changeset 40:222904296578 puppet-3.6

Add firewall handling when we run without APF
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 22:22:26 +0000
parents d6f2a0ee45c0
children 765bf01c2044
files manifests/templates.pp modules/my_fw/manifests/post.pp modules/my_fw/manifests/pre.pp
diffstat 3 files changed, 83 insertions(+), 0 deletions(-) [+]
--- a/manifests/templates.pp	Sat Mar 14 20:58:03 2015 +0000
+++ b/manifests/templates.pp	Sat Mar 14 22:22:26 2015 +0000
@@ -31,6 +31,11 @@
 	$imapserver,
 	$firewall_cmd = 'iptables',
 	) {
+
+	if $firewall_cmd == 'iptables' {
+		include vpsfirewall
+	}
+
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
 	file { '/etc/hosts':
 		ensure => present,
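Review bot: The new conditional says nothing about what happens for values of `$firewall_cmd` other than `'iptables'`; since the parameter defaults to `'iptables'` (context line above), every node that does not override it now gets the purging `vpsfirewall` class, and a host still relying on APF has to pass some other value to stay unmanaged. A comment before the `if` would make that contract explicit, e.g. `# Only manage iptables directly; any other value (e.g. hosts still on APF) leaves the firewall unmanaged by Puppet`. The enclosing class starts before this hunk and continues past it.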
@@ -59,6 +64,51 @@
 	}
 }
 
+class vpsfirewall {
+	resources { "firewall":
+		purge => false,
+	}
+	firewallchain { 'INPUT:filter:IPv4':
+		purge => true,		
+		ignore => [
+			'-j f2b-[^ ]+$',
+			'^(:|-A )f2b-',
+			'--comment "Great Firewall of China"',
+			'--comment "Do not purge',
+			],
+	}
+	Firewall {
+		before => Class['my_fw::post'],
+		require => Class['my_fw::pre'],
+	}
+	class { ['my_fw::pre', 'my_fw::post']: }
+	class { 'firewall': }
+	firewallchain { 'GREATFIREWALLOFCHINA:filter:IPv4':
+		ensure => present,
+	}
+	firewall { '050 Check our Great Firewall Against China':
+		chain => 'INPUT',
+		jump => 'GREATFIREWALLOFCHINA',
+	}
+	firewall { '100 allow https and http':
+		port => [80, 443],
+		proto => tcp,
+		action => accept,
+	}
+	firewall { '101 allow SMTP':
+		port => [25, 465],
+		proto => tcp,
+		action => accept,
+	}
+	firewall { '102 allow IMAPS':
+		port => 993,
+		proto => tcp,
+		action => accept,
+	}
+	# Note: SSH port will be managed manually as we 
+	# put it on a different port to hide from script kiddy noise
+}
+
 ## Classes to allow facet behaviour using preconfigured setups of classes
 
 class repos {
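Review bot: The trailing comment in `vpsfirewall` says the SSH rule is managed manually, but `firewallchain 'INPUT:filter:IPv4'` is declared with `purge => true` and its `ignore` list only spares fail2ban rules, rules commented "Great Firewall of China" and rules whose comment starts with "Do not purge"; a hand-added SSH rule without such a comment is removed on the first run and `999 drop all` from `my_fw::post` then cuts off remote access. The comment should state that precondition, e.g. `# The manual SSH rule MUST carry --comment "Do not purge ..." or the INPUT purge above removes it and '999 drop all' locks us out`. The `GREATFIREWALLOFCHINA` chain is created but no rules are added to it in this change, so the `050` jump is a no-op until that chain is populated outside Puppet, which also deserves a comment. Minor style: `proto => tcp` / `action => accept` are barewords while the new `my_fw` classes quote the same kind of values (`'all'`, `'drop'`), and the `purge => true,` line carries trailing tabs.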
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/my_fw/manifests/post.pp	Sat Mar 14 22:22:26 2015 +0000
@@ -0,0 +1,7 @@
+class my_fw::post {
+  firewall { '999 drop all':
+    proto   => 'all',
+    action  => 'drop',
+    before  => undef,
+  }
+}
\ No newline at end of file
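Review bot: `before => undef` on `999 drop all` is load-bearing but unexplained: the `Firewall` resource default declared in `vpsfirewall` (templates.pp, same commit) sets `before => Class['my_fw::post']`, and presumably a rule inside `my_fw::post` inheriting that default would depend on its own class, so the override exists to avoid that cycle. A one-line comment such as `# before => undef cancels the Firewall default (before => Class['my_fw::post']) that would otherwise make this rule depend on its own class` would save the next reader the lookup. The file also lacks a trailing newline.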
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/my_fw/manifests/pre.pp	Sat Mar 14 22:22:26 2015 +0000
@@ -0,0 +1,26 @@
+class my_fw::pre {
+  Firewall {
+    require => undef,
+  }
+   # Default firewall rules
+  firewall { '000 accept all icmp':
+    proto   => 'icmp',
+    action  => 'accept',
+  } ->
+  firewall { '001 accept all to lo interface':
+    proto   => 'all',
+    iniface => 'lo',
+    action  => 'accept',
+  } ->
+  firewall { "002 reject local traffic not on loopback interface":
+    iniface     => '! lo',
+    proto       => 'all',
+    destination => '127.0.0.1/8',
+    action      => 'reject',
+  } ->
+  firewall { '003 accept related established rules':
+    proto   => 'all',
+    state => ['RELATED', 'ESTABLISHED'],
+    action  => 'accept',
+  }
+}
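Review bot: Formatting in `my_fw::pre` is inconsistent with the rest of the new code: the `# Default firewall rules` comment is indented one space deeper than the resources it introduces, rule `002` uses double quotes around a title with nothing to interpolate while the other titles use single quotes, and `state =>` in rule `003` is not aligned with its neighbours. Suggested: `  # Default firewall rules`, `firewall { '002 reject local traffic not on loopback interface':` and `state   => ['RELATED', 'ESTABLISHED'],`. The class-level `Firewall { require => undef }` override also deserves a comment explaining that it cancels the `require => Class['my_fw::pre']` default set in `vpsfirewall`, which would otherwise make these rules depend on their own class.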