diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index a0bd50717..e6fa05638 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -11,6 +11,9 @@ {%- set FLEET_NODE = salt['pillar.get']('static:fleet_node') %} {%- set FLEET_NODE_IP = salt['pillar.get']('static:fleet_ip') %} +{% import_yaml 'firewall/ports.yml' as firewall_ports %} +{% set firewall_aliases = salt['pillar.get']('firewall:aliases', firewall_ports.firewall.aliases, merge=True) %} + # Quick Fix for Docker being difficult iptables_fix_docker: iptables.chain_present: 
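Review bot: The `merge=True` on the new `firewall_aliases` line means whatever `ports.yml` ships is folded into every deployment's allow-list on each render, and (if I read Salt's `pillar.get` merge semantics right) a pillar list under the same key replaces the default list rather than extending it, so an operator can neither drop a shipped port by omission nor add one without restating the whole list — worth a comment, since the rule loop later in this file turns every entry into an ACCEPT. The imported default defines only `master`, so the other seven aliases that loop iterates (`minions`, `forward_nodes`, `search_nodes`, `beats_endpoint`, `osquery_endpoint`, `wazuh_endpoint`, `analyst`) and every `ips` list must come entirely from pillar or the state fails to render. I would put above the `set`: `{# ports.yml is the baseline allow-list and is merged into pillar firewall:aliases on every render; a pillar list for the same key replaces (does not extend) the default, and each alias iterated below needs an ips list in pillar. #}`.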
@@ -124,324 +127,29 @@ iptables_allow_master_docker: - position: 1 - save: True -{% for ip in pillar.get('firewall:master:ips') %} -# Allow Redis -enable_masternode_{{ip}}_{{port}}: +{% for alias in ['master', 'minions', 'forward_nodes', 'search_nodes', 'beats_endpoint', 'osquery_endpoint', 'wazuh_endpoint', 'analyst'] %} + {% for ip in firewall_aliases[alias].ips %} + {% for servicename, services in firewall_aliases[alias].ports.items() %} + {% for proto, ports in services.items() %} + {% for port in ports %} +{{alias}}_{{ip}}_{{servicename}}_{{port}}_{{proto}}: iptables.insert: - table: filter - chain: DOCKER-USER - jump: ACCEPT - - proto: tcp + - proto: {{ proto }} - source: {{ ip }} - dport: {{ port }} - position: 1 - save: True - -enable_masternode_kibana_5601_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5601 - - position: 1 - - save: True - -enable_masternode_ES_9200_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9200 - - position: 1 - - save: True - -enable_masternode_ES_9300_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9300 - - position: 1 - - save: True - -enable_masternode_ES_9400_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9400 - - position: 1 - - save: True - -enable_masternode_ES_9500_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9500 - - position: 1 - - save: True - -enable_masternode_influxdb_8086_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8086 - - position: 1 - - save: True - -enable_masternode_mysql_3306_{{ip}}: - iptables.insert: - - 
table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 3306
- - position: 1
- - save: True
-
-enable_master_osquery_8090_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 8090
- - position: 1
- - save: True
-
-enable_master_playbook_3200_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 3200
- - position: 1
- - save: True
-
-enable_master_navigator_4200_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 4200
- - position: 1
- - save: True
-
-enable_master_cortex_9001_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 9001
- - position: 1
- - save: True
-
-enable_master_cyberchef_9080_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 9080
- - position: 1
- - save: True
-
-# Add rule(s) for Wazuh manager
-enable_wazuh_manager_1514_tcp_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 1514
- - position: 1
- - save: True
-
-enable_wazuh_manager_1514_udp_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: udp
- - source: {{ ip }}
- - dport: 1514
- - position: 1
- - save: True
-
-{% endfor %}
-
-{% for k in pillar.get('masterfw-custom', {}) %}
-enable_custom_masterfw_{{ k }}:
- iptables.insert:
- - table: filter
- - chain: {{ k.chain }}
- - jump: ACCEPT
- - proto: {{ k.proto }}
- - source: {{ k.source }}
- - dport: {{ k.dport }}
- - position: 1
- - save: True
-
-{% endfor %}
-
-# Make it so all the minions can talk to salt and update etc.
-{% for ip in pillar.get('firewall:minions') %}
-
-enable_salt_minions_salt_4505_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 4505
- - position: 1
- - save: True
-
-enable_salt_minions_salt_4506_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: INPUT
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 4506
- - position: 1
- - save: True
-
-enable_salt_minions_registry_5000_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 5000
- - position: 1
- - save: True
-
-enable_salt_minions_acng_3142_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 3142
- - position: 1
- - save: True
-
-enable_minions_influxdb_8086_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 8086
- - position: 1
- - save: True
-
-enable_minion_osquery_8080_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 8080
- - position: 1
- - save: True
-
-enable_minion_wazuh_55000_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 55000
- - position: 1
- - save: True
-
-{% endfor %}
-
-# Allow Forward Nodes to send their beats traffic
-{% for ip in pillar.get('firewall:forward_nodes') %}
-
-enable_forwardnode_beats_5044_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 5044
- - position: 1
- - save: True
-
-enable_forwardnode_beats_5644_{{ip}}:
- iptables.insert:
- - table: filter
- - chain: DOCKER-USER
- - jump: ACCEPT
- - proto: tcp
- - source: {{ ip }}
- - dport: 5644
- - position: 1
- - save: True
-
-enable_forwardnode_sensoroni_443_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 443 - - position: 1 - - save: True - -enable_forwardnode_sensoroni_9822_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9822 - - position: 1 - - save: True - + {% endfor %} + {% endfor %} + {% endfor %} + {% endfor %} {% endfor %} # Allow Fleet Node to send its beats traffic {% if FLEET_NODE %} - enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: iptables.insert: - table: filter 
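Review bot: The generic loop hard-codes `- chain: DOCKER-USER` for every alias, but the removed `enable_salt_minions_salt_4505_{{ip}}` and `enable_salt_minions_salt_4506_{{ip}}` rules went into `INPUT`; DOCKER-USER is only consulted from the FORWARD path, so after this change no rule this file generates accepts minion traffic to the salt-master ports on the host itself (a regression if INPUT's default policy drops). The removed `masterfw-custom` loop likewise carried a per-rule `chain`, which the new data model has no place for. A small fix is to let a service entry carry an optional `chain` key, skip that key when iterating protocols, and keep `DOCKER-USER` as the default, with the salt service in ports.yml/pillar then declaring `chain: INPUT`. The `enable_fleetnode_beats_5644` state this hunk ends on continues past the hunk.
```jinja
  {% for servicename, services in firewall_aliases[alias].ports.items() %}
  {% set chain = services.get('chain', 'DOCKER-USER') %}
  {% for proto, ports in services.items() if proto in ['tcp', 'udp'] %}
  {% for port in ports %}
{{alias}}_{{ip}}_{{servicename}}_{{port}}_{{proto}}:
  iptables.insert:
    - table: filter
    - chain: {{ chain }}
    {# … unchanged: jump, proto, source, dport, position, save … #}
```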
@@ -452,120 +160,8 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}: - dport: 5644 - position: 1 - save: True - {% endif %} -{% for ip in pillar.get('firewall:search_nodes') %} - -enable_searchnode_redis_6379_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 6379 - - position: 1 - - save: True - -enable_searchnode_ES_9300_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 9300 - - position: 1 - - save: True - -{% endfor %} - -# Allow Beats Endpoints to send their beats traffic -{% for ip in pillar.get('firewall:beats_endpoint') %} - -enable_standard_beats_5044_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 5044 - - position: 1 - - save: True - -{% endfor %} - -# Allow OSQuery Endpoints to send their traffic -{% for ip in pillar.get('firewall:osquery_endpoint') %} - -enable_standard_osquery_8090_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 8090 - - position: 1 - - save: True - -{% endfor %} - -# Allow Wazuh Endpoints to send their traffic -{% for ip in pillar.get('firewall:wazuh_endpoint') %} - -enable_wazuh_endpoint_tcp_1514_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -enable_wazuh_endpoint_udp_1514_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: udp - - source: {{ ip }} - - dport: 1514 - - position: 1 - - save: True - -{% endfor %} - -# All Analysts get the following access to the master: -{% for ip in pillar.get('firewall:analyst') %} - -enable_standard_analyst_80_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - 
- source: {{ ip }} - - dport: 80 - - position: 1 - - save: True - -enable_standard_analyst_443_{{ip}}: - iptables.insert: - - table: filter - - chain: DOCKER-USER - - jump: ACCEPT - - proto: tcp - - source: {{ ip }} - - dport: 443 - - position: 1 - - save: True - -{% endfor %} {% endif %} # All Nodes get the below rules: diff --git a/salt/firewall/ports.yml b/salt/firewall/ports.yml new file mode 100644 index 000000000..0cb40b29a --- /dev/null +++ b/salt/firewall/ports.yml @@ -0,0 +1,16 @@ +firewall: + aliases: + master: + ports: + sn1: + tcp: + - 1000 + - 1001 + udp: + - 1003 + sn2: + tcp: + - 2000 + - 2001 + udp: + - 2000 \ No newline at end of file diff --git a/salt/firewall/ports.yml.old b/salt/firewall/ports.yml.old new file mode 100644 index 000000000..f318863c5 --- /dev/null +++ b/salt/firewall/ports.yml.old @@ -0,0 +1,63 @@ +firewall: + aliases: + analyst: + ports: + tcp: + - 80 + - 443 + udp: + beats_endpoint: + ports: + tcp: + - 5044 + forward_nodes: + ports: + tcp: + - 443 + - 5044 + - 5644 + - 9822 + udp: + master: + ports: + tcp: + - 1514 + - 3200 + - 3306 + - 4200 + - 5601 + - 6379 + - 8086 + - 8090 + - 9001 + - 9200 + - 9300 + - 9400 + - 9500 + udp: + - 1514 + minions: + ports: + tcp: + - 3142 + - 4505 + - 4506 + - 5000 + - 8080 + - 8086 + - 55000 + osquery_endpoint: + ports: + tcp: + - 8090 + search_nodes: + ports: + tcp: + - 6379 + - 9300 + wazuh_endpoint: + ports: + tcp: + - 1514 + udp: + -1514
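Review bot: The port lists under `master` (`sn1`: tcp 1000/1001, udp 1003; `sn2`: tcp 2000/2001, udp 2000) read as placeholders rather than real services, yet because init.sls merges this file into every deployment's `firewall:aliases` they become live ACCEPT rules from every master IP, while none of the master ports the same commit deletes from init.sls (1514, 3200, 3306, 4200, 5601, 6379, 8086, 8090, 9001, 9080, 9200, 9300, 9400, 9500) are carried over. Unless pillar restates them, a master running on these defaults permits traffic to ports nothing listens on and loses the allows for the services that do. The file should ship the real per-service lists, grouped under the service names the removed rule IDs already used; the master entry would start like the excerpt below (the file also lacks a trailing newline).
```yaml
firewall:
  aliases:
    master:
      ports:
        wazuh:
          tcp:
            - 1514
          udp:
            - 1514
        elasticsearch:
          tcp:
            - 9200
            - 9300
            - 9400
            - 9500
        # … remaining master services (3200, 3306, 4200, 5601, 6379, 8086, 8090, 9001, 9080) and the other seven aliases …
```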
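Review bot: `-1514` under `wazuh_endpoint.ports.udp` is missing the space after the dash, so YAML reads it as the scalar string `-1514` rather than a one-element list, and `udp:` under `analyst` and `forward_nodes` is left empty (null), which the `for port in ports` loop in init.sls cannot iterate. The layout here (`ports` → protocol) also lacks the service-name level the new loop expects, so it cannot be dropped in as a replacement for ports.yml. If it is kept as a migration reference, change the entry to `- 1514` and remove the empty `udp:` keys; otherwise leave the `.old` backup out of the tree rather than committing it.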