Puppet Class: iptables::rules::base

Defined in:
manifests/rules/base.pp

Overview

NOTE: THIS IS A PRIVATE CLASS

Set up the basic iptables rules pertinent to system security

The rules defined here follow this ordering convention (the `order` value of each `iptables_rule`; lower values are evaluated first):

  • 1 — ESTABLISHED,RELATED accept rule.
  • 2–5 — Standard ACCEPT/DENY rules.
  • 6–10 — Jumps to other rule sets.
  • 11–20 — Pure accept rules.
  • 22–30 — Logging and rejection rules.

Anything not matched by an earlier rule falls through to the final unconditional DROP that this class appends to the chain.

Parameters:

  • allow_ping (Boolean) (defaults to: true)

    Allow ICMP type 8 (echo-request, i.e. ping) packets into the host. When the `ipv6_enabled` fact is defined and true, the equivalent ICMPv6 echo-request rule is added as well.

    • This is enabled by default for RFC 1122 (Section 3.2.2.6) compliance, which says a host SHOULD answer echo requests. Set it to `false` only if you accept that the host will not be discoverable by ping.

  • drop_broadcast (Boolean) (defaults to: true)

    Drop all broadcast traffic to this host (matched with `-m pkttype --pkt-type broadcast` for both IPv4 and IPv6; IPv6 has no broadcast addressing, so the IPv6 rule is effectively a no-op in practice).

  • drop_multicast (Boolean) (defaults to: true)

    Drop all multicast traffic to this host. Note that the two address families are not matched the same way: the IPv6 rule matches link-layer multicast packets (`-m pkttype --pkt-type multicast`), whereas the IPv4 rule matches packets whose *source* address is multicast (`-m addrtype --src-type MULTICAST`), which is a bogon filter rather than a drop of multicast destined to the host. Verify the IPv4 behaviour against your expectations before relying on this parameter.

See Also:



# File 'manifests/rules/base.pp', line 25

# Base iptables rule set applied to every host: wires INPUT/FORWARD into the
# LOCAL-INPUT chain, accepts loopback and conntrack ESTABLISHED,RELATED
# traffic, optionally accepts echo-request, optionally drops broadcast and
# multicast, logs remaining NEW packets and finally drops everything else.
#
# Ordering follows the module convention (see the class documentation):
# 1 = ESTABLISHED,RELATED, 2-5 = standard accept/deny, 11-20 = pure accepts,
# 22-30 = logging and rejection.
#
# Review notes for practitioners:
#   * The IPv4 and IPv6 "drop multicast" rules do not match the same thing
#     (see the comments on those resources).
#   * The LOG rule has no rate limit; a flood of NEW packets will flood the
#     system log (see the comment on 'log_all').
#   * Nothing in this class admits ICMPv6 neighbour discovery (types 133-137);
#     if no other rule set does, the final DROP will break IPv6 on-link
#     operation. Confirm where those are allowed.
#
# @param allow_ping      Accept ICMP echo-request (IPv4 always; IPv6 only when
#                        the ipv6_enabled fact is defined and true).
# @param drop_broadcast  Drop link-layer broadcast packets (IPv4 and IPv6).
# @param drop_multicast  Drop multicast (see per-family caveat below).
class iptables::rules::base (
  Boolean $allow_ping     = true,
  Boolean $drop_broadcast = true,
  Boolean $drop_multicast = true
){
  # Private class: only the module's own classes may declare it.
  assert_private()

  # Send INPUT and FORWARD through the LOCAL-INPUT chain that all other rules
  # in this module populate. 'first'/'absolute'/'header' are iptables_rule
  # type attributes; presumably they pin this at the top of the filter table
  # without a chain header -- verify against the type's documentation.
  iptables_rule { 'global':
    table    => 'filter',
    first    => true,
    absolute => true,
    header   => false,
    content  => '-A INPUT -j LOCAL-INPUT
                  -A FORWARD -j LOCAL-INPUT',
    apply_to =>  'all'
  }

  # Loopback is trusted unconditionally (order 2, after conntrack).
  iptables_rule { 'allow_lo':
    table    => 'filter',
    order    => '2',
    content  => '-i lo -j ACCEPT',
    apply_to => 'all'
  }

  # Order 1: return traffic for tracked flows. '-m state' is the legacy
  # alias of '-m conntrack --ctstate' and behaves the same here.
  iptables_rule { 'established_related':
    table    => 'filter',
    order    => '1',
    content  => '-m state --state ESTABLISHED,RELATED -j ACCEPT',
    apply_to => 'all'
  }

  if $allow_ping {
    # Respond to pings per RFC 1122 - Section: 3.2.2.6
    iptables_rule { 'allow_v4_echo_request':
      table    => 'filter',
      order    => '11',
      content  => '-p icmp --icmp-type echo-request -j ACCEPT',
      apply_to => 'ipv4'
    }

    # The IPv6 counterpart is only emitted when the ipv6_enabled fact exists
    # and is true; on IPv6-disabled hosts ip6tables is left untouched.
    if ( defined('$::ipv6_enabled') and getvar('::ipv6_enabled') ) {
      iptables_rule { 'allow_v6_echo_request':
        table    => 'filter',
        order    => '11',
        content  => '-p icmpv6 --icmpv6-type echo-request -j ACCEPT',
        apply_to => 'ipv6'
      }
    }
  }

  if $drop_broadcast {
    # Link-layer broadcast frames (pkttype match), order 27.
    iptables_rule { 'drop_broadcast':
      table    => 'filter',
      order    => '27',
      content  => '-m pkttype --pkt-type broadcast -j DROP',
      apply_to => 'ipv4'
    }

    # IPv6 has no broadcast addressing, so this rule is effectively a no-op;
    # it is kept for symmetry with the IPv4 rule.
    iptables_rule { 'drop_v6_broadcast':
      table    => 'filter',
      order    => '27',
      content  => '-m pkttype --pkt-type broadcast -j DROP',
      apply_to => 'ipv6'
    }
  }

  if $drop_multicast {
    # IPv6: drops link-layer multicast packets delivered to this host.
    iptables_rule { 'drop_v6_multicast':
      table    => 'filter',
      order    => '27',
      content  => '-m pkttype --pkt-type multicast -j DROP',
      apply_to => 'ipv6'
    }

    # NOTE(review): IPv4 uses addrtype --src-type, which matches packets whose
    # SOURCE address is multicast (never legitimate, so this is a bogon
    # filter). It does NOT drop multicast destined to this host the way the
    # IPv6 rule does. If the documented intent ("drop all multicast traffic
    # to this host") is required, '-m pkttype --pkt-type multicast' (as used
    # for IPv6) is the matching rule -- changing it is a policy decision
    # that affects every host with the default drop_multicast => true.
    iptables_rule { 'drop_v4_multicast':
      table    => 'filter',
      order    => '27',
      content  => '-m addrtype --src-type MULTICAST -j DROP',
      apply_to => 'ipv4'
    }
  }

  # Log
  # Every packet still unmatched in state NEW is logged with prefix "IPT:"
  # before the final DROP. There is no '-m limit', so an attacker (or a
  # misconfigured peer) can fill the system log at line rate; consider a
  # rate limit such as '-m limit --limit 5/min --limit-burst 10' if log
  # volume matters on your hosts.
  iptables_rule { 'log_all':
    table    => 'filter',
    order    => '29',
    content  => '-m state --state NEW -j LOG --log-prefix "IPT:"',
    apply_to => 'all'
  }

  # Drop All
  # Default-deny for anything not accepted above. No 'order' is given and
  # 'absolute' is set; presumably the type appends this at the very end of
  # the chain -- verify, since a rule sorted after it would never match.
  iptables_rule { 'drop_all':
    table    => 'filter',
    absolute => true,
    content  => '-j DROP',
    apply_to => 'all'
  }
}