484 lines
11 KiB
Puppet
484 lines
11 KiB
Puppet
class fuel::iptables (
|
|
$network_address,
|
|
$network_cidr,
|
|
|
|
$admin_iface = $::fuel::params::admin_interface,
|
|
$ssh_port = '22',
|
|
$ssh_network = '0.0.0.0/0',
|
|
$ssh_rseconds = 60,
|
|
$ssh_rhitcount = 4,
|
|
$nailgun_web_port = $::fuel::params::nailgun_port,
|
|
$nailgun_internal_port = $::fuel::params::nailgun_internal_port,
|
|
$nailgun_serialization_port = $::fuel::params::nailgun_serialization_port,
|
|
$nailgun_repo_port = $::fuel::params::repo_port,
|
|
$postgres_port = $::fuel::params::db_port,
|
|
$ostf_port = $::fuel::params::ostf_port,
|
|
$rsync_port = '873',
|
|
$rsyslog_port = '514',
|
|
$ntp_port = '123',
|
|
$rabbitmq_ports = ['4369','5672','61613'],
|
|
$rabbitmq_admin_port = '15672',
|
|
$fuelweb_port = $::fuel::params::nailgun_ssl_port,
|
|
$keystone_port = $::fuel::params::keystone_port,
|
|
$keystone_admin_port = $::fuel::params::keystone_admin_port,
|
|
$chain = 'INPUT',
|
|
) inherits fuel::params {
|
|
|
|
include ::provision::iptables
|
|
|
|
firewallchain { 'INPUT:filter:IPv4':
|
|
ensure => present,
|
|
policy => drop,
|
|
before => undef,
|
|
purge => true,
|
|
}
|
|
|
|
firewallchain { 'FORWARD:filter:IPv4':
|
|
ensure => present,
|
|
policy => drop,
|
|
before => undef,
|
|
purge => true,
|
|
}
|
|
|
|
firewallchain { 'POSTROUTING:nat:IPv4':
|
|
ensure => present,
|
|
policy => accept,
|
|
before => undef,
|
|
purge => true,
|
|
}
|
|
|
|
firewallchain { 'POSTROUTING:mangle:IPv4':
|
|
ensure => present,
|
|
policy => accept,
|
|
before => undef,
|
|
purge => true,
|
|
}
|
|
|
|
# Chains for externally defined rules (not managed by Puppet)
|
|
|
|
firewallchain { 'ext-filter-input:filter:IPv4':
|
|
ensure => present,
|
|
before => undef,
|
|
purge => false,
|
|
}
|
|
|
|
firewallchain { 'ext-filter-forward:filter:IPv4':
|
|
ensure => present,
|
|
before => undef,
|
|
purge => false,
|
|
}
|
|
|
|
firewallchain { 'ext-nat-postrouting:nat:IPv4':
|
|
ensure => present,
|
|
before => undef,
|
|
purge => false,
|
|
}
|
|
|
|
firewallchain { 'ext-mangle-postrouting:mangle:IPv4':
|
|
ensure => present,
|
|
before => undef,
|
|
purge => false,
|
|
}
|
|
|
|
## INPUT:filter:IPv4
|
|
|
|
firewall { '000 allow loopback':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
iniface => 'lo',
|
|
action => 'accept',
|
|
}
|
|
|
|
# use SSH brute frorce protection only for external networks
|
|
if $ssh_network == '0.0.0.0/0' {
|
|
|
|
firewall { '007 ssh: new pipe for a sessions':
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
iniface => "! $admin_iface",
|
|
state => 'NEW',
|
|
recent => 'set',
|
|
}
|
|
|
|
firewall { '008 ssh: more than allowed attempts logged':
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
iniface => "! $admin_iface",
|
|
state => 'NEW',
|
|
recent => 'update',
|
|
rseconds => $ssh_rseconds,
|
|
rhitcount => $ssh_rhitcount,
|
|
jump => 'LOG',
|
|
log_prefix => 'iptables SSH brute-force: ',
|
|
log_level => '7',
|
|
}
|
|
|
|
firewall { '009 ssh: block more than allowed attempts':
|
|
proto => 'tcp',
|
|
dport => $ssh_port,
|
|
iniface => "! $admin_iface",
|
|
state => 'NEW',
|
|
recent => 'update',
|
|
rseconds => $ssh_rseconds,
|
|
rhitcount => $ssh_rhitcount,
|
|
action => 'drop',
|
|
}
|
|
|
|
}
|
|
|
|
firewall { '010 ssh':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ssh_port,
|
|
proto => 'tcp',
|
|
source => $ssh_network,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '020 ntp':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ntp_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '030 ntp_udp':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ntp_port,
|
|
proto => 'udp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '040 snmp':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => '162',
|
|
proto => 'udp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '050 nailgun_web':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $nailgun_web_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '060 nailgun_internal':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $nailgun_internal_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '065 nailgun_serialization_port':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $nailgun_serialization_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '070 nailgun_internal_block_ext':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $nailgun_internal_port,
|
|
proto => 'tcp',
|
|
action => 'reject',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '080 postgres_local':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $postgres_port,
|
|
proto => 'tcp',
|
|
src_type => 'LOCAL',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '090 postgres':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $postgres_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '100 postgres_block_ext':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $postgres_port,
|
|
proto => 'tcp',
|
|
action => 'reject',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '110 ostf_admin':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ostf_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '120 ostf_local':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ostf_port,
|
|
proto => 'tcp',
|
|
src_type => 'LOCAL',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '130 ostf_block_ext':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $ostf_port,
|
|
proto => 'tcp',
|
|
action => 'reject',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '140 rsync':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $rsync_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '150 rsyslog':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $rsyslog_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '160 rsyslog':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $rsyslog_port,
|
|
proto => 'udp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '170 rabbitmq_admin_net':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $rabbitmq_ports,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '180 rabbitmq_local':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => concat($rabbitmq_ports, $rabbitmq_admin_port),
|
|
proto => 'tcp',
|
|
src_type => 'LOCAL',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '190 rabbitmq_block_ext':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $rabbitmq_ports,
|
|
proto => 'tcp',
|
|
action => 'reject',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '200 fuelweb_port':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $fuelweb_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '210 keystone_admin':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $keystone_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '220 keystone_admin_port admin_net':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $keystone_admin_port,
|
|
proto => 'tcp',
|
|
iniface => $admin_iface,
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '230 nailgun_repo_admin':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
dport => $nailgun_repo_port,
|
|
proto => 'tcp',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '240 allow icmp echo-request':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'icmp',
|
|
icmp => 'echo-request',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '250 allow icmp echo-reply':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'icmp',
|
|
icmp => 'echo-reply',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '260 allow icmp dest-unreach':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'icmp',
|
|
icmp => 'destination-unreachable',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '270 allow icmp time-exceeded':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'icmp',
|
|
icmp => 'time-exceeded',
|
|
action => 'accept',
|
|
state => ['NEW'],
|
|
}
|
|
|
|
firewall { '970 externally defined rules: ext-filter-input':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
jump => 'ext-filter-input',
|
|
}
|
|
|
|
firewall { '980 accept related established rules':
|
|
chain => $chain,
|
|
table => 'filter',
|
|
proto => 'all',
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '999 iptables denied':
|
|
chain => 'INPUT',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
limit => '5/min',
|
|
jump => 'LOG',
|
|
log_prefix => 'iptables denied: ',
|
|
log_level => '7',
|
|
}
|
|
|
|
## FORWARD:filter:IPv4
|
|
|
|
firewall { '010 forward admin_net':
|
|
chain => 'FORWARD',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
source => "${network_address}/${network_cidr}",
|
|
iniface => $admin_iface,
|
|
state => ['NEW'],
|
|
action => 'accept',
|
|
}
|
|
|
|
firewall { '970 externally defined rules':
|
|
chain => 'FORWARD',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
jump => 'ext-filter-forward',
|
|
}
|
|
|
|
firewall { '980 forward admin_net conntrack':
|
|
chain => 'FORWARD',
|
|
table => 'filter',
|
|
proto => 'all',
|
|
state => ['RELATED', 'ESTABLISHED'],
|
|
action => 'accept',
|
|
}
|
|
|
|
## POSTROUTING:nat:IPv4
|
|
|
|
firewall { '010 forward_admin_net':
|
|
chain => 'POSTROUTING',
|
|
table => 'nat',
|
|
proto => 'all',
|
|
source => "${network_address}/${network_cidr}",
|
|
outiface => 'e+',
|
|
jump => 'MASQUERADE',
|
|
}
|
|
|
|
firewall { '980 externally defined rules: ext-nat-postrouting':
|
|
chain => 'POSTROUTING',
|
|
table => 'nat',
|
|
proto => 'all',
|
|
jump => 'ext-nat-postrouting',
|
|
}
|
|
|
|
## POSTROUTING:mangle:IPv4
|
|
|
|
firewall { '010 recalculate dhcp checksum':
|
|
chain => 'POSTROUTING',
|
|
table => 'mangle',
|
|
proto => 'udp',
|
|
dport => 68,
|
|
jump => 'CHECKSUM',
|
|
checksum_fill => true,
|
|
}
|
|
|
|
firewall { '980 externally defined rules: ext-mangle-postrouting':
|
|
chain => 'POSTROUTING',
|
|
table => 'mangle',
|
|
proto => 'all',
|
|
jump => 'ext-mangle-postrouting',
|
|
}
|
|
}
|