comparison modules/firewall/spec/acceptance/rules_spec.rb @ 39:d6f2a0ee45c0 puppet-3.6

Add "Firewall" module
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 20:58:03 +0000
38:a1960fb961c5 39:d6f2a0ee45c0
1 require 'spec_helper_acceptance'
2
3 describe 'complex ruleset 1', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
4 before :all do
5 iptables_flush_all_tables
6 end
7
8 after :all do
9 shell('iptables -t filter -P INPUT ACCEPT')
10 shell('iptables -t filter -P FORWARD ACCEPT')
11 shell('iptables -t filter -P OUTPUT ACCEPT')
12 shell('iptables -t filter --flush')
13 end
14
15 it 'applies cleanly' do
16 pp = <<-EOS
17 firewall { '090 forward allow local':
18 chain => 'FORWARD',
19 proto => 'all',
20 source => '10.0.0.0/8',
21 destination => '10.0.0.0/8',
22 action => 'accept',
23 }
24 firewall { '100 forward standard allow tcp':
25 chain => 'FORWARD',
26 source => '10.0.0.0/8',
27 destination => '!10.0.0.0/8',
28 proto => 'tcp',
29 state => 'NEW',
30 port => [80,443,21,20,22,53,123,43,873,25,465],
31 action => 'accept',
32 }
33 firewall { '100 forward standard allow udp':
34 chain => 'FORWARD',
35 source => '10.0.0.0/8',
36 destination => '!10.0.0.0/8',
37 proto => 'udp',
38 port => [53,123],
39 action => 'accept',
40 }
41 firewall { '100 forward standard allow icmp':
42 chain => 'FORWARD',
43 source => '10.0.0.0/8',
44 destination => '!10.0.0.0/8',
45 proto => 'icmp',
46 action => 'accept',
47 }
48
49 firewall { '090 ignore ipsec':
50 table => 'nat',
51 chain => 'POSTROUTING',
52 outiface => 'eth0',
53 ipsec_policy => 'ipsec',
54 ipsec_dir => 'out',
55 action => 'accept',
56 }
57 firewall { '093 ignore 10.0.0.0/8':
58 table => 'nat',
59 chain => 'POSTROUTING',
60 outiface => 'eth0',
61 destination => '10.0.0.0/8',
62 action => 'accept',
63 }
64 firewall { '093 ignore 172.16.0.0/12':
65 table => 'nat',
66 chain => 'POSTROUTING',
67 outiface => 'eth0',
68 destination => '172.16.0.0/12',
69 action => 'accept',
70 }
71 firewall { '093 ignore 192.168.0.0/16':
72 table => 'nat',
73 chain => 'POSTROUTING',
74 outiface => 'eth0',
75 destination => '192.168.0.0/16',
76 action => 'accept',
77 }
78 firewall { '100 masq outbound':
79 table => 'nat',
80 chain => 'POSTROUTING',
81 outiface => 'eth0',
82 jump => 'MASQUERADE',
83 }
84 firewall { '101 redirect port 1':
85 table => 'nat',
86 chain => 'PREROUTING',
87 iniface => 'eth0',
88 proto => 'tcp',
89 dport => '1',
90 toports => '22',
91 jump => 'REDIRECT',
92 }
93 EOS
94
95 # Run it twice and test for idempotency
96 apply_manifest(pp, :catch_failures => true)
97 expect(apply_manifest(pp, :catch_failures => true).exit_code).to be_zero
98 end
99
100 it 'contains appropriate rules' do
101 shell('iptables-save') do |r|
102 [
103 /INPUT ACCEPT/,
104 /FORWARD ACCEPT/,
105 /OUTPUT ACCEPT/,
106 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) -d 10.0.0.0\/(8|255\.0\.0\.0) -m comment --comment \"090 forward allow local\" -j ACCEPT/,
107 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"100 forward standard allow icmp\" -j ACCEPT/,
108 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p tcp -m multiport --ports 80,443,21,20,22,53,123,43,873,25,465 -m comment --comment \"100 forward standard allow tcp\" -m state --state NEW -j ACCEPT/,
109 /-A FORWARD -s 10.0.0.0\/(8|255\.0\.0\.0) (! -d|-d !) 10.0.0.0\/(8|255\.0\.0\.0) -p udp -m multiport --ports 53,123 -m comment --comment \"100 forward standard allow udp\" -j ACCEPT/
110 ].each do |line|
111 expect(r.stdout).to match(line)
112 end
113 end
114 end
115 end
116
117 describe 'complex ruleset 2' do
118 after :all do
119 shell('iptables -t filter -P INPUT ACCEPT')
120 shell('iptables -t filter -P FORWARD ACCEPT')
121 shell('iptables -t filter -P OUTPUT ACCEPT')
122 shell('iptables -t filter --flush')
123 expect(shell('iptables -t filter -X LOCAL_INPUT').stderr).to eq("")
124 expect(shell('iptables -t filter -X LOCAL_INPUT_PRE').stderr).to eq("")
125 end
126
127 it 'applies cleanly' do
128 pp = <<-EOS
129 class { '::firewall': }
130
131 Firewall {
132 proto => 'all',
133 stage => 'pre',
134 }
135 Firewallchain {
136 stage => 'pre',
137 purge => 'true',
138 ignore => [
139 '--comment "[^"]*(?i:ignore)[^"]*"',
140 ],
141 }
142
143 firewall { '010 INPUT allow established and related':
144 proto => 'all',
145 state => ['ESTABLISHED', 'RELATED'],
146 action => 'accept',
147 before => Firewallchain['INPUT:filter:IPv4'],
148 }
149 firewall { "011 reject local traffic not on loopback interface":
150 iniface => '! lo',
151 proto => 'all',
152 destination => '127.0.0.1/8',
153 action => 'reject',
154 }
155 firewall { '012 accept loopback':
156 iniface => 'lo',
157 action => 'accept',
158 before => Firewallchain['INPUT:filter:IPv4'],
159 }
160 firewall { '020 ssh':
161 proto => 'tcp',
162 dport => '22',
163 state => 'NEW',
164 action => 'accept',
165 before => Firewallchain['INPUT:filter:IPv4'],
166 }
167 firewall { '025 smtp':
168 outiface => '! eth0:2',
169 chain => 'OUTPUT',
170 proto => 'tcp',
171 dport => '25',
172 state => 'NEW',
173 action => 'accept',
174 }
175 firewall { '013 icmp echo-request':
176 proto => 'icmp',
177 icmp => 'echo-request',
178 action => 'accept',
179 source => '10.0.0.0/8',
180 }
181 firewall { '013 icmp destination-unreachable':
182 proto => 'icmp',
183 icmp => 'destination-unreachable',
184 action => 'accept',
185 }
186 firewall { '013 icmp time-exceeded':
187 proto => 'icmp',
188 icmp => 'time-exceeded',
189 action => 'accept',
190 }
191 firewall { '443 ssl on aliased interface':
192 proto => 'tcp',
193 dport => '443',
194 state => 'NEW',
195 action => 'accept',
196 iniface => 'eth0:3',
197 }
198 firewall { '999 reject':
199 action => 'reject',
200 reject => 'icmp-host-prohibited',
201 }
202
203 firewallchain { 'LOCAL_INPUT_PRE:filter:IPv4': }
204 firewall { '001 LOCAL_INPUT_PRE':
205 jump => 'LOCAL_INPUT_PRE',
206 require => Firewallchain['LOCAL_INPUT_PRE:filter:IPv4'],
207 }
208 firewallchain { 'LOCAL_INPUT:filter:IPv4': }
209 firewall { '900 LOCAL_INPUT':
210 jump => 'LOCAL_INPUT',
211 require => Firewallchain['LOCAL_INPUT:filter:IPv4'],
212 }
213 firewallchain { 'INPUT:filter:IPv4':
214 policy => 'drop',
215 ignore => [
216 '-j fail2ban-ssh',
217 '--comment "[^"]*(?i:ignore)[^"]*"',
218 ],
219 }
220
221
222 firewall { '010 allow established and related':
223 chain => 'FORWARD',
224 proto => 'all',
225 state => ['ESTABLISHED','RELATED'],
226 action => 'accept',
227 before => Firewallchain['FORWARD:filter:IPv4'],
228 }
229 firewallchain { 'FORWARD:filter:IPv4':
230 policy => 'drop',
231 }
232
233 firewallchain { 'OUTPUT:filter:IPv4': }
234
235
236 # purge unknown rules from mangle table
237 firewallchain { ['PREROUTING:mangle:IPv4', 'INPUT:mangle:IPv4', 'FORWARD:mangle:IPv4', 'OUTPUT:mangle:IPv4', 'POSTROUTING:mangle:IPv4']: }
238
239 # and the nat table
240 firewallchain { ['PREROUTING:nat:IPv4', 'INPUT:nat:IPv4', 'OUTPUT:nat:IPv4', 'POSTROUTING:nat:IPv4']: }
241 EOS
242
243 # Run it twice and test for idempotency
244 apply_manifest(pp, :catch_failures => true)
245 unless fact('selinux') == 'true'
246 apply_manifest(pp, :catch_changes => true)
247 end
248 end
249
250 it 'contains appropriate rules' do
251 shell('iptables-save') do |r|
252 [
253 /INPUT DROP/,
254 /FORWARD DROP/,
255 /OUTPUT ACCEPT/,
256 /LOCAL_INPUT/,
257 /LOCAL_INPUT_PRE/,
258 /-A INPUT -m comment --comment \"001 LOCAL_INPUT_PRE\" -j LOCAL_INPUT_PRE/,
259 /-A INPUT -m comment --comment \"010 INPUT allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/,
260 /-A INPUT -d 127.0.0.0\/(8|255\.0\.0\.0) (! -i|-i !) lo -m comment --comment \"011 reject local traffic not on loopback interface\" -j REJECT --reject-with icmp-port-unreachable/,
261 /-A INPUT -i lo -m comment --comment \"012 accept loopback\" -j ACCEPT/,
262 /-A INPUT -p icmp -m comment --comment \"013 icmp destination-unreachable\" -m icmp --icmp-type 3 -j ACCEPT/,
263 /-A INPUT -s 10.0.0.0\/(8|255\.0\.0\.0) -p icmp -m comment --comment \"013 icmp echo-request\" -m icmp --icmp-type 8 -j ACCEPT/,
264 /-A INPUT -p icmp -m comment --comment \"013 icmp time-exceeded\" -m icmp --icmp-type 11 -j ACCEPT/,
265 /-A INPUT -p tcp -m multiport --dports 22 -m comment --comment \"020 ssh\" -m state --state NEW -j ACCEPT/,
266 /-A OUTPUT (! -o|-o !) eth0:2 -p tcp -m multiport --dports 25 -m comment --comment \"025 smtp\" -m state --state NEW -j ACCEPT/,
267 /-A INPUT -i eth0:3 -p tcp -m multiport --dports 443 -m comment --comment \"443 ssl on aliased interface\" -m state --state NEW -j ACCEPT/,
268 /-A INPUT -m comment --comment \"900 LOCAL_INPUT\" -j LOCAL_INPUT/,
269 /-A INPUT -m comment --comment \"999 reject\" -j REJECT --reject-with icmp-host-prohibited/,
270 /-A FORWARD -m comment --comment \"010 allow established and related\" -m state --state RELATED,ESTABLISHED -j ACCEPT/
271 ].each do |line|
272 expect(r.stdout).to match(line)
273 end
274 end
275 end
276 end
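Review bot: The second example group, `describe 'complex ruleset 2' do`, drops both guards the first group has: the `:unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily'))` filter and the `before :all do iptables_flush_all_tables end` reset, so on an unsupported platform only half the file is skipped and the second group starts from whatever the first group left behind (its `after :all` flushes only the filter table, so the nat-table MASQUERADE and REDIRECT rules are still live when the second manifest is applied). Mirror the first group: `describe 'complex ruleset 2', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do` and the same `before :all` flush, so that the purge behaviour of the `Firewallchain` defaults is exercised deliberately rather than by accident of test ordering. The two groups also check idempotency differently (`exit_code` of a `:catch_failures` run versus `:catch_changes => true`); picking one form for both makes a regression in either ruleset report the same way. Separately, `/LOCAL_INPUT/` and `/INPUT ACCEPT/` are satisfied by several unrelated lines of `iptables-save` output (for example the `LOCAL_INPUT_PRE` chain line), so consider anchoring them as `/^:LOCAL_INPUT /` and `/^:INPUT ACCEPT/` to assert the chain definition and policy rather than any substring.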