First version of IPtables module

Author: klump

modules/iptables/manifests/init.pp

@@ -73,4 +73,16 @@
         provider => 'ip6tables';
     }
   }
+
+  # Testing new iptables module
+  class { 'iptables::ng':
+    chains          => {
+      'INPUT'   => 'DROP',
+      'FORWARD' => upcase($forward_policy),
+      'OUTPUT'  => 'ACCEPT',
+    },
+    rules           => $rules,
+    log_fallthrough => str2bool($log_fallthrough),
+  }
+
 }

modules/iptables/manifests/ng.pp

@@ -0,0 +1,167 @@
+# Copyright 2018 dhtech
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+#
+# == Class: iptables
+#
+# Firewall hooks for the firewall lib.
+#
+# === Parameters
+#
+# [*rules*]
+#   The host specific rules for this machine as calculated from ipplan.
+#
+# [*log_fallthrough*]
+#   Log the packets that will be policy dropped in the INPUT chain.
+#
+# [*chains*]
+#   A hash containing chains with their default policy. Defaults to
+#   ```
+#   {
+#     'INPUT'   => 'DROP',
+#     'FORWARD' => 'DROP',
+#     'OUTPUT'  => 'ACCEPT',
+#   }
+#   ```
+# [*ipv4file*]
+#   The file to store the IPv4 rules in. Defaults to
+#   `/etc/iptables/rules.v4.puppet`
+#
+# [*ipv6file*]
+#   The file to store the IPv6 rules in. Defaults to
+#   `/etc/iptables/rules.v6.puppet`
+
+class iptables::ng (
+
+  Hash $rules,
+  Boolean $log_fallthrough,
+  Hash[String, Enum['ACCEPT', 'DROP', 'REJECT'], 1] $chains = {
+    'INPUT'   => 'DROP',
+    'FORWARD' => 'DROP',
+    'OUTPUT'  => 'ACCEPT',
+  },
+  String $ipv4file = '/etc/iptables/rules.v4.puppet',
+  String $ipv6file = '/etc/iptables/rules.v6.puppet',
+
+) {
+
+  $chains_header = $chains.map |$chain,$policy| { sprintf(":%s %s [0:0]", $chain, $policy) }
+
+  $enforce_command = '/usr/local/sbin/enforce-iptables'
+  file { 'enforce-command':
+    path   => $enforce_command,
+    source => 'puppet:///scripts/iptables/enforce-iptables.sh',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0750',
+  }
+
+
+  # Header and trailer rules
+  class { 'iptables::ng::header': }
+  class { 'iptables::ng::trailer':
+    log_input => $log_fallthrough,
+  }
+
+
+  # IPv4
+  concat { $ipv4file:
+    ensure         => present,
+    backup         => true,
+    warn           => '# This file is managed by Puppet. Do not edit.',
+    order          => 'numeric',
+    validate_cmd   => '/usr/sbin/iptables-restore -t < %',
+    ensure_newline => true,
+    notify         => Exec['enforce-puppet-iptables'],
+  }
+
+  concat::fragment { '00-ipv4-header':
+    target  => $ipv4file,
+    order   => 0,
+    content => ([
+     '*filter'
+    ] + $chains_header).join("\n"),
+  }
+
+  concat::fragment { '99-ipv4-trailer':
+    target  => $ipv4file,
+    order   => 9999,
+    content => [
+      'COMMIT'
+    ].join("\n"),
+  }
+
+  exec { 'enforce-puppet-iptables':
+    command     => "/usr/bin/echo ${enforce_command} ipv4 '${ipv4file}'",
+    refreshonly => true,
+    require     => File['enforce-command'],
+  }
+
+  each($rules['v4']) |$rule| {
+    $name = $rule['name']
+    $proto = $rule['proto']
+
+    iptables::ng::rule { "v4 ${name} ${proto}":
+        type   => 'ipv4',
+        chain  => 'INPUT',
+        action => 'ACCEPT',
+        order  => 500,
+        source => $rule['src'],
+        proto  => $rule['proto'],
+        dport  => $rule['dports'],
+        sport  => $rule['sports'],
+    }
+  }
+
+
+  # IPv6
+  concat { $ipv6file:
+    ensure         => present,
+    backup         => true,
+    warn           => '# This file is managed by Puppet. Do not edit.',
+    order          => numeric,
+    validate_cmd   => '/usr/sbin/ip6tables-restore -t < %',
+    ensure_newline => true,
+    notify         => Exec['enforce-puppet-ip6tables'],
+  }
+
+  concat::fragment { '00-ipv6-header':
+    target  => $ipv6file,
+    order   => 0,
+    content => ([
+     '*filter'
+    ] + $chains_header).join("\n"),
+  }
+
+  concat::fragment { '99-ipv6-trailer':
+    target  => $ipv6file,
+    order   => 9999,
+    content => [
+      'COMMIT',
+    ].join("\n"),
+  }
+
+  exec { 'enforce-puppet-ip6tables':
+    command     => "/usr/bin/echo ${enforce_command} ipv6 '${ipv6file}'",
+    refreshonly => true,
+    require     => File['enforce-command'],
+  }
+
+  each($rules['v6']) |$rule| {
+    $name = $rule['name']
+    $proto = $rule['proto']
+
+    iptables::ng::rule { "v6 ${name} ${proto}":
+        type   => 'ipv6',
+        chain  => 'INPUT',
+        action => 'ACCEPT',
+        order  => 500,
+        source => $rule['src'],
+        proto  => $rule['proto'],
+        dport  => $rule['dports'],
+        sport  => $rule['sports'],
+    }
+  }
+
+}

modules/iptables/manifests/ng/advanced_rule.pp

@@ -0,0 +1,54 @@
+# Copyright 2018 dhtech
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+#
+# == Class: iptables::ng::rule
+#
+# Firewall rules for the firewall lib.
+#
+# === Parameters
+#
+# [*type*]
+#   Version of the IP protocol for this rule. Must be `4` or `6`.
+#
+# [*rule*]
+#   The rule that should be used. In a format that can be understood
+#   by `iptables-restore` it will have `-A ${chain} ` prepended
+#
+# [*order*]
+#   Allows you to change the order in which the rules are placed. Header rules
+#   should have `order < 200`, trailer rules `order >= 800`. Defaults to `500`
+
+define iptables::ng::advanced_rule (
+
+  Enum['ipv4', 'ipv6', 'both'] $type,
+  String $rule,
+  Integer $order = 500,
+
+) {
+
+  include iptables::ng
+
+
+  if $type in ['ipv4', 'both'] {
+
+    concat::fragment { "v4 ${name}":
+        target  => $::iptables::ng::ipv4file,
+        order   => $order,
+        content => $rule,
+    }
+
+  }
+
+  if $type in ['ipv6', 'both'] {
+
+    concat::fragment { "v6 ${name}":
+        target  => $::iptables::ng::ipv6file,
+        order   => $order,
+        content => $rule,
+    }
+
+  }
+
+}

modules/iptables/manifests/ng/header.pp

@@ -0,0 +1,100 @@
+# Copyright 2018 dhtech
+#
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file
+#
+# Initial iptables rules that always applies
+
+class iptables::ng::header {
+
+  iptables::ng::advanced_rule { 'accept related established rules':
+    type  => 'both',
+    order => 1,
+    rule  => [
+      '-A INPUT -m state --state RELATED,ESTABLISHED',
+      '-m comment --comment "accept related established rules"',
+      '-j ACCEPT',
+    ].join(' '),
+  }
+
+  iptables::ng::advanced_rule { 'accept all to lo interface':
+    type  => 'both',
+    order => 10,
+    rule  => [
+      '-A INPUT -i lo',
+      '-m comment --comment "accept all to lo interface"',
+      '-j ACCEPT',
+    ].join(' '),
+  }
+
+
+  # IPv4 ICMP
+  iptables::ng::advanced_rule { 'v4 accept icmp, heavy rate limited':
+    type  => 'ipv4',
+    order => 20,
+    rule  => [
+      '-A INPUT -p icmp',
+      '-m limit --limit 5/sec --limit-burst 20',
+      '-m comment --comment "accept icmp, heavy rate limited"',
+      '-j ACCEPT',
+    ].join(' '),
+  }
+
+  iptables::ng::advanced_rule { 'v4 reject with icmp udp echo, heavy rate limited':
+    type  => 'ipv4',
+    order => 21,
+    rule  => [
+      '-A INPUT -p udp',
+      '-m multiport --dports 33434:33523',
+      '-m limit --limit 5/sec --limit-burst 20',
+      '-m comment --comment "reject with icmp udp echo, heavy rate limited"',
+      '-j REJECT --reject-with icmp-port-unreachable',
+    ].join(' '),
+  }
+
+  iptables::ng::advanced_rule { 'v4 drop remaining icmp':
+    type  => 'ipv4',
+    order => 29,
+    rule  => [
+      '-A INPUT -p icmp',
+      '-m comment --comment "drop remaining icmp"',
+      '-j DROP',
+    ].join(' '),
+  }
+
+
+  # IPv6 ICMP
+  iptables::ng::advanced_rule { 'v6 accept icmp, heavy rate limited':
+    type  => 'ipv6',
+    order => 20,
+    rule  => [
+      '-A INPUT -p ipv6-icmp',
+      '-m limit --limit 5/sec --limit-burst 20',
+      '-m comment --comment "accept icmp, heavy rate limited"',
+      '-j ACCEPT',
+    ].join(' '),
+  }
+
+  iptables::ng::advanced_rule { 'v6 reject with icmp udp echo, heavy rate limited':
+    type  => 'ipv6',
+    order => 21,
+    rule  => [
+      '-A INPUT -p udp',
+      '-m multiport --dports 33434:33523',
+      '-m limit --limit 5/sec --limit-burst 20',
+      '-m comment --comment "reject with icmp udp echo, heavy rate limited"',
+      '-j REJECT --reject-with icmp6-port-unreachable',
+    ].join(' '),
+  }
+
+  iptables::ng::advanced_rule { 'v6 drop remaining icmp':
+    type  => 'ipv6',
+    order => 29,
+    rule  => [
+      '-A INPUT -p ipv6-icmp',
+      '-m comment --comment "drop remaining icmp"',
+      '-j DROP',
+    ].join(' '),
+  }
+
+}