From 973ae8a187b09070fcbae37f04d0c0afc2490f7a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 11 Jul 2018 15:31:30 -0400 Subject: [PATCH] Firewall Module - Its Working --- salt/firewall/init.sls | 71 +++++++++++++++++++++------ salt/master/files/registry/config.yml | 2 +- 2 files changed, 57 insertions(+), 16 deletions(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 38706bd7c..f0c6b0e94 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,4 +1,4 @@ -# Default Rules for everyone +# Firewall Magic # Keep localhost in the game iptables_allow_localhost: @@ -38,28 +38,59 @@ iptables_allow_pings: - proto: icmp - save: True -# Set the policy to deny everything unless defined -enable_reject_policy: - iptables.set_policy: +# Create the chain for logging +iptables_LOGGING_limit: + iptables.append: + - table: filter + - chain: LOGGING + - match: limit + - jump: LOG + - limit: 2/min + - log-level: 4 + - log-prefix: "IPTables-dropped: " + +# Make the input policy send stuff that doesn't match to be logged and dropped +iptables_log_input_drops: + iptables.append: - table: filter - chain: INPUT - - policy: DROP - - require: - - iptables: iptables_allow_localhost - - iptables: iptables_allow_established - - iptables: iptables_allow_ssh - - iptables: iptables_allow_pings + - jump: LOGGING + - save: True + +# Set the policy to deny everything unless defined +#enable_reject_policy: +# iptables.set_policy: +# - table: filter +# - chain: INPUT +# - policy: DROP +# - require: +# - iptables: iptables_allow_localhost +# - iptables: iptables_allow_established +# - iptables: iptables_allow_ssh +# - iptables: iptables_allow_pings # Enable global DOCKER-USER block rule enable_docker_user_fw_policy: iptables.insert: - table: filter - chain: DOCKER-USER - - jump: DROP + - jump: LOGGING - in-interface: '!docker0' - out-interface: docker0 - position: 1 - - save: true + - save: True + +enable_docker_user_established: + iptables.insert: + - table: filter + - chain: DOCKER-USER + - jump: ACCEPT + - in-interface: '!docker0' + - out-interface: docker0 + - position: 1 + - save: True + - match: conntrack + - ctstate: 'RELATED,ESTABLISHED' # Rules if you are a Master {% if grains['role'] == 'so-master' %} @@ -68,23 +99,25 @@ enable_docker_user_fw_policy: {% for ip in pillar.get('minions') %} enable_salt_minions_4505_{{ip}}: - iptables.append: + iptables.insert: - table: filter - chain: INPUT - jump: ACCEPT - proto: tcp - source: {{ ip }} - dport: 4505 + - position: 1 - save: True enable_salt_minions_4506_{{ip}}: - iptables.append: + iptables.insert: - table: filter - chain: INPUT - jump: ACCEPT - proto: tcp - source: {{ ip }} - dport: 4506 + - position: 1 - save: True enable_salt_minions_5000_{{ip}}: @@ -159,4 +192,12 @@ enable_standard_beats_5044_{{ip}}: # Rules if you are a Warm Node -# Some Fixer upper type rules \ No newline at end of file +# Some Fixer upper type rules +# Drop it like it's hot +# Make the input policy send stuff that doesn't match to be logged and dropped +iptables_drop_all_the_things: + iptables.append: + - table: filter + - chain: LOGGING + - jump: DROP + - save: True diff --git a/salt/master/files/registry/config.yml b/salt/master/files/registry/config.yml index b212e9671..db9f9c32b 100644 --- a/salt/master/files/registry/config.yml +++ b/salt/master/files/registry/config.yml @@ -21,4 +21,4 @@ health: threshold: 3 proxy: remoteurl: https://registry-1.docker.io - +