
Commit 89abadea authored by Alex Tayts's avatar Alex Tayts

fix compatibility issues with firewall 2.0

parent 328679e2
......@@ -7,74 +7,64 @@ lookup_options:
# ipv4 default rules
iptables::rules_pre:
accept_icmp:
name: "100"
action: accept
'100 ipv4':
proto: icmp
accept_lo:
name: "110"
action: accept
'110 ipv4':
proto: 'all'
iniface: 'lo'
action: 'accept'
accept_related_established:
name: "120"
action: accept
'120 ipv4':
proto: 'all'
ctstate:
- 'RELATED'
- 'ESTABLISHED'
action: 'accept'
action: accept
iptables::rules_post:
reject_remaining_tcp:
name: "998"
'998 ipv4':
chain: INPUT
proto: 'tcp'
action: 'reject'
proto: tcp
action: reject
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
reject_remaining_udp:
name: "999"
'999 ipv4':
chain: INPUT
proto: 'udp'
action: 'reject'
proto: udp
action: reject
reject: 'icmp-port-unreachable'
# ipv6 default rules
iptables::rules_pre_ipv6:
accept_icmpv6:
name: "100 ipv6"
'100 ipv6':
proto: 'ipv6-icmp'
action: 'accept'
action: accept
provider: 'ip6tables'
accept_lo_ipv6:
name: "110 ipv6"
'110 ipv6':
proto: 'all'
iniface: 'lo'
action: 'accept'
action: accept
provider: 'ip6tables'
accept_related_established_ipv6:
name: "120 ipv6"
'120 ipv6':
proto: 'all'
state:
- 'RELATED'
- 'ESTABLISHED'
action: 'accept'
action: accept
provider: 'ip6tables'
iptables::rules_post_ipv6:
reject_remaining_tcp_ipv6:
name: "998 ipv6"
'998 ipv6':
chain: INPUT
proto: 'tcp'
action: 'reject'
proto: tcp
action: reject
reject: 'tcp-reset'
tcp_flags: 'FIN,SYN,RST,ACK SYN'
provider: 'ip6tables'
reject_remaining_udp_ipv6:
name: "999 ipv6"
'999 ipv6':
chain: INPUT
proto: 'udp'
action: 'reject'
proto: udp
action: reject
reject: 'icmp6-port-unreachable'
provider: 'ip6tables'
......@@ -86,15 +76,13 @@ iptables::sshscan_chain:
# ssh defence firewall rules
iptables::rules_ssh_defence:
forward_to_defence:
name: "130 ssh defence"
'130 ssh defence':
chain: INPUT
proto: 'tcp'
proto: tcp
dport: '22'
state: 'NEW'
jump: SSHSCAN
log_attempts:
name: "100 log attempts"
'100 log hits':
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
......@@ -104,8 +92,7 @@ iptables::rules_ssh_defence:
log_level: 'debug'
log_prefix: 'SSH SCAN blocked: '
jump: LOG
drop_connections:
name: "110 drop attacker"
'110 drop attacker':
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
......@@ -113,13 +100,12 @@ iptables::rules_ssh_defence:
rhitcount: 10
rsource: true
action: 'drop'
allow_connections:
name: "120 accept connections"
'120 accept connections':
chain: SSHSCAN
proto: 'tcp'
proto: tcp
rname: 'SSH'
recent: 'set'
action: 'accept'
action: accept
# firewall ipv6 chain for ssh defence
iptables::sshscan_chain_ipv6:
......@@ -129,16 +115,14 @@ iptables::sshscan_chain_ipv6:
# ssh defence ipv6 firewall rules
iptables::rules_ssh_defence_ipv6:
forward_to_defence_ipv6:
name: "130 ipv6 ssh defence"
'130 ipv6 ssh defence':
chain: INPUT
proto: 'tcp'
proto: tcp
dport: '22'
state: 'NEW'
jump: SSHSCAN
provider: 'ip6tables'
log_ipv6_attempts:
name: "100 log ipv6 attempts"
'100 log ipv6 attempts':
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
......@@ -149,8 +133,7 @@ iptables::rules_ssh_defence_ipv6:
log_prefix: 'SSH SCAN blocked: '
jump: LOG
provider: 'ip6tables'
drop_ipv6_connections:
name: "110 drop ipv6 attacker"
'110 drop ipv6 attacker':
chain: SSHSCAN
rname: 'SSH'
recent: 'update'
......@@ -159,12 +142,11 @@ iptables::rules_ssh_defence_ipv6:
rsource: true
action: 'drop'
provider: 'ip6tables'
allow_ipv6_connections:
name: "120 accept ipv6 connections"
'120 accept ipv6 connections':
chain: SSHSCAN
proto: 'tcp'
proto: tcp
rname: 'SSH'
recent: 'set'
action: 'accept'
action: accept
provider: 'ip6tables'
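Review bot: The IPv4 established/related rule `'120 ipv4'` now matches on `ctstate:` while its IPv6 twin `'120 ipv6'` still uses `state:` (`state:` / `- 'RELATED'` / `- 'ESTABLISHED'`), and the two ssh-defence forward rules `'130 ssh defence'` and `'130 ipv6 ssh defence'` keep `state: 'NEW'`. If the firewall 2.0 compatibility work is what moved the IPv4 rule from the `state` match to the `conntrack` match, the IPv6 and ssh-defence rules presumably need the same treatment: `ctstate:` in place of `state:` on the `'120 ipv6'` rule and `ctstate: 'NEW'` on both `'130 … ssh defence'` rules. Leaving them on the older match is at best an inconsistency between address families and, if the provider no longer honours `state`, would drop the IPv6 ESTABLISHED accept so that return traffic hits the `'998 ipv6'`/`'999 ipv6'` rejects — worth confirming against the provider version actually deployed. The hiera document continues above and below the visible hunks.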
......@@ -53,11 +53,11 @@ class iptables (
# create a hash with the parameters of the class to
# merge with the hiera lookup, which takes precedence
$opts = {
log_attempts => {
'100 log hits' => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
drop_connections => {
'110 drop attacker' => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
......@@ -71,11 +71,11 @@ class iptables (
# engage ssh defence for ipv6
if $public_ipv6 {
$opts_ipv6 = {
log_ipv6_attempts => {
'100 log ipv6 attempts' => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
},
drop_ipv6_connections => {
'110 drop ipv6 attacker' => {
rseconds => $ssh_defence_secs,
rhitcount => $ssh_defence_limit,
}
......