From d091e46dc061d81c3a9e2f561efa15a4ee94a187 Mon Sep 17 00:00:00 2001 From: Emilien Macchi Date: Mon, 8 Jun 2015 17:45:58 -0400 Subject: Implement Advanced Firewalling support * Provide a Define function which will allow to manage IPtables rules. * Manage rules in 'pre' and 'post' Puppet stages, it allows to create rules before and after regular Puppet stages (ie: to make sure no rule exists *before* and everything is blocked *after* regular Puppet stages) Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89 --- manifests/firewall/post.pp | 51 +++++++++++++++++++++++++++++ manifests/firewall/pre.pp | 57 +++++++++++++++++++++++++++++++++ manifests/firewall/rule.pp | 80 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 188 insertions(+) create mode 100644 manifests/firewall/post.pp create mode 100644 manifests/firewall/pre.pp create mode 100644 manifests/firewall/rule.pp (limited to 'manifests/firewall') diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp new file mode 100644 index 0000000..b76db75 --- /dev/null +++ b/manifests/firewall/post.pp @@ -0,0 +1,51 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::firewall::post +# +# Firewall rules during 'post' Puppet stage +# +# === Parameters: +# +# [*debug*] +# (optional) Set log output to debug output +# Defaults to false +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class tripleo::firewall::post( + $debug = false, + $firewall_settings = {}, +){ + + if $debug { + warning('debug is enabled, the traffic is not blocked.') + } else { + firewall { '998 log all': + proto => 'all', + jump => 'LOG', + } + tripleo::firewall::rule{ '999 drop all': + proto => 'all', + action => 'drop', + extras => $firewall_settings, + } + notice('At this stage, all network traffic is blocked.') + } + +} diff --git a/manifests/firewall/pre.pp b/manifests/firewall/pre.pp new file mode 100644 index 0000000..2d7203a --- /dev/null +++ b/manifests/firewall/pre.pp @@ -0,0 +1,57 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Class: tripleo::firewall::pre +# +# Firewall rules during 'pre' Puppet stage +# +# === Parameters: +# +# [*firewall_settings*] +# (optional) Allow to add custom parameters to firewall rules +# Should be an hash. +# Default to {} +# +class tripleo::firewall::pre( + $firewall_settings = {}, +){ + + # ensure the correct packages are installed + include ::firewall + + # defaults 'pre' rules + tripleo::firewall::rule{ '000 accept related established rules': + proto => 'all', + state => ['RELATED', 'ESTABLISHED'], + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '001 accept all icmp': + proto => 'icmp', + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '002 accept all to lo interface': + proto => 'all', + iniface => 'lo', + extras => $firewall_settings, + } + + tripleo::firewall::rule{ '003 accept ssh': + port => '22', + extras => $firewall_settings, + } + +} diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp new file mode 100644 index 0000000..02afbc2 --- /dev/null +++ b/manifests/firewall/rule.pp @@ -0,0 +1,80 @@ +# +# Copyright (C) 2015 eNovance SAS +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Define: tripleo::firewall::rule +# +# Define used to manage IPtables rules. +# +# === Parameters: +# +# [*port*] +# (optional) The port associated to the rule. +# Defaults to undef +# +# [*proto*] +# (optional) The protocol associated to the rule. +# Defaults to 'tcp' +# +# [*action*] +# (optional) The action policy associated to the rule. +# Defaults to 'accept' +# +# [*state*] +# (optional) Array of states associated to the rule.. +# Defaults to ['NEW'] +# +# [*source*] +# (optional) The source IP address associated to the rule. +# Defaults to '0.0.0.0/0' +# +# [*iniface*] +# (optional) The network interface associated to the rule. +# Defaults to undef +# +# [*chain*] +# (optional) The chain associated to the rule. +# Defaults to 'INPUT' +# +# [*extras*] +# (optional) Hash of any puppetlabs-firewall supported parameters. +# Defaults to {} +# +define tripleo::firewall::rule ( + $port = undef, + $proto = 'tcp', + $action = 'accept', + $state = ['NEW'], + $source = '0.0.0.0/0', + $iniface = undef, + $chain = 'INPUT', + $extras = {}, +) { + + $basic = { + 'port' => $port, + 'proto' => $proto, + 'action' => $action, + 'state' => $state, + 'source' => $source, + 'iniface' => $iniface, + 'chain' => $chain, + } + + $rule = merge($basic, $extras) + validate_hash($rule) + + create_resources('firewall', { "${title}" => $rule }) + +} -- cgit 1.2.3-korg