop ipv6 attacker"
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
rseconds: 300
rhitcount: 10
rsource: true
action: 'drop'
provider: 'ip6tables'
allow_ipv6_connections:
name: "120 accept ipv6 connections"
chain: SSHSCAN
proto: 'tcp'
rname: 'SSH'
recent: 'set'
action: 'accept'
provider: 'ip6tables'
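Review bot: The catch-all rules at the bottom of INPUT (`reject_remaining_tcp`, `reject_remaining_udp` and their IPv6 twins) only cover TCP SYN packets and UDP, so a TCP packet that is neither a SYN nor RELATED/ESTABLISHED (ctstate INVALID) and any other protocol (SCTP, GRE, …) falls through to the chain policy, which nothing in this commit sets to DROP; a final rule such as `name: "997"`, `chain: INPUT`, `proto: 'all'`, `ctstate: 'INVALID'`, `action: 'drop'` (or declaring the INPUT chain with `policy: drop`) closes that gap, and the FORWARD chain is likewise untouched. The ssh-defence LOG rules use `log_level: 'debug'`, which many default syslog configurations discard, so the blocked-attempt evidence may never reach a collector; `'warning'` or `'info'` is the usual choice for something a SOC wants to see. The `forward_to_defence` rules and the IPv6 `accept_related_established_ipv6` use `state:` while the IPv4 `accept_related_established` uses `ctstate:`; `state` is the older of the two keys in the firewall module, so using `ctstate` throughout avoids a later deprecation surprise. Only `iptables::rules` gets `lookup_options: merge: deep`, so a node-level override of `rules_pre`/`rules_post` replaces the whole default set rather than adding to it — probably intended, but worth a comment if so.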
---
version: 5
defaults: # Used for any hierarchy level that omits these keys.
datadir: data # This path is relative to hiera.yaml's directory.
data_hash: yaml_data # Use the built-in YAML backend.
hierarchy:
- name: "Common data"
path: "common.yaml"
# Pull firewall rule and chain definitions from hiera and create resources
# out of them. Can be used as a resource in a manifest.
#
# Optionally creates ssh defence iptables rules. Note that adding it
# implies ssh being accessible to the world.
#
# TODO: Add ssh defence code for IPv6
class iptables (
$rules_pre = {},
$rules_post = {},
$rules_pre_ipv6 = {},
$rules_post_ipv6 = {},
$rules = {},
$chains = {},
$managed = true,
$ssh_defence = false,
$ssh_defence_secs = 300,
$ssh_defence_limit = 5,
) {
# enable firewall
include firewall
# purge all firewall rules not managed by puppet
resources { 'firewall': purge => $managed }
# check if the server has public IPv6 address
$public_ipv6 = ($facts['networking']['network6'] =~ /^2607:f6d0/)
# Create firewall chains
create_resources('firewallchain', $chains)
# Create the ipv4 rules at the top of the stack
create_resources('firewall', $rules_pre)
# Create the ipv4 rules at the bottom of the stack
create_resources('firewall', $rules_post)
# Check if a server has a public ipv6 address
if $public_ipv6 {
# Create the ipv6 rules at the top of the stack
create_resources('firewall', $rules_pre_ipv6)
# Create the ipv6 rules at the bottom of the stack
create_resources('firewall', $rules_post_ipv6)
}
# Create the rest of the rules
create_resources('firewall_multi', $rules)
# Turn ssh defence on if requested
if $ssh_defence {
# create a hash with the parameters of the class to
# merge with the hiera lookup, which takes precedence
$opts = {
log_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
drop_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
}
$opts_merged = deep_merge(lookup('iptables::rules_ssh_defence'), $opts)
create_resources('firewallchain', lookup('iptables::sshscan_chain'))
create_resources('firewall', $opts_merged)
# engage ssh defence for ipv6
if $public_ipv6 {
$opts_ipv6 = {
log_ipv6_attempts => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
drop_ipv6_connections => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
}
$opts_merged_ipv6 = deep_merge(lookup('iptables::rules_ssh_defence_ipv6'), $opts_ipv6)
create_resources('firewallchain', lookup('iptables::sshscan_chain_ipv6'))
create_resources('firewall', $opts_merged_ipv6)
}
}
}
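Review bot: The comment above `$opts` says the hiera lookup takes precedence, but `deep_merge(lookup('iptables::rules_ssh_defence'), $opts)` lets the rightmost hash win for non-hash keys, so the class defaults (`$ssh_defence_limit = 5`, `$ssh_defence_secs = 300`) silently overwrite the `rseconds`/`rhitcount` values set in common.yaml (10 hits) on every run; either swap the two arguments or, if the class parameters are meant to win, fix the comment — the IPv6 branch has the same inversion. `$facts['networking']['network6'] =~ /^2607:f6d0/` hard-codes one provider's prefix and, on a host with no IPv6 address, matches a regex against undef, which I believe aborts catalog compilation on Puppet 4+ — confirm, and consider `$public_ipv6 = (String($facts.dig('networking', 'network6')) =~ /^2607:f6d0/)` with the prefix lifted into a class parameter. `resources { 'firewall': purge => $managed }` purges rules but not `firewallchain` resources, so ad-hoc chains survive a `managed => true` run. The README documents the parameter as `ssh_defence_sec` while the class declares `$ssh_defence_secs`, and the TODO about IPv6 ssh defence is already implemented in the `if $public_ipv6` branch and can go.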