comparison modules/firewall/spec/acceptance/rules_spec.rb @ 39:d6f2a0ee45c0 puppet-3.6
Add "Firewall" module
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 14 Mar 2015 20:58:03 +0000 |
parents | |
children |
38:a1960fb961c5 | 39:d6f2a0ee45c0 |
---|---|
1 require 'spec_helper_acceptance' | |
2 | |
3 describe 'complex ruleset 1', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do | |
4 before :all do | |
5 iptables_flush_all_tables | |
6 end | |
7 | |
8 after :all do | |
9 shell('iptables -t filter -P INPUT ACCEPT') | |
10 shell('iptables -t filter -P FORWARD ACCEPT') | |
11 shell('iptables -t filter -P OUTPUT ACCEPT') | |
12 shell('iptables -t filter --flush') | |
13 end | |
14 | |
15 it 'applies cleanly' do | |
16 pp = <<-EOS | |
17 firewall { '090 forward allow local': | |
18 chain => 'FORWARD', | |
19 proto => 'all', | |
20 source => '10.0.0.0/8', | |
21 destination => '10.0.0.0/8', | |
22 action => 'accept', | |
23 } | |
24 firewall { '100 forward standard allow tcp': | |
25 chain => 'FORWARD', | |
26 source => '10.0.0.0/8', | |
27 destination => '!10.0.0.0/8', | |
28 proto => 'tcp', | |
29 state => 'NEW', | |
30 port => [80,443,21,20,22,53,123,43,873,25,465], | |
31 action => 'accept', | |
32 } | |
33 firewall { '100 forward standard allow udp': | |
34 chain => 'FORWARD', | |
35 source => '10.0.0.0/8', | |
36 destination => '!10.0.0.0/8', | |
37 proto => 'udp', | |
38 port => [53,123], | |
39 action => 'accept', | |
40 } | |
41 firewall { '100 forward standard allow icmp': | |
42 chain => 'FORWARD', | |
43 source => '10.0.0.0/8', | |
44 destination => '!10.0.0.0/8', | |
45 proto => 'icmp', | |
46 action => 'accept', | |
47 } | |
48 | |
49 firewall { '090 ignore ipsec': | |
50 table => 'nat', | |
51 chain => 'POSTROUTING', | |
52 outiface => 'eth0', | |
53 ipsec_policy => 'ipsec', | |
54 ipsec_dir => 'out', | |
55 action => 'accept', | |
56 } | |
57 firewall { '093 ignore 10.0.0.0/8': | |
58 table => 'nat', | |
59 chain => 'POSTROUTING', | |
60 outiface => 'eth0', | |
61 destination => '10.0.0.0/8', | |
62 action => 'accept', | |
63 } | |
64 firewall { '093 ignore 172.16.0.0/12': | |
65 table => 'nat', | |
66 chain => 'POSTROUTING', | |
67 outiface => 'eth0', | |
68 destination => '172.16.0.0/12', | |
69 action => 'accept', | |
70 } | |
71 firewall { '093 ignore 192.168.0.0/16': | |
72 table => 'nat', | |
73 chain => 'POSTROUTING', | |
74 outiface => 'eth0', | |
75 destination => '192.168.0.0/16', | |
76 action => 'accept', | |
77 } | |
78 firewall { '100 masq outbound': | |
79 table => 'nat', | |
80 chain => 'POSTROUTING', | |
81 outiface => 'eth0', | |
82 jump => 'MASQUERADE', | |
83 } | |
84 firewall { '101 redirect port 1': | |
85 table => 'nat', | |
86 chain => 'PREROUTING', | |
87 iniface => 'eth0', | |
88 proto => 'tcp', | |
89 dport => '1', | |
90 toports => '22', | |
91 jump => 'REDIRECT', | |
92 } | |
93 EOS | |
94 | |
95 # Run it twice and test for idempotency | |
96 apply_manifest(pp, :catch_failures => true) | |
97 expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero | |
98 end | |
99 | |
100 it 'contains appropriate rules' do | |
101 shell('iptables-save') do |r| | |
102 [ | |
103 /INPUT ACCEPT/, | |
104 /FORWARD ACCEPT/, | |
105 /OUTPUT ACCEPT/, | |
106 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/, | |
107 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/, | |
108 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/, | |
109 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/ | |
110 ].each do |line| | |
111 expect(r.stdout).to match(line) | |
112 end | |
113 end | |
114 end | |
115 end | |
116 | |
117 describe 'complex ruleset 2' do | |
118 after :all do | |
119 shell('iptables -t filter -P INPUT ACCEPT') | |
120 shell('iptables -t filter -P FORWARD ACCEPT') | |
121 shell('iptables -t filter -P OUTPUT ACCEPT') | |
122 shell('iptables -t filter --flush') | |
123 expect(shell('iptables -t filter -X LOCAL_INPUT').stderr).to eq("") | |
124 expect(shell('iptables -t filter -X LOCAL_INPUT_PRE').stderr).to eq("") | |
125 end | |
126 | |
127 it 'applies cleanly' do | |
128 pp = <<-EOS | |
129 class { '::firewall': } | |
130 | |
131 Firewall { | |
132 proto => 'all', | |
133 stage => 'pre', | |
134 } | |
135 Firewallchain { | |
136 stage => 'pre', | |
137 purge => 'true', | |
138 ignore => [ | |
139 '--comment "[^"]*(?i:ignore)[^"]*"', | |
140 ], | |
141 } | |
142 | |
143 firewall { '010 INPUT allow established and related': | |
144 proto => 'all', | |
145 state => ['ESTABLISHED', 'RELATED'], | |
146 action => 'accept', | |
147 before => Firewallchain['INPUT:filter:IPv4'], | |
148 } | |
149 firewall { "011 reject local traffic not on loopback interface": | |
150 iniface => '! lo', | |
151 proto => 'all', | |
152 destination => '127.0.0.1/8', | |
153 action => 'reject', | |
154 } | |
155 firewall { '012 accept loopback': | |
156 iniface => 'lo', | |
157 action => 'accept', | |
158 before => Firewallchain['INPUT:filter:IPv4'], | |
159 } | |
160 firewall { '020 ssh': | |
161 proto => 'tcp', | |
162 dport => '22', | |
163 state => 'NEW', | |
164 action => 'accept', | |
165 before => Firewallchain['INPUT:filter:IPv4'], | |
166 } | |
167 firewall { '025 smtp': | |
168 outiface => '! eth0:2', | |
169 chain => 'OUTPUT', | |
170 proto => 'tcp', | |
171 dport => '25', | |
172 state => 'NEW', | |
173 action => 'accept', | |
174 } | |
175 firewall { '013 icmp echo-request': | |
176 proto => 'icmp', | |
177 icmp => 'echo-request', | |
178 action => 'accept', | |
179 source => '10.0.0.0/8', | |
180 } | |
181 firewall { '013 icmp destination-unreachable': | |
182 proto => 'icmp', | |
183 icmp => 'destination-unreachable', | |
184 action => 'accept', | |
185 } | |
186 firewall { '013 icmp time-exceeded': | |
187 proto => 'icmp', | |
188 icmp => 'time-exceeded', | |
189 action => 'accept', | |
190 } | |
191 firewall { '443 ssl on aliased interface': | |
192 proto => 'tcp', | |
193 dport => '443', | |
194 state => 'NEW', | |
195 action => 'accept', | |
196 iniface => 'eth0:3', | |
197 } | |
198 firewall { '999 reject': | |
199 action => 'reject', | |
200 reject => 'icmp-host-prohibited', | |
201 } | |
202 | |
203 firewallchain { 'LOCAL_INPUT_PRE:filter:IPv4': } | |
204 firewall { '001 LOCAL_INPUT_PRE': | |
205 jump => 'LOCAL_INPUT_PRE', | |
206 require => Firewallchain['LOCAL_INPUT_PRE:filter:IPv4'], | |
207 } | |
208 firewallchain { 'LOCAL_INPUT:filter:IPv4': } | |
209 firewall { '900 LOCAL_INPUT': | |
210 jump => 'LOCAL_INPUT', | |
211 require => Firewallchain['LOCAL_INPUT:filter:IPv4'], | |
212 } | |
213 firewallchain { 'INPUT:filter:IPv4': | |
214 policy => 'drop', | |
215 ignore => [ | |
216 '-j fail2ban-ssh', | |
217 '--comment "[^"]*(?i:ignore)[^"]*"', | |
218 ], | |
219 } | |
220 | |
221 | |
222 firewall { '010 allow established and related': | |
223 chain => 'FORWARD', | |
224 proto => 'all', | |
225 state => ['ESTABLISHED','RELATED'], | |
226 action => 'accept', | |
227 before => Firewallchain['FORWARD:filter:IPv4'], | |
228 } | |
229 firewallchain { 'FORWARD:filter:IPv4': | |
230 policy => 'drop', | |
231 } | |
232 | |
233 firewallchain { 'OUTPUT:filter:IPv4': } | |
234 | |
235 | |
236 # purge unknown rules from mangle table | |
237 firewallchain { ['PREROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', 'POSTROUTING:mangle:IPv4']: } | |
238 | |
239 # and the nat table | |
240 firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: } | |
241 EOS | |
242 | |
243 # Run it twice and test for idempotency | |
244 apply_manifest(pp, :catch_failures => true) | |
245 unless fact('selinux') == 'true' | |
246 apply_manifest(pp, :catch_changes => true) | |
247 end | |
248 end | |
249 | |
250 it 'contains appropriate rules' do | |
251 shell('iptables-save') do |r| | |
252 [ | |
253 /INPUT DROP/, | |
254 /FORWARD DROP/, | |
255 /OUTPUT ACCEPT/, | |
256 /LOCAL_INPUT/, | |
257 /LOCAL_INPUT_PRE/, | |
258 /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/, | |
259 /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/, | |
260 /-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/, | |
261 /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/, | |
262 /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/, | |
263 /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/, | |
264 /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/, | |
265 /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/, | |
266 /-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m comment --comment \"025 smtp\" -m state --state NEW -j ACCEPT/, | |
267 /-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m comment --comment \"443 ssl on aliased interface\" -m state --state NEW -j ACCEPT/, | |
268 /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/, | |
269 /-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited/, | |
270 /-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/ | |
271 ].each do |line| | |
272 expect(r.stdout).to match(line) | |
273 end | |
274 end | |
275 end | |
276 end |
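Review bot: The `after :all` hooks at lines 8-13 and 118-125 reset and flush only the filter table, yet both manifests write to other tables: ruleset 1 installs a MASQUERADE on eth0 and a PREROUTING REDIRECT of TCP port 1 to 22 in nat (lines 78-92), and ruleset 2 additionally manages the nat and mangle built-in chains with `purge => true`, so those rules stay live on the test host after the suite unless some later example happens to call `iptables_flush_all_tables`. Ruleset 2 has no `before :all` flush of its own, so its starting state depends on what ruleset 1 left behind; note that its purge ignore pattern (line 139) deliberately preserves rules whose comment contains "ignore", which matches the 090/093 POSTROUTING rules from ruleset 1, so the second describe's result on a shared host is not self-contained. I would add `shell('iptables -t nat --flush')` and `shell('iptables -t mangle --flush')` to both `after :all` blocks (or simply call `iptables_flush_all_tables` there), and add a `before :all` flush to ruleset 2. For parity, the second describe (line 117) also lacks the `:unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily'))` guard that the first one has at line 3.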