feat: add firewall module
- add nftables/ipset modules - add custom firewall module
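--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall)
@@ -0,0 +1,26 @@
+# manage the firewall
+class firewall (
+Hash $ipset_queries = {},
+){
+
+$ipset_queries.each |$ipset, $query| {
+$ips = sort(query_nodes($query, 'networking.ip'))
+
+nftables::set{$ipset:
+type => 'ipv4_addr',
+flags => ['dynamic'],
+elements => $ips,
+}
+}
+
+class {'nftables':
+in_ssh => false,
+in_icmp => true,
+out_ntp => false,
+out_dns => false,
+out_http => false,
+out_https => false,
+out_icmp => true,
+out_all => false,
+}
+}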
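Review bot: `$ipset_queries` has no documentation, and the base-class call hard-codes `in_ssh => false`, so inbound SSH is open only on nodes that are also classified with `firewall::rules::in::ssh` — that dependency belongs in the header, since a missing classification leaves the host without SSH access. Suggested header above the class: `# @param ipset_queries Hash of nftables set name => PuppetDB node query; the matching nodes' networking.ip facts become the elements of an ipv4_addr set`, plus a line stating that the nftables defaults disabled here are re-enabled only through the firewall::rules::* classes. Because the elements come from `query_nodes` at compile time, a set only picks up address changes when this node's catalog is next compiled; a comment on that staleness would help operators reading the generated sets.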
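--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::cobbler)
@@ -0,0 +1,13 @@
+class firewall::rules::in::cobbler (
+Array[Stdlib::Port] $ports = [25150,25151],
+Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+) {
+
+$ports.each |$port| {
+$protocols.each |$proto| {
+nftables::rule { "default_in-cobbler_${proto}_${port}":
+content => "${proto} dport ${port} accept",
+}
+}
+}
+}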
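Review bot: The cobbler ports are accepted from any source, whereas `firewall::rules::in::exporters` and `in::dns` on this page can scope their rule to an nftables set; an `Optional[String] $ipset` parameter here, with the `ip saddr @${ipset}` form those classes use, would keep the provisioning service reachable only from the nodes that need it while the default stays unscoped. A one-line header naming what 25150/25151 serve, as `in::exporters` does for its ports, would also help reviewers of the exposed surface.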
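--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::consul)
@@ -0,0 +1,10 @@
+class firewall::rules::in::consul (
+Array[Stdlib::Port] $ports = [8300,8301,8302,8500,8503,8600],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-consul_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}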
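Review bot: The inbound consul rules are tcp-only and unscoped, while `firewall::rules::out::consul` further down this page sends serf traffic on udp 8301/8302 as well and restricts the server ports 8300/8500/8503 with `ip daddr @${ipset}`; if these nodes receive serf gossip, udp 8301/8302 need an inbound rule too (a `$protocols` loop like `in::dns` covers it), and an `Optional[String] $ipset` for the server ports would mirror the egress side. The resource title encodes only the port, so adding a protocol dimension needs `"default_in-consul_${proto}_${port}"` to keep titles unique.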
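--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::dns)
@@ -0,0 +1,19 @@
+class firewall::rules::in::dns (
+Array[Stdlib::Port] $ports = [53],
+Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+Optional[String] $ipset = undef,
+) {
+
+$ports.each |$port| {
+$protocols.each |$proto| {
+if $ipset != '' {
+$rule = "${proto} dport ${port} ip saddr @${ipset} accept"
+}else{
+$rule = "${proto} dport ${port} accept"
+}
+nftables::rule { "default_in-dns_${proto}_${port}":
+content => $rule,
+}
+}
+}
+}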
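Review bot: With the default `Optional[String] $ipset = undef`, the check `if $ipset != '' {` is true on Puppet 4+ (undef does not compare equal to the empty string), so the interpolation produces `udp dport 53 ip saddr @ accept` — a rule with an empty set name that nft should reject as a syntax error, instead of the unscoped rule the `else` branch intends. Test for a non-empty string instead: `if $ipset =~ String[1] {`. The same construct appears in `firewall::rules::in::ssh` further down the page, where it would leave SSH closed on every node that relies on the default.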
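--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::exporters)
@@ -0,0 +1,13 @@
+# 9100: node_exporter
+# 9558: sysstemd_exporter
+class firewall::rules::in::exporters (
+Array[Stdlib::Port] $ports = [9100,9558],
+String $ipset = 'prometheus',
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-metrics_exporter_tcp_${port}":
+content => "tcp dport ${port} ip saddr @${ipset} accept",
+}
+}
+}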
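Review bot: The header comment has a typo: `# 9558: sysstemd_exporter` should read `# 9558: systemd_exporter`. The title prefix `default_in-metrics_exporter_tcp_` also differs from the class name `exporters`, whereas the other classes on this page derive the prefix from their name (`default_in-dns_`, `default_in-ssh_`); `"default_in-exporters_tcp_${port}"` would keep titles predictable when grepping the generated ruleset.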
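--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::http)
@@ -0,0 +1,10 @@
+class firewall::rules::in::http (
+Array[Stdlib::Port] $ports = [80],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-http_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}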
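Review bot: `firewall::rules::in::http` has the same body as `in::https`, `in::ntp` and `in::vault` (and `out::http`/`out::https`) below, varying only in port list, protocol and title prefix, and none of them offers the `$ipset` scoping that `in::dns`, `in::ssh` and `in::exporters` have. Collapsing them into one defined type that takes the ports, the protocol and an `Optional[String] $ipset`, with each class reduced to a single declaration, would remove the copies and make source restriction available to every service at once rather than to the few that happen to have the parameter.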
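--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::https)
@@ -0,0 +1,10 @@
+class firewall::rules::in::https (
+Array[Stdlib::Port] $ports = [443],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-https_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}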
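--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::ntp)
@@ -0,0 +1,10 @@
+class firewall::rules::in::ntp (
+Array[Stdlib::Port] $ports = [123],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-ntp_${port}":
+content => "udp dport ${port} accept",
+}
+}
+}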
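--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::ssh)
@@ -0,0 +1,16 @@
+class firewall::rules::in::ssh (
+Array[Stdlib::Port] $ports = [22],
+Optional[String] $ipset = undef,
+) {
+
+$ports.each |$port| {
+if $ipset != '' {
+$rule = "tcp dport ${port} ip saddr @${ipset} accept"
+}else{
+$rule = "tcp dport ${port} accept"
+}
+nftables::rule { "default_in-ssh_tcp_${port}":
+content => $rule,
+}
+}
+}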
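--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::tftp)
@@ -0,0 +1,13 @@
+class firewall::rules::in::tftp (
+Array[Stdlib::Port] $ports = [69],
+Array[Enum['tcp','udp']] $protocols = ['udp','tcp'],
+) {
+
+$ports.each |$port| {
+$protocols.each |$proto| {
+nftables::rule { "default_in-tftp_${proto}_${port}":
+content => "${proto} dport ${port} accept",
+}
+}
+}
+}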
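Review bot: TFTP (RFC 1350) is carried over UDP only, yet `$protocols` defaults to `['udp','tcp']`, so tcp/69 is opened for a service that never listens on it. A default of `Array[Enum['tcp','udp']] $protocols = ['udp'],` keeps the exposed surface to what the daemon uses; a caller that really needs tcp can still pass it explicitly.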
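--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::in::vault)
@@ -0,0 +1,10 @@
+class firewall::rules::in::vault (
+Array[Stdlib::Port] $ports = [8200, 8201],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_in-vaultserver_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}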
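--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::consul)
@@ -0,0 +1,29 @@
+class firewall::rules::out::consul (
+String $ipset = 'consul',
+) {
+
+# serf traffic (lan and wan)
+nftables::rule { 'default_out-consul_udp_8301':
+content => 'udp dport 8301 accept',
+}
+nftables::rule { 'default_out-consul_tcp_8301':
+content => 'tcp dport 8301 accept',
+}
+nftables::rule { 'default_out-consul_udp_8302':
+content => 'udp dport 8302 accept',
+}
+nftables::rule { 'default_out-consul_tcp_8302':
+content => 'tcp dport 8302 accept',
+}
+
+# communication with servers
+nftables::rule { 'default_out-consul_tcp_8300':
+content => "tcp dport 8300 ip daddr @${ipset} accept",
+}
+nftables::rule { 'default_out-consul_tcp_8500':
+content => "tcp dport 8500 ip daddr @${ipset} accept",
+}
+nftables::rule { 'default_out-consul_tcp_8503':
+content => "tcp dport 8503 ip daddr @${ipset} accept",
+}
+}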
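Review bot: The seven rules are written out by hand while every other class on this page loops over a `$ports` parameter, so neither the serf ports 8301/8302 nor the server ports 8300/8500/8503 can be overridden from Hiera. Two port arrays with two loops — udp and tcp unscoped for serf, tcp with `ip daddr @${ipset}` for the servers — produce exactly the current titles and contents and bring the class in line with the others.
```puppet
class firewall::rules::out::consul (
  String $ipset = 'consul',
  Array[Stdlib::Port] $serf_ports = [8301, 8302],
  Array[Stdlib::Port] $server_ports = [8300, 8500, 8503],
) {
  # serf traffic (lan and wan)
  $serf_ports.each |$port| {
    ['udp', 'tcp'].each |$proto| {
      nftables::rule { "default_out-consul_${proto}_${port}":
        content => "${proto} dport ${port} accept",
      }
    }
  }
  # communication with servers
  $server_ports.each |$port| {
    nftables::rule { "default_out-consul_tcp_${port}":
      content => "tcp dport ${port} ip daddr @${ipset} accept",
    }
  }
}
```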
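--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::dns)
@@ -0,0 +1,14 @@
+class firewall::rules::out::dns (
+String $ipset = 'dns_resolver',
+Array[Stdlib::Port] $ports = [53],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-dns_udp_${port}":
+content => "udp dport ${port} ip daddr @${ipset} accept",
+}
+nftables::rule { "default_out-dns_tcp_${port}":
+content => "tcp dport ${port} ip daddr @${ipset} accept",
+}
+}
+}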
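--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::http)
@@ -0,0 +1,10 @@
+class firewall::rules::out::http (
+Array[Stdlib::Port] $ports = [80],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-http_tcp_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}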
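Review bot: Outbound tcp/80 is accepted to any destination, and `firewall::rules::out::https` below does the same for 443, so the `out_all => false` set in the base class still leaves an unrestricted egress path on the two ports most useful for reaching arbitrary hosts; `out::dns`, `out::ntp`, `out::puppet` and `out::vault` on this page all scope egress with `ip daddr @${ipset}`. An `Optional[String] $ipset` on both classes, defaulting to the current unscoped rule, would let nodes that only need a package mirror or proxy be pinned to it without changing anyone else's behaviour.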
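--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::https)
@@ -0,0 +1,10 @@
+class firewall::rules::out::https (
+Array[Stdlib::Port] $ports = [443],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-https_tcp_${port}":
+content => "tcp dport ${port} accept",
+}
+}
+}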
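--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::ntp)
@@ -0,0 +1,11 @@
+class firewall::rules::out::ntp (
+String $ipset = 'ntp',
+Array[Stdlib::Port] $ports = [123],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-ntp_udp_${port}":
+content => "udp dport ${port} ip daddr @${ipset} accept",
+}
+}
+}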
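--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::puppet)
@@ -0,0 +1,11 @@
+class firewall::rules::out::puppet (
+String $ipset = 'puppetmaster',
+Array[Stdlib::Port] $ports = [8140],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-puppet_${port}":
+content => "tcp dport ${port} ip daddr @${ipset} accept",
+}
+}
+}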
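--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (class firewall::rules::out::vault)
@@ -0,0 +1,11 @@
+class firewall::rules::out::vault (
+String $ipset = 'vault',
+Array[Stdlib::Port] $ports = [8200],
+) {
+
+$ports.each |$port| {
+nftables::rule { "default_out-vault_${port}":
+content => "tcp dport ${port} ip daddr @${ipset} accept",
+}
+}
+}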