From 04cecf737c904313863075412ea6b5a8d7cad328 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss
Date: Sun, 11 Sep 2016 16:54:07 +0200
Subject: [PATCH] Add iptables rules to testvm

---
 test-vagrant-salt/salt/gateway/iptables.rules | 5 +-
 test-vagrant-salt/salt/testvm/init.sls | 1 +
 test-vagrant-salt/salt/testvm/iptables/init.sls | 22 ++++++++
 .../salt/testvm/iptables/iptables.rules | 61 ++++++++++++++++++++++
 4 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 test-vagrant-salt/salt/testvm/iptables/init.sls
 create mode 100644 test-vagrant-salt/salt/testvm/iptables/iptables.rules

diff --git a/test-vagrant-salt/salt/gateway/iptables.rules b/test-vagrant-salt/salt/gateway/iptables.rules
index 612f07b..178b401 100644
--- a/test-vagrant-salt/salt/gateway/iptables.rules
+++ b/test-vagrant-salt/salt/gateway/iptables.rules
@@ -1,4 +1,4 @@
-# Gateway firwall configuration
+# Gateway firewall configuration
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
@@ -38,6 +38,9 @@
 # Forward HTTP, HTTPS
 -4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
 -4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT
+
+# Log dropped packets
+-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
 COMMIT
 
 *nat
diff --git a/test-vagrant-salt/salt/testvm/init.sls b/test-vagrant-salt/salt/testvm/init.sls
index 44acbea..484fe1a 100644
--- a/test-vagrant-salt/salt/testvm/init.sls
+++ b/test-vagrant-salt/salt/testvm/init.sls
@@ -1,3 +1,4 @@
 include:
+  - .iptables
   - .users
   - .postfix
diff --git a/test-vagrant-salt/salt/testvm/iptables/init.sls b/test-vagrant-salt/salt/testvm/iptables/init.sls
new file mode 100644
index 0000000..a4996d6
--- /dev/null
+++ b/test-vagrant-salt/salt/testvm/iptables/init.sls
@@ -0,0 +1,22 @@
+# Firewall configuration
+iptables-persistent:
+  pkg.installed
+
+netfilter-persistent:
+  service.running:
+    - require:
+      - pkg: iptables-persistent
+
+/etc/iptables/rules.v4:
+  file.managed:
+    - source: salt://testvm/iptables/iptables.rules
+    - makedirs: True
+    - watch_in:
+      - service: netfilter-persistent
+
+/etc/iptables/rules.v6:
+  file.symlink:
+    - target: rules.v4
+    - force: True
+    - watch_in:
+      - service: netfilter-persistent
diff --git a/test-vagrant-salt/salt/testvm/iptables/iptables.rules b/test-vagrant-salt/salt/testvm/iptables/iptables.rules
new file mode 100644
index 0000000..58c4c45
--- /dev/null
+++ b/test-vagrant-salt/salt/testvm/iptables/iptables.rules
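Review bot: Making `/etc/iptables/rules.v6` a symlink onto `rules.v4` means both families load the one Salt-managed file (which works only because the rules carry `-4`/`-6` line prefixes), and it also means that anyone running `netfilter-persistent save` on the VM would write live `ip6tables-save` output through the symlink and clobber the managed file; that constraint should be written down. I would put a comment above the symlink state such as `# rules.v4 is shared with ip6tables via -4/-6 prefixes; never run 'netfilter-persistent save' here, it overwrites the managed file`. The symlink state also has neither `require` on the package nor `makedirs`, unlike the `rules.v4` state, so it relies on declaration order for `/etc/iptables` to exist; `- require:` / `  - pkg: iptables-persistent` would make that explicit. Finally, the `watch_in` restarts `netfilter-persistent` whenever the file changes, and depending on the plugin's stop behaviour on this Debian release that may briefly leave the policies permissive — worth confirming rather than assuming.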
@@ -0,0 +1,61 @@
+# Test VM firewall configuration
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# Trust local loopback
+-A INPUT -i lo -j ACCEPT
+
+# Drop invalid packets
+-A INPUT -m conntrack --ctstate INVALID -j DROP
+
+# Accept everything on ICMP
+-4 -A INPUT -p icmp -j ACCEPT
+-6 -A INPUT -p ipv6-icmp -j ACCEPT
+
+# Drop DHCP requests but accept answers
+-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
+-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
+
+-A INPUT -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Accept only SSH from eth0 (Vagrant network)
+-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN eth0 DROP] "
+-A INPUT -i eth0 -j DROP
+
+# Accept SMTP from the internal network
+-4 -A INPUT -i eth1 -s 192.168.33.0/24 -p tcp -m tcp --dport 25 -j ACCEPT
+
+# Accept DNS, NTP
+-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
+
+# Log and drop
+-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
+-A INPUT -j DROP
+
+# Filter output
+-A OUTPUT -o lo -j ACCEPT
+-4 -A OUTPUT -p icmp -j ACCEPT
+-6 -A OUTPUT -p ipv6-icmp -j ACCEPT
+-4 -A OUTPUT -p udp -m udp --dport 68 --sport 67 -j DROP
+-4 -A OUTPUT -p udp -m udp --dport 67 --sport 68 -j ACCEPT
+-A OUTPUT -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+-A OUTPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
+
+# Do not send anything to eth0 but DNS and established SSH connections (Vagrant network)
+-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j ACCEPT
+-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j ACCEPT
+-A OUTPUT -o eth0 -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[OUT eth0 DROP] "
+-A OUTPUT -o eth0 -j DROP
+
+# Accept sending dns, http, https, smtp to eth1
+-4 -A 
OUTPUT -o eth1 -p tcp -m multiport --dports 25,53,80,443 -j ACCEPT
+-4 -A OUTPUT -o eth1 -p udp -m udp --dport 53 -j ACCEPT
+
+-A OUTPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[OUT DROP] "
+-A OUTPUT -j DROP
+COMMIT
-- 
2.1.4
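Review bot: The `# Accept DNS, NTP` rule `-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT` opens local UDP ports 53 and 123 to any source on every interface other than eth0 (eth0 is already dropped just above it), and for both IP families, yet nothing in this file suggests the VM serves DNS or NTP, and replies to its own queries are already accepted by the preceding `--ctstate ESTABLISHED` rules. If client traffic was the intent, the gap is on the OUTPUT side, where eth1 permits UDP 53 but never UDP 123, so an NTP client cannot work at all; I would drop the INPUT rule and widen the eth1 output line to `-4 -A OUTPUT -o eth1 -p udp -m multiport --dports 53,123 -j ACCEPT`. If a listening service really is intended, it should at least be scoped like the SMTP rule with `-i eth1 -s 192.168.33.0/24`. Separately, `-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -j ACCEPT` is wider than the "established SSH connections" comment: established replies are already matched by the ESTABLISHED rule, so this line additionally lets any locally originated packet with source port 22 leave on eth0 — presumably harmless on a test VM, but worth either a comment saying so or removing the line.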