other/Puppet: modules/firewall/spec/acceptance/rules

author	IBBoard <dev@ibboard.co.uk>
date	Sat, 14 Mar 2015 20:58:03 +0000
parents
children

rev	line source
39 d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	1 require 'spec_helper_acceptance'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	2
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	3 describe 'complex ruleset 1', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	4 before :all do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	5 iptables_flush_all_tables
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	6 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	7
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	8 after :all do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	9 shell('iptables -t filter -P INPUT ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	10 shell('iptables -t filter -P FORWARD ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	11 shell('iptables -t filter -P OUTPUT ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	12 shell('iptables -t filter --flush')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	13 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	14
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	15 it 'applies cleanly' do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	16 pp = <<-EOS
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	17 firewall { '090 forward allow local':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	18 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	19 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	20 source => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	21 destination => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	22 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	23 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	24 firewall { '100 forward standard allow tcp':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	25 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	26 source => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	27 destination => '!10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	28 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	29 state => 'NEW',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	30 port => [80,443,21,20,22,53,123,43,873,25,465],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	31 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	32 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	33 firewall { '100 forward standard allow udp':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	34 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	35 source => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	36 destination => '!10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	37 proto => 'udp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	38 port => [53,123],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	39 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	40 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	41 firewall { '100 forward standard allow icmp':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	42 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	43 source => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	44 destination => '!10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	45 proto => 'icmp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	46 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	47 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	48
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	49 firewall { '090 ignore ipsec':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	50 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	51 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	52 outiface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	53 ipsec_policy => 'ipsec',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	54 ipsec_dir => 'out',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	55 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	56 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	57 firewall { '093 ignore 10.0.0.0/8':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	58 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	59 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	60 outiface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	61 destination => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	62 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	63 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	64 firewall { '093 ignore 172.16.0.0/12':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	65 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	66 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	67 outiface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	68 destination => '172.16.0.0/12',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	69 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	70 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	71 firewall { '093 ignore 192.168.0.0/16':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	72 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	73 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	74 outiface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	75 destination => '192.168.0.0/16',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	76 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	77 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	78 firewall { '100 masq outbound':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	79 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	80 chain => 'POSTROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	81 outiface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	82 jump => 'MASQUERADE',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	83 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	84 firewall { '101 redirect port 1':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	85 table => 'nat',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	86 chain => 'PREROUTING',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	87 iniface => 'eth0',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	88 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	89 dport => '1',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	90 toports => '22',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	91 jump => 'REDIRECT',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	92 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	93 EOS
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	94
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	95 # Run it twice and test for idempotency
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	96 apply_manifest(pp, :catch_failures => true)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	97 expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	98 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	99
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	100 it 'contains appropriate rules' do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	101 shell('iptables-save') do \|r\|
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	102 [
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	103 /INPUT ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	104 /FORWARD ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	105 /OUTPUT ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	106 /-A FORWARD -s 10.0.0.0\/(8\|255\.0\.0\.0) -d 10.0.0.0\/(8\|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	107 /-A FORWARD -s 10.0.0.0\/(8\|255\.0\.0\.0) (! -d\|-d !) 10.0.0.0\/(8\|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	108 /-A FORWARD -s 10.0.0.0\/(8\|255\.0\.0\.0) (! -d\|-d !) 10.0.0.0\/(8\|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	109 /-A FORWARD -s 10.0.0.0\/(8\|255\.0\.0\.0) (! -d\|-d !) 10.0.0.0\/(8\|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	110 ].each do \|line\|
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	111 expect(r.stdout).to match(line)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	112 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	113 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	114 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	115 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	116
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	117 describe 'complex ruleset 2' do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	118 after :all do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	119 shell('iptables -t filter -P INPUT ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	120 shell('iptables -t filter -P FORWARD ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	121 shell('iptables -t filter -P OUTPUT ACCEPT')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	122 shell('iptables -t filter --flush')
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	123 expect(shell('iptables -t filter -X LOCAL_INPUT').stderr).to eq("")
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	124 expect(shell('iptables -t filter -X LOCAL_INPUT_PRE').stderr).to eq("")
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	125 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	126
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	127 it 'applies cleanly' do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	128 pp = <<-EOS
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	129 class { '::firewall': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	130
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	131 Firewall {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	132 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	133 stage => 'pre',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	134 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	135 Firewallchain {
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	136 stage => 'pre',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	137 purge => 'true',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	138 ignore => [
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	139 '--comment "[^"](?i:ignore)[^"]"',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	140 ],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	141 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	142
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	143 firewall { '010 INPUT allow established and related':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	144 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	145 state => ['ESTABLISHED', 'RELATED'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	146 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	147 before => Firewallchain['INPUT:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	148 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	149 firewall { "011 reject local traffic not on loopback interface":
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	150 iniface => '! lo',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	151 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	152 destination => '127.0.0.1/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	153 action => 'reject',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	154 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	155 firewall { '012 accept loopback':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	156 iniface => 'lo',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	157 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	158 before => Firewallchain['INPUT:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	159 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	160 firewall { '020 ssh':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	161 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	162 dport => '22',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	163 state => 'NEW',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	164 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	165 before => Firewallchain['INPUT:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	166 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	167 firewall { '025 smtp':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	168 outiface => '! eth0:2',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	169 chain => 'OUTPUT',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	170 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	171 dport => '25',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	172 state => 'NEW',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	173 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	174 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	175 firewall { '013 icmp echo-request':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	176 proto => 'icmp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	177 icmp => 'echo-request',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	178 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	179 source => '10.0.0.0/8',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	180 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	181 firewall { '013 icmp destination-unreachable':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	182 proto => 'icmp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	183 icmp => 'destination-unreachable',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	184 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	185 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	186 firewall { '013 icmp time-exceeded':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	187 proto => 'icmp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	188 icmp => 'time-exceeded',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	189 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	190 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	191 firewall { '443 ssl on aliased interface':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	192 proto => 'tcp',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	193 dport => '443',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	194 state => 'NEW',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	195 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	196 iniface => 'eth0:3',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	197 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	198 firewall { '999 reject':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	199 action => 'reject',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	200 reject => 'icmp-host-prohibited',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	201 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	202
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	203 firewallchain { 'LOCAL_INPUT_PRE:filter:IPv4': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	204 firewall { '001 LOCAL_INPUT_PRE':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	205 jump => 'LOCAL_INPUT_PRE',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	206 require => Firewallchain['LOCAL_INPUT_PRE:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	207 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	208 firewallchain { 'LOCAL_INPUT:filter:IPv4': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	209 firewall { '900 LOCAL_INPUT':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	210 jump => 'LOCAL_INPUT',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	211 require => Firewallchain['LOCAL_INPUT:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	212 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	213 firewallchain { 'INPUT:filter:IPv4':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	214 policy => 'drop',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	215 ignore => [
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	216 '-j fail2ban-ssh',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	217 '--comment "[^"](?i:ignore)[^"]"',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	218 ],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	219 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	220
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	221
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	222 firewall { '010 allow established and related':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	223 chain => 'FORWARD',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	224 proto => 'all',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	225 state => ['ESTABLISHED','RELATED'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	226 action => 'accept',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	227 before => Firewallchain['FORWARD:filter:IPv4'],
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	228 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	229 firewallchain { 'FORWARD:filter:IPv4':
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	230 policy => 'drop',
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	231 }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	232
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	233 firewallchain { 'OUTPUT:filter:IPv4': }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	234
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	235
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	236 # purge unknown rules from mangle table
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	237 firewallchain { ['PREROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', 'POSTROUTING:mangle:IPv4']: }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	238
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	239 # and the nat table
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	240 firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: }
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	241 EOS
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	242
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	243 # Run it twice and test for idempotency
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	244 apply_manifest(pp, :catch_failures => true)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	245 unless fact('selinux') == 'true'
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	246 apply_manifest(pp, :catch_changes => true)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	247 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	248 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	249
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	250 it 'contains appropriate rules' do
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	251 shell('iptables-save') do \|r\|
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	252 [
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	253 /INPUT DROP/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	254 /FORWARD DROP/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	255 /OUTPUT ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	256 /LOCAL_INPUT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	257 /LOCAL_INPUT_PRE/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	258 /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	259 /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	260 /-A INPUT -d 127.0.0.0\/(8\|255\.0\.0\.0) (! -i\|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	261 /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	262 /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	263 /-A INPUT -s 10.0.0.0\/(8\|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	264 /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	265 /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	266 /-A OUTPUT (! -o\|-o !) eth0:2 -p tcp -m multiport --dports 25 -m comment --comment \"025 smtp\" -m state --state NEW -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	267 /-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m comment --comment \"443 ssl on aliased interface\" -m state --state NEW -j ACCEPT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	268 /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	269 /-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited/,
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	270 /-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	271 ].each do \|line\|
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	272 expect(r.stdout).to match(line)
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	273 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	274 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	275 end
d6f2a0ee45c0 Add "Firewall" module IBBoard <dev@ibboard.co.uk> parents: diff changeset	276 end

39

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

1 require 'spec_helper_acceptance'

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

2

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

3 describe 'complex ruleset 1', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

4 before :all do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

5 iptables_flush_all_tables

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

6 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

7

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

8 after :all do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

9 shell('iptables -t filter -P INPUT ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

10 shell('iptables -t filter -P FORWARD ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

11 shell('iptables -t filter -P OUTPUT ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

12 shell('iptables -t filter --flush')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

13 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

14

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

15 it 'applies cleanly' do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

16 pp = <<-EOS

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

17 firewall { '090 forward allow local':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

18 chain => 'FORWARD',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

19 proto => 'all',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

20 source => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

21 destination => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

22 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

23 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

24 firewall { '100 forward standard allow tcp':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

25 chain => 'FORWARD',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

26 source => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

27 destination => '!10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

28 proto => 'tcp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

29 state => 'NEW',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

30 port => [80,443,21,20,22,53,123,43,873,25,465],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

31 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

32 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

33 firewall { '100 forward standard allow udp':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

34 chain => 'FORWARD',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

35 source => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

36 destination => '!10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

37 proto => 'udp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

38 port => [53,123],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

39 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

40 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

41 firewall { '100 forward standard allow icmp':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

42 chain => 'FORWARD',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

43 source => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

44 destination => '!10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

45 proto => 'icmp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

46 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

47 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

48

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

49 firewall { '090 ignore ipsec':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

50 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

51 chain => 'POSTROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

52 outiface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

53 ipsec_policy => 'ipsec',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

54 ipsec_dir => 'out',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

55 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

56 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

57 firewall { '093 ignore 10.0.0.0/8':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

58 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

59 chain => 'POSTROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

60 outiface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

61 destination => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

62 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

63 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

64 firewall { '093 ignore 172.16.0.0/12':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

65 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

66 chain => 'POSTROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

67 outiface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

68 destination => '172.16.0.0/12',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

69 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

70 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

71 firewall { '093 ignore 192.168.0.0/16':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

72 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

73 chain => 'POSTROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

74 outiface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

75 destination => '192.168.0.0/16',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

76 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

77 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

78 firewall { '100 masq outbound':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

79 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

80 chain => 'POSTROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

81 outiface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

82 jump => 'MASQUERADE',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

83 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

84 firewall { '101 redirect port 1':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

85 table => 'nat',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

86 chain => 'PREROUTING',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

87 iniface => 'eth0',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

88 proto => 'tcp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

89 dport => '1',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

90 toports => '22',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

91 jump => 'REDIRECT',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

92 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

93 EOS

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

94

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

95 # Run it twice and test for idempotency

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

96 apply_manifest(pp, :catch_failures => true)

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

97 expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

98 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

99

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

100 it 'contains appropriate rules' do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

101 shell('iptables-save') do |r|

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

102 [

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

103 /INPUT ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

104 /FORWARD ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

105 /OUTPUT ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

106 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

107 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

108 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

109 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

110 ].each do |line|

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

111 expect(r.stdout).to match(line)

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

112 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

113 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

114 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

115 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

116

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

117 describe 'complex ruleset 2' do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

118 after :all do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

119 shell('iptables -t filter -P INPUT ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

120 shell('iptables -t filter -P FORWARD ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

121 shell('iptables -t filter -P OUTPUT ACCEPT')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

122 shell('iptables -t filter --flush')

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

123 expect(shell('iptables -t filter -X LOCAL_INPUT').stderr).to eq("")

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

124 expect(shell('iptables -t filter -X LOCAL_INPUT_PRE').stderr).to eq("")

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

125 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

126

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

127 it 'applies cleanly' do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

128 pp = <<-EOS

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

129 class { '::firewall': }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

130

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

131 Firewall {

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

132 proto => 'all',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

133 stage => 'pre',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

134 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

135 Firewallchain {

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

136 stage => 'pre',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

137 purge => 'true',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

138 ignore => [

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

139 '--comment "[^"]*(?i:ignore)[^"]*"',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

140 ],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

141 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

142

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

143 firewall { '010 INPUT allow established and related':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

144 proto => 'all',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

145 state => ['ESTABLISHED', 'RELATED'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

146 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

147 before => Firewallchain['INPUT:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

148 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

149 firewall { "011 reject local traffic not on loopback interface":

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

150 iniface => '! lo',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

151 proto => 'all',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

152 destination => '127.0.0.1/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

153 action => 'reject',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

154 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

155 firewall { '012 accept loopback':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

156 iniface => 'lo',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

157 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

158 before => Firewallchain['INPUT:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

159 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

160 firewall { '020 ssh':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

161 proto => 'tcp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

162 dport => '22',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

163 state => 'NEW',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

164 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

165 before => Firewallchain['INPUT:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

166 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

167 firewall { '025 smtp':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

168 outiface => '! eth0:2',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

169 chain => 'OUTPUT',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

170 proto => 'tcp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

171 dport => '25',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

172 state => 'NEW',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

173 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

174 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

175 firewall { '013 icmp echo-request':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

176 proto => 'icmp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

177 icmp => 'echo-request',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

178 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

179 source => '10.0.0.0/8',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

180 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

181 firewall { '013 icmp destination-unreachable':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

182 proto => 'icmp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

183 icmp => 'destination-unreachable',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

184 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

185 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

186 firewall { '013 icmp time-exceeded':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

187 proto => 'icmp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

188 icmp => 'time-exceeded',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

189 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

190 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

191 firewall { '443 ssl on aliased interface':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

192 proto => 'tcp',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

193 dport => '443',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

194 state => 'NEW',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

195 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

196 iniface => 'eth0:3',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

197 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

198 firewall { '999 reject':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

199 action => 'reject',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

200 reject => 'icmp-host-prohibited',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

201 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

202

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

203 firewallchain { 'LOCAL_INPUT_PRE:filter:IPv4': }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

204 firewall { '001 LOCAL_INPUT_PRE':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

205 jump => 'LOCAL_INPUT_PRE',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

206 require => Firewallchain['LOCAL_INPUT_PRE:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

207 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

208 firewallchain { 'LOCAL_INPUT:filter:IPv4': }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

209 firewall { '900 LOCAL_INPUT':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

210 jump => 'LOCAL_INPUT',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

211 require => Firewallchain['LOCAL_INPUT:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

212 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

213 firewallchain { 'INPUT:filter:IPv4':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

214 policy => 'drop',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

215 ignore => [

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

216 '-j fail2ban-ssh',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

217 '--comment "[^"]*(?i:ignore)[^"]*"',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

218 ],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

219 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

220

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

221

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

222 firewall { '010 allow established and related':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

223 chain => 'FORWARD',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

224 proto => 'all',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

225 state => ['ESTABLISHED','RELATED'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

226 action => 'accept',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

227 before => Firewallchain['FORWARD:filter:IPv4'],

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

228 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

229 firewallchain { 'FORWARD:filter:IPv4':

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

230 policy => 'drop',

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

231 }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

232

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

233 firewallchain { 'OUTPUT:filter:IPv4': }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

234

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

235

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

236 # purge unknown rules from mangle table

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

237 firewallchain { ['PREROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', 'POSTROUTING:mangle:IPv4']: }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

238

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

239 # and the nat table

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

240 firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: }

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

241 EOS

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

242

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

243 # Run it twice and test for idempotency

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

244 apply_manifest(pp, :catch_failures => true)

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

245 unless fact('selinux') == 'true'

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

246 apply_manifest(pp, :catch_changes => true)

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

247 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

248 end

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

249

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

250 it 'contains appropriate rules' do

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

251 shell('iptables-save') do |r|

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

252 [

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

253 /INPUT DROP/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

254 /FORWARD DROP/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

255 /OUTPUT ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

256 /LOCAL_INPUT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

257 /LOCAL_INPUT_PRE/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

258 /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

259 /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

260 /-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

261 /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>

parents:

diff changeset

262 /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,

d6f2a0ee45c0 Add "Firewall" module

IBBoard <dev@ibboard.co.uk>