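class site_config::initial_firewall {

  # This class is intended to setup an initial firewall, before shorewall is
  # configured. The purpose of this is for the rare case where shorewall fails
  # to start, we should not expose services to the public.
  #
  # The rules are applied in two places: as if-pre-up.d hooks, so that they are
  # loaded before any interface is brought up at boot, and via exec, so that a
  # node is locked down as soon as this class is applied.

  # The SSH port comes from hiera so the firewall can keep it open. $ssh_port
  # is not referenced directly in this file; presumably it is read by the
  # ipv4firewall_up.rules.erb template (not visible here) - verify if changed.
  $ssh_config = hiera('ssh')
  $ssh_port   = $ssh_config['port']

  # The exec commands and their 'unless' checks use shell syntax (input
  # redirection and '&&'), so they are run with the shell provider instead of
  # relying on the default posix provider handing them to a shell. 'test' is
  # unqualified, so a search path is given explicitly as well.
  $firewall_exec_path = ['/bin', '/usr/bin', '/sbin', '/usr/sbin']

  package { 'iptables':
    ensure => present
  }

  file {
    # This firewall enables ssh access, dns lookups and web lookups (for
    # package installation) but otherwise restricts all outgoing and incoming
    # ports.
    # Mode 0644 is kept; tighten to 0600 if the template ever embeds anything
    # beyond port numbers (iptables-restore runs as root, so root-only access
    # is sufficient).
    '/etc/network/ipv4firewall_up.rules':
      content => template('site_config/ipv4firewall_up.rules.erb'),
      owner   => root,
      group   => 0,
      mode    => '0644';

    # This firewall denys all ipv6 traffic - we will need to change this
    # when we begin to support ipv6
    '/etc/network/ipv6firewall_up.rules':
      content => template('site_config/ipv6firewall_up.rules.erb'),
      owner   => root,
      group   => 0,
      mode    => '0644';

    # Run the iptables-restore in if-pre-up so that the network is locked down
    # until the correct interfaces and ips are connected
    '/etc/network/if-pre-up.d/ipv4tables':
      content => "#!/bin/sh\n/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules\n",
      owner   => root,
      group   => 0,
      mode    => '0744';

    # Same as above for IPv6
    '/etc/network/if-pre-up.d/ipv6tables':
      content => "#!/bin/sh\n/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules\n",
      owner   => root,
      group   => 0,
      mode    => '0744';
  }

  # Immediately setup these firewall rules, but only if shorewall is not
  # running: when shorewall is up its rule set is authoritative and must not
  # be replaced by this minimal one. The 'unless' check relies on the
  # shorewall init script being present and its 'status' exit code being
  # meaningful - confirm this still holds on hosts without a SysV init script.
  # The exec is not refreshonly, so it also runs on every agent run while
  # shorewall is down, and re-runs when the rules file changes.
  # Package['iptables'] is required explicitly so the restore binary exists on
  # a first run, where nothing else orders it before the exec.
  exec {
    'default_ipv4_firewall':
      command   => '/sbin/iptables-restore < /etc/network/ipv4firewall_up.rules',
      provider  => 'shell',
      path      => $firewall_exec_path,
      logoutput => true,
      unless    => 'test -x /etc/init.d/shorewall && /etc/init.d/shorewall status',
      subscribe => File['/etc/network/ipv4firewall_up.rules'],
      require   => [
        Package['iptables'],
        File['/etc/network/ipv4firewall_up.rules'],
      ];

    'default_ipv6_firewall':
      command   => '/sbin/ip6tables-restore < /etc/network/ipv6firewall_up.rules',
      provider  => 'shell',
      path      => $firewall_exec_path,
      logoutput => true,
      unless    => 'test -x /etc/init.d/shorewall6 && /etc/init.d/shorewall6 status',
      subscribe => File['/etc/network/ipv6firewall_up.rules'],
      require   => [
        Package['iptables'],
        File['/etc/network/ipv6firewall_up.rules'],
      ];
  }
}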