Firewall Module - Update Rules and apply them to SN

2025-12-26 02:43:11 +01:00 · 2018-10-10 14:03:39 -04:00
parent a44c3e62d2
commit bf229f65e3
3 changed files with 54 additions and 0 deletions
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -114,6 +114,40 @@ enable_maternode_redis_6379_{{ip}}:
    - position: 1
    - save: True

+enable_masternode_kibana_5601_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5601
+    - position: 1
+    - save: True
+
+enable_masternode_ES_9200_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 9200
+    - position: 1
+    - save: True
+
+enable_masternode_ES_9300_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 9300
+    - position: 1
+    - save: True
+
+
 {% endfor %}

 # Make it so all the minions can talk to salt and update etc.
@@ -237,6 +271,18 @@ enable_standard_analyst_443_{{ip}}:
    - position: 1
    - save: True

+#THIS IS TEMPORARY
+enable_standard_analyst_5601_{{ip}}:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - proto: tcp
+    - source: {{ ip }}
+    - dport: 5601
+    - position: 1
+    - save: True
+
 {% endfor %}

 # Rules for storage nodes connecting to master
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -2,6 +2,7 @@ base:
  'G@role:so-sensor':
    - ssl
    - common
+    - firewall
    - pcap
    - suricata
    - bro
@@ -29,26 +30,31 @@ base:
  'G@role:so-node and I@node:node_type:parser':
    - match: pillar
    - common
+    - firewall
    - logstash

  'G@role:so-node and I@node:node_type:hot':
    - match: pillar
    - common
+    - firewall
    - logstash
    - elasticsearch

  'G@role:so-node and I@node:node_type:warm':
    - match: pillar
    - common
+    - firewall
    - elasticsearch

  'G@role:so-node and I@node:node_type:storage':
    - match: compound
    - common
+    - firewall
    - logstash
    - elasticsearch

  'G@role:mastersensor':
    - common
+    - firewall
    - sensor
    - master
--- a/so-setup-network.sh
+++ b/so-setup-network.sh
@@ -621,6 +621,8 @@ set_initial_firewall_policy() {
  get_main_ip
  if [ $INSTALLTYPE == 'MASTERONLY' ]; then
    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls
+    printf "  - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls
+

  fi
  if [ $INSTALLTYPE == 'SENSORONLY' ]; then