fw changes

m0duspwnens
2023-01-04 16:06:14 -05:00
parent 203e612452
commit f10238da42
5 changed files with 43 additions and 21 deletions


@@ -6,6 +6,7 @@
{% from 'allowed_states.map.jinja' import allowed_states %} {% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %} {% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'docker/docker.map.jinja' import DOCKER %}
{% from "curator/map.jinja" import CURATOROPTIONS %} {% from "curator/map.jinja" import CURATOROPTIONS %}
{% from "curator/map.jinja" import CURATORMERGED %} {% from "curator/map.jinja" import CURATORMERGED %}
{% set REMOVECURATORCRON = False %} {% set REMOVECURATORCRON = False %}
@@ -129,7 +130,8 @@ so-curator:
- name: so-curator - name: so-curator
- user: curator - user: curator
- networks: - networks:
- sosbridge: [] - sosbridge:
- ipv4_address: {{ DOCKER.containers['so-curator'].ip }}
- interactive: True - interactive: True
- tty: True - tty: True
- binds: - binds:


@@ -15,10 +15,6 @@ docker:
ports: ports:
9200: tcp 9200: tcp
9300: tcp 9300: tcp
'so-elastic-fleet-package-registry':
final_octet: 40
ports:
8080: tcp
'so-filebeat': 'so-filebeat':
final_octet: 23 final_octet: 23
'so-grafana': 'so-grafana':
@@ -82,3 +78,7 @@ docker:
final_octet: 42 final_octet: 42
'so-curator': 'so-curator':
final_octet: 43 final_octet: 43
'so-elastic-fleet-package-registry':
final_octet: 44
ports:
8080: tcp
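Review bot: `so-elastic-fleet-package-registry` moves from `final_octet: 40` to `final_octet: 44` and from one block of the `docker:` map to another, which changes the container's static address; the nat DNAT rules and the new filter rules are rendered from `DOCKER.containers[...].ip`, so a node upgraded in place presumably keeps the running container on .40 while its firewall rules now point at .44 until the container is recreated. If the two blocks are different node types (both block headers are cut above the hunks), the registry also disappears from the first type's map, and any template that iterates NODE_CONTAINERS and indexes `DOCKER.containers[container]` would then fail to render for that type. A short comment next to the entry, `# moved from final_octet 40; container must be recreated on upgrade`, would record the change for whoever debugs a stale DNAT target.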


@@ -1,6 +1,8 @@
{% set NODE_CONTAINERS = [ {% set NODE_CONTAINERS = [
'so-curator',
'so-dockerregistry', 'so-dockerregistry',
'so-elasticsearch', 'so-elasticsearch',
'so-elastic-fleet-package-registry',
'so-grafana', 'so-grafana',
'so-influxdb', 'so-influxdb',
'so-kibana', 'so-kibana',


@@ -1,4 +1,4 @@
{%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} {% from 'docker/docker.map.jinja' import DOCKER %}
firewall: firewall:
hostgroups: hostgroups:
anywhere: anywhere:
@@ -10,7 +10,7 @@ firewall:
ips: ips:
delete: delete:
insert: insert:
- {{ DNET }}/24 - {{ DOCKER.sosrange }}
localhost: localhost:
ips: ips:
delete: delete:
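Review bot: `{{ DOCKER.sosrange }}` at the hostgroup `ips: insert:` line replaces `{{ DNET }}/24`, so the value is now expected to already carry its prefix length; if `sosrange` in docker.map.jinja is a bare network address the rendered entry is no longer a CIDR, and that should be confirmed before merging since the map file is not in this commit. The pillar key `global:dockernet` that DNET read, with its `172.17.0.0` default, is also no longer honoured by this hostgroup; if any other state still derives the docker subnet from that pillar, the firewall allowance and the actual network can diverge silently, so either retire the pillar key everywhere or have `sosrange` derive from it. The hostgroup this hunk belongs to starts above the hunk.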


@@ -1,8 +1,9 @@
{% from 'docker/docker.map.jinja' import DOCKER %} {% from 'docker/docker.map.jinja' import DOCKER -%}
{% from 'firewall/containers.map.jinja' import NODE_CONTAINERS %} {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
{% from 'firewall/map.jinja' import hostgroups with context %} {% from 'firewall/map.jinja' import hostgroups with context -%}
{% from 'firewall/map.jinja' import assigned_hostgroups with context %} {% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
@@ -38,21 +39,25 @@
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -j OUTPUT_direct -A OUTPUT -j OUTPUT_direct
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s {{DOCKER.range}} ! -o sosbridge -j MASQUERADE -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct -A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES -A POSTROUTING -j POSTROUTING_ZONES
{%- for container in NODE_CONTAINERS %} {%- for container in NODE_CONTAINERS %}
{%- for port, proto in DOCKER.containers[container].ports.items() %} {%- if DOCKER.containers[container].ports is defined %}
{%- for port, proto in DOCKER.containers[container].ports.items() %}
-A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE -A POSTROUTING -s {{DOCKER.containers[container].ip}}/32 -d {{DOCKER.containers[container].ip}}/32 -p {{proto}} -m {{proto}} --dport {{port}} -j MASQUERADE
{%- endfor %} {%- endfor %}
{%- endif %}
{%- endfor %} {%- endfor %}
-A DOCKER -i sosbridge -j RETURN -A DOCKER -i sosbridge -j RETURN
{%- for container in NODE_CONTAINERS %} {%- for container in NODE_CONTAINERS %}
{%- for port, proto in DOCKER.containers[container].ports.items() %} {%- if DOCKER.containers[container].ports is defined %}
{%- for port, proto in DOCKER.containers[container].ports.items() %}
-A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}} -A DOCKER ! -i sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j DNAT --to-destination {{DOCKER.containers[container].ip}}:{{port}}
{%- endfor %} {%- endfor %}
{%- endif %}
{%- endfor %} {%- endfor %}
-A POSTROUTING_ZONES -o sosbridge -g POST_docker -A POSTROUTING_ZONES -o sosbridge -g POST_docker
@@ -78,7 +83,8 @@
-A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow -A PRE_public -j PRE_public_allow
COMMIT COMMIT
# Completed on Wed Jan 4 15:23:09 2023
# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*mangle *mangle
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
@@ -119,7 +125,8 @@ COMMIT
-A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow -A PRE_public -j PRE_public_allow
COMMIT COMMIT
# Completed on Wed Jan 4 15:23:09 2023
# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*security *security
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0] :FORWARD ACCEPT [0:0]
@@ -131,7 +138,8 @@ COMMIT
-A FORWARD -j FORWARD_direct -A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct -A OUTPUT -j OUTPUT_direct
COMMIT COMMIT
# Completed on Wed Jan 4 15:23:09 2023
# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*raw *raw
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
@@ -163,8 +171,8 @@ COMMIT
-A PRE_public -j PRE_public_deny -A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow -A PRE_public -j PRE_public_allow
COMMIT COMMIT
# Completed on Wed Jan 4 15:23:09 2023
# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023
*filter *filter
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
:FORWARD DROP [0:0] :FORWARD DROP [0:0]
@@ -255,6 +263,15 @@ COMMIT
-A OUTPUT -o lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct -A OUTPUT -j OUTPUT_direct
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
{%- for container in NODE_CONTAINERS %}
{%- if DOCKER.containers[container].ports is defined %}
{%- for port, proto in DOCKER.containers[container].ports.items() %}
-A DOCKER -d {{DOCKER.containers[container].ip}}/32 ! -i sosbridge -o sosbridge -p {{proto}} -m {{proto}} --dport {{port}} -j ACCEPT
{%- endfor %}
{%- endif %}
{%- endfor %}
-A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2 -A DOCKER-ISOLATION-STAGE-1 -i sosbridge ! -o sosbridge -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN -A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
@@ -304,3 +321,4 @@ COMMIT
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: " -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
-A LOGGING -j DROP -A LOGGING -j DROP
COMMIT COMMIT
# Completed on Wed Jan 4 15:23:09 2023
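Review bot: The new filter-table `DOCKER` chain rules in hunk `@@ -255,6 +263,15 @@` ACCEPT every published container port for traffic arriving on any interface other than sosbridge, so the only thing that restricts which sources may reach a container port is whatever precedes the jump into DOCKER in FORWARD; that ordering is outside these hunks and is worth confirming, because FORWARD's default policy is DROP (`:FORWARD DROP [0:0]`) and these rules would otherwise be the effective policy for container ports. The `is defined` guards added in the nat hunk and here only cover a container entry that lacks `ports`; if a name in NODE_CONTAINERS has no entry in `DOCKER.containers` at all, `DOCKER.containers[container].ports` presumably still fails to render, so either widen the guard to `{%- if container in DOCKER.containers and DOCKER.containers[container].ports is defined %}` or document that NODE_CONTAINERS must be a subset of the map. The same three-line guard/loop now appears three times with only the rule text differing; a Jinja macro taking the rule would keep them from drifting. The added `# Generated by iptables-save v1.4.21 on Wed Jan 4 15:23:09 2023` and `# Completed on …` lines are a snapshot timestamp copied into a template and will mislead anyone reading the rendered file on a host; a comment such as `# Rendered from a Salt template; do not hand-edit` is more accurate.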