You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
143 lines
5.0 KiB
Kotlin
143 lines
5.0 KiB
Kotlin
package org.domaindrivenarchitecture.provs.framework.extensions.server_software.standalone_server.firewall
|
|
|
|
import org.domaindrivenarchitecture.provs.framework.core.Prov
|
|
import org.domaindrivenarchitecture.provs.framework.core.ProvResult
|
|
import org.domaindrivenarchitecture.provs.framework.ubuntu.install.base.aptInstall
|
|
|
|
|
|
fun Prov.saveIpTables() = requireAll {
|
|
sh("""
|
|
iptables-save > /etc/iptables/rules.v4
|
|
ip6tables-save > /etc/iptables/rules.v6
|
|
|
|
netfilter-persistent save""",
|
|
sudo = true)
|
|
}
|
|
|
|
|
|
fun Prov.makeIpTablesPersistent() = requireAll {
|
|
// inspired by https://gist.github.com/alonisser/a2c19f5362c2091ac1e7
|
|
// enables iptables-persistent to be installed without manual input
|
|
sh("""
|
|
echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections
|
|
echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections
|
|
""".trimIndent())
|
|
|
|
aptInstall("iptables-persistent netfilter-persistent")
|
|
saveIpTables()
|
|
}
|
|
|
|
|
|
fun Prov.resetFirewall() = requireAll {
|
|
sh("""
|
|
#!/bin/bash
|
|
sudo iptables -F
|
|
sudo iptables -X
|
|
sudo iptables -t nat -F
|
|
sudo iptables -t nat -X
|
|
sudo iptables -t mangle -F
|
|
sudo iptables -t mangle -X
|
|
|
|
# the rules allow us to reconnect by opening up all traffic.
|
|
sudo iptables -P INPUT ACCEPT
|
|
sudo iptables -P FORWARD ACCEPT
|
|
sudo iptables -P OUTPUT ACCEPT
|
|
|
|
# print out all rules to the console after running this file.
|
|
sudo iptables -nL
|
|
""", sudo = true
|
|
)
|
|
}
|
|
|
|
|
|
fun Prov.provisionFirewall(addNetworkProtections: Boolean = false) = requireAll {
|
|
if (addNetworkProtections) {
|
|
networkProtections()
|
|
}
|
|
|
|
// inspired by: https://github.com/ChrisTitusTech/firewallsetup/blob/master/firewall
|
|
sh("""
|
|
# Firewall
|
|
|
|
# Accept all traffic first to avoid ssh lockdown via iptables firewall rules #
|
|
iptables -P INPUT ACCEPT
|
|
iptables -P FORWARD ACCEPT
|
|
iptables -P OUTPUT ACCEPT
|
|
|
|
# Flush all chains
|
|
iptables --flush
|
|
|
|
# Allow unlimited traffic on the loopback interface
|
|
iptables -A INPUT -i lo -j ACCEPT
|
|
iptables -A OUTPUT -o lo -j ACCEPT
|
|
|
|
# Previously initiated and accepted exchanges bypass rule checking
|
|
# Allow unlimited outbound traffic
|
|
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
|
|
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
#Ratelimit SSH for attack protection
|
|
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
|
|
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
|
|
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
|
|
|
|
# Allow http/https ports to be accessible from the outside
|
|
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT # http
|
|
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT # https
|
|
|
|
# UDP packet rule. This is just a random udp packet rule as an example only
|
|
# iptables -A INPUT -p udp --dport 5021 -m state --state NEW -j ACCEPT
|
|
|
|
# Allow pinging of your server
|
|
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
|
|
|
|
|
|
# Drop all other traffic
|
|
iptables -A INPUT -j DROP
|
|
|
|
# print the activated rules to the console when script is completed
|
|
iptables -nL
|
|
|
|
# Set default policies
|
|
iptables --policy INPUT DROP
|
|
iptables --policy OUTPUT DROP
|
|
iptables --policy FORWARD DROP
|
|
""", sudo = true)
|
|
if (chk("docker -v")) {
|
|
ipTablesRecreateDockerRules()
|
|
} else {
|
|
ProvResult(true, "No need to create iptables docker rules as no docker installed.")
|
|
}
|
|
}
|
|
|
|
|
|
fun Prov.networkProtections() = def {
|
|
sh("""
|
|
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
|
|
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
|
|
|
|
# Drop source routed packets
|
|
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
|
|
|
|
# Enable TCP SYN cookie protection from SYN floods
|
|
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
|
|
|
|
# Don't accept ICMP redirect messages
|
|
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
|
|
|
|
# Don't send ICMP redirect messages
|
|
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
|
|
|
|
# Enable source address spoofing protection
|
|
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
|
|
|
|
# Log packets with impossible source addresses
|
|
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
|
|
""".trimIndent())
|
|
}
|
|
|
|
|
|
fun Prov.ipTablesRecreateDockerRules() = requireAll {
|
|
// see https://stackoverflow.com/questions/25917941/docker-how-to-re-create-dockers-additional-iptables-rules
|
|
cmd("sudo service docker restart")
|
|
} |