From d091e46dc061d81c3a9e2f561efa15a4ee94a187 Mon Sep 17 00:00:00 2001
From: Emilien Macchi <emilien@redhat.com>
Date: Mon, 8 Jun 2015 17:45:58 -0400
Subject: Implement Advanced Firewalling support

* Provide a define (tripleo::firewall::rule) that manages iptables rules.
* Manage rules in 'pre' and 'post' Puppet stages, which allows creating
  rules before and after the regular Puppet stages (i.e. to make sure the
  baseline accept rules exist *before* and everything else is blocked
  *after* the regular Puppet stages)

Change-Id: I84fc79096f6fc3db76a61d012d8cb62dd12bdd89
---
 manifests/firewall/post.pp | 51 +++++++++++++++++++++++++++++
 manifests/firewall/pre.pp  | 57 +++++++++++++++++++++++++++++++++
 manifests/firewall/rule.pp | 80 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 188 insertions(+)
 create mode 100644 manifests/firewall/post.pp
 create mode 100644 manifests/firewall/pre.pp
 create mode 100644 manifests/firewall/rule.pp


diff --git a/manifests/firewall/post.pp b/manifests/firewall/post.pp
new file mode 100644
index 0000000..b76db75
--- /dev/null
+++ b/manifests/firewall/post.pp
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::firewall::post
+#
+# Firewall rules during 'post' Puppet stage
+#
+# === Parameters:
+#
+# [*debug*]
+#   (optional) Set log output to debug output
+#   Defaults to false
+#
+# [*firewall_settings*]
+#   (optional) Allow to add custom parameters to firewall rules
+#   Should be an hash.
+#   Default to {}
+#
+class tripleo::firewall::post(
+  $debug             = false,
+  $firewall_settings = {},
+){
+
+  if $debug {
+    warning('debug is enabled, the traffic is not blocked.')
+  } else {
+    firewall { '998 log all':
+      proto => 'all',
+      jump  => 'LOG',
+    }
+    tripleo::firewall::rule{ '999 drop all':
+      proto  => 'all',
+      action => 'drop',
+      extras => $firewall_settings,
+    }
+    notice('At this stage, all network traffic is blocked.')
+  }
+
+}
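Review bot: The `'999 drop all'` rule is declared through `tripleo::firewall::rule`, whose `state` parameter defaults to `['NEW']`, so on the new side it renders as a drop of `--state NEW` packets only and INVALID (conntrack-rejected) packets fall through to whatever the chain policy is, which this class never sets. Make the final rule explicit, e.g. `state => ['INVALID', 'NEW'],` on the drop, or set the chain policy to DROP alongside it, so the notice on the next line ("all network traffic is blocked") is actually true. The `'998 log all'` rule above it logs every packet that reaches it with no rate limit, so a scan or flood turns into a log-volume problem; if the puppetlabs-firewall version in use supports it, add `limit => '5/min',` to that rule. Note also that `'998 log all'` is a bare `firewall` resource rather than `tripleo::firewall::rule`, so it is the only rule in pre/post that does not receive `$firewall_settings`; presumably unintended, worth confirming.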
diff --git a/manifests/firewall/pre.pp b/manifests/firewall/pre.pp
new file mode 100644
index 0000000..2d7203a
--- /dev/null
+++ b/manifests/firewall/pre.pp
@@ -0,0 +1,57 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::firewall::pre
+#
+# Firewall rules during 'pre' Puppet stage
+#
+# === Parameters:
+#
+# [*firewall_settings*]
+#   (optional) Allow to add custom parameters to firewall rules
+#   Should be an hash.
+#   Default to {}
+#
+class tripleo::firewall::pre(
+  $firewall_settings = {},
+){
+
+  # ensure the correct packages are installed
+  include ::firewall
+
+  # defaults 'pre' rules
+  tripleo::firewall::rule{ '000 accept related established rules':
+    proto  => 'all',
+    state  => ['RELATED', 'ESTABLISHED'],
+    extras => $firewall_settings,
+  }
+
+  tripleo::firewall::rule{ '001 accept all icmp':
+    proto  => 'icmp',
+    extras => $firewall_settings,
+  }
+
+  tripleo::firewall::rule{ '002 accept all to lo interface':
+    proto   => 'all',
+    iniface => 'lo',
+    extras  => $firewall_settings,
+  }
+
+  tripleo::firewall::rule{ '003 accept ssh':
+    port   => '22',
+    extras => $firewall_settings,
+  }
+
+}
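Review bot: The `'003 accept ssh'` rule inherits the define's default `source => '0.0.0.0/0'`, and this class exposes no parameter to narrow it, so every node ends up accepting SSH from any address with no way to scope it to a management network short of overriding via `$firewall_settings`. Add a class parameter `$ssh_source = '0.0.0.0/0',` (documented like the others) and pass `source => $ssh_source,` on that rule, keeping the current behaviour as the default. Separately, the commit message says the pre stage makes sure "no rule exists before", but nothing in this class purges pre-existing rules (no `resources { 'firewall': purge => true }`), so stale accept rules from a previous run survive; if purging is handled elsewhere, a one-line comment saying so would save the next reader the search.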
diff --git a/manifests/firewall/rule.pp b/manifests/firewall/rule.pp
new file mode 100644
index 0000000..02afbc2
--- /dev/null
+++ b/manifests/firewall/rule.pp
@@ -0,0 +1,80 @@
+#
+# Copyright (C) 2015 eNovance SAS <licensing@enovance.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Define: tripleo::firewall::rule
+#
+# Define used to manage IPtables rules.
+#
+# === Parameters:
+#
+# [*port*]
+#  (optional) The port associated to the rule.
+#  Defaults to undef
+#
+# [*proto*]
+#  (optional) The protocol associated to the rule.
+#  Defaults to 'tcp'
+#
+# [*action*]
+#  (optional) The action policy associated to the rule.
+#  Defaults to 'accept'
+#
+# [*state*]
+#  (optional) Array of states associated to the rule..
+#  Defaults to ['NEW']
+#
+# [*source*]
+#  (optional) The source IP address associated to the rule.
+#  Defaults to '0.0.0.0/0'
+#
+# [*iniface*]
+#  (optional) The network interface associated to the rule.
+#  Defaults to undef
+#
+# [*chain*]
+#  (optional) The chain associated to the rule.
+#  Defaults to 'INPUT'
+#
+# [*extras*]
+#  (optional) Hash of any puppetlabs-firewall supported parameters.
+#  Defaults to {}
+#
+define tripleo::firewall::rule (
+  $port    = undef,
+  $proto   = 'tcp',
+  $action  = 'accept',
+  $state   = ['NEW'],
+  $source  = '0.0.0.0/0',
+  $iniface = undef,
+  $chain   = 'INPUT',
+  $extras  = {},
+) {
+
+  $basic = {
+    'port'    => $port,
+    'proto'   => $proto,
+    'action'  => $action,
+    'state'   => $state,
+    'source'  => $source,
+    'iniface' => $iniface,
+    'chain'   => $chain,
+  }
+
+  $rule = merge($basic, $extras)
+  validate_hash($rule)
+
+  create_resources('firewall', { "${title}" => $rule })
+
+}
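Review bot: `validate_hash($rule)` runs on the output of `merge`, which can only ever be a hash, so nothing here validates what the caller actually supplied; in particular `$action` is passed straight through to the `firewall` resource and `$extras` is merged last, so a key in `$extras` silently replaces `chain`, `action` or `source` for every rule that receives the same `firewall_settings` hash. Validate the inputs instead: `validate_hash($extras)` before the merge, and `validate_re($action, '^(accept|drop|reject)$', "Invalid action: ${action}")` so a typo does not turn into an unmanaged rule at apply time. The `source => '0.0.0.0/0'` default is also IPv4-only, so a caller selecting the ip6tables provider through `$extras` would presumably have to override `source` as well; worth a line in the `[*source*]` doc block, and the stray `..` in the `[*state*]` description can go at the same time.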
-- 