Diffstat (limited to 'doc/forum/How_to_make_P.Property.Firewall.rule_persistent')
-rw-r--r--doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment94
-rw-r--r--doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_2_bd74fdd792309a70d7de5f5198cf1092._comment21
-rw-r--r--doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_3_f9fb0a214ee8bc4fac11c3c16747cbe2._comment8
-rw-r--r--doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_4_b3880a95912d446befd537a74989cba4._comment87
4 files changed, 210 insertions, 0 deletions
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment
new file mode 100644
index 00000000..06939eec
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment
@@ -0,0 +1,94 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="A first attempt"
+ date="2019-07-18T23:30:44Z"
+ content="""
+Here's what I came up with. I don't know if I'm missing some more obvious way. Thanks to Stefan Gronke on github for answering \"what's a simple way to make an iptables systemd service\"
+
+[[!format haskell \"\"\"
+module Propellor.Property.SiteSpecific.Tethera.Firewall (
+ iptablesRules
+ , iptablesUnits
+ , saved
+ ) where
+
+import Propellor.Base
+import Propellor.Property.Firewall
+-- import qualified Propellor.Property.Cmd as Cmd
+import qualified Propellor.Property.File as File
+
+iptablesRules :: [Port] -> [Port] -> Property DebianLike
+iptablesRules tcpPorts udpPorts = propertyList \"IPTables based firewall\" $ props
+ & installed
+ & rule INPUT Filter DROP (Ctstate [INVALID])
+ & rule INPUT Filter ACCEPT (InIFace \"lo\")
+ & rule OUTPUT Filter ACCEPT (OutIFace \"lo\")
+ & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
+ & rule INPUT Filter ACCEPT (Proto ICMP)
+ & openPorts TCP tcpPorts
+ & openPorts UDP udpPorts
+ & rule OUTPUT Filter ACCEPT Everything
+ & rule INPUT Filter DROP Everything
+ & rule FORWARD Filter DROP Everything
+ where
+ openPorts proto lst = combineProperties \"open TCP ports\" $
+ toProps (map
+ (\p -> (rule INPUT Filter ACCEPT
+ ((Proto proto) :- (DPort p)) ))
+ lst)
+
+saved :: Property UnixLike
+saved = combineProperties \"iptables rules saved\" $ props
+ & cmdProperty \"iptables-save\" [\"-f\", rulesFile ]
+ `changesFile` rulesFile
+ `requires` File.dirExists rulesDir
+ & cmdProperty \"ip6tables-save\" [\"-f\", rules6File ]
+ `changesFile` rules6File
+ `requires` File.dirExists rulesDir
+ where
+ rulesDir = \"/etc/iptables\"
+ rulesFile = rulesDir ++ \"/iptables.rules\"
+ rules6File = rulesDir ++ \"/ip6tables.rules\"
+
+iptablesUnits :: Property UnixLike
+iptablesUnits = combineProperties \"systemd units for iptables\" $ props
+ & unitFile \"iptables\"
+ & unitFile \"ip6tables\"
+ where
+ unitDir = \"/etc/systemd/system\"
+ unitFile baseName = combineProperties (\"systemd units for \" ++ baseName) $ props
+ & File.hasContent (unitDir ++ \"/\"++baseName++\".service\")
+ [
+ \"[Unit]\"
+ , \"Description=Packet Filtering Framework\"
+ , \"DefaultDependencies=no\"
+ , \"After=systemd-sysctl.service\"
+ , \"Before=sysinit.target\"
+ , \"[Service]\"
+ , \"Type=oneshot\"
+ , \"ExecStart=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecReload=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecStop=/usr/local/bin/flush-\"++baseName++\".sh\"
+ , \"RemainAfterExit=yes\"
+ , \"[Install]\"
+ , \"WantedBy=multi-user.target\"
+ ]
+ & File.hasContent fipSh
+ [
+ \"#!/bin/sh\"
+ , \"iptables -F\"
+ , \"iptables -X\"
+ , \"iptables -t nat -F\"
+ , \"iptables -t nat -X\"
+ , \"iptables -t mangle -F\"
+ , \"iptables -t mangle -X\"
+ , \"iptables -P INPUT ACCEPT\"
+ , \"iptables -P FORWARD ACCEPT\"
+ , \"iptables -P OUTPUT ACCEPT\"
+ ]
+ & File.mode fipSh 0755
+ where
+ fipSh = \"/usr/local/bin/flush-\"++baseName++\".sh\"
+\"\"\"]]
+"""]]
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_2_bd74fdd792309a70d7de5f5198cf1092._comment b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_2_bd74fdd792309a70d7de5f5198cf1092._comment
new file mode 100644
index 00000000..93944ebf
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_2_bd74fdd792309a70d7de5f5198cf1092._comment
@@ -0,0 +1,21 @@
+[[!comment format=mdwn
+ username="joey"
+ subject="""comment 2"""
+ date="2019-07-19T14:09:01Z"
+ content="""
+Funny, I never considered that the Firewall properties don't do anything
+persistent.
+
+I don't think we want to get propellor involved in booting the system,
+either..
+
+Using iptables-save seems to have a problem: If there are other iptables
+rules that were not set by this run of propellor, it will save those
+as well. So it could save rules that were set up by something else that was
+intended to be temporary, or perhaps rules that were set by a earlier
+propellor config and that then got deleted out of the propellor config.
+
+Another way to do it could be to have Firewall.rule add its configuration
+to Info and then Firewall.save could see the collected Info from all
+the rules and use it to generate the boot script itself.
+"""]]
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_3_f9fb0a214ee8bc4fac11c3c16747cbe2._comment b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_3_f9fb0a214ee8bc4fac11c3c16747cbe2._comment
new file mode 100644
index 00000000..ad4bad4a
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_3_f9fb0a214ee8bc4fac11c3c16747cbe2._comment
@@ -0,0 +1,8 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="Firewall.flush needed?"
+ date="2019-08-03T15:38:21Z"
+ content="""
+A simple(-minded) solution to the problem with ip-tables-save is to provide a way to invoke \"iptables -F\". It seems like this is needed in general, just to have a known starting point. At least most examples of setting up a firewall with iptables start by flushing the existing rules.
+"""]]
diff --git a/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_4_b3880a95912d446befd537a74989cba4._comment b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_4_b3880a95912d446befd537a74989cba4._comment
new file mode 100644
index 00000000..511deffa
--- /dev/null
+++ b/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_4_b3880a95912d446befd537a74989cba4._comment
@@ -0,0 +1,87 @@
+[[!comment format=mdwn
+ username="david"
+ avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
+ subject="giving up on Firewall persistence"
+ date="2019-08-11T11:29:07Z"
+ content="""
+I ran out of time/motivation to do this \"right\", so I just hardcoded all the things, and made a new module called IPTables
+
+[[!format haskell \"\"\"
+module Propellor.Property.SiteSpecific.Tethera.IPTables (
+ systemdUnits
+ , rules
+ ) where
+
+import Propellor.Base
+import qualified Propellor.Property.File as File
+
+
+systemdUnits :: Property UnixLike
+systemdUnits = combineProperties \"systemd units for iptables\" $ props
+ & unitFile \"iptables\"
+ & unitFile \"ip6tables\"
+ where
+ unitDir = \"/etc/systemd/system\"
+ unitFile baseName = combineProperties (\"systemd units for \" ++ baseName) $ props
+ & File.hasContent (unitDir ++ \"/\"++baseName++\".service\")
+ [
+ \"[Unit]\"
+ , \"Description=Packet Filtering Framework\"
+ , \"DefaultDependencies=no\"
+ , \"After=systemd-sysctl.service\"
+ , \"Before=sysinit.target\"
+ , \"[Service]\"
+ , \"Type=oneshot\"
+ , \"ExecStart=/sbin/\"++baseName++\"-restore -n /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecReload=/sbin/\"++baseName++\"-restore -n /etc/iptables/\"++baseName++\".rules\"
+ , \"ExecStop=/usr/local/bin/flush-\"++baseName++\".sh\"
+ , \"RemainAfterExit=yes\"
+ , \"[Install]\"
+ , \"WantedBy=multi-user.target\"
+ ]
+ & File.hasContent fipSh
+ [
+ \"#!/bin/sh\"
+ , baseName ++ \" -F INPUT\"
+ , baseName ++ \" -F FORWARD\"
+ , baseName ++ \" -F OUTPUT\"
+ , baseName ++ \" -P INPUT ACCEPT\"
+ , baseName ++ \" -P FORWARD ACCEPT\"
+ , baseName ++ \" -P OUTPUT ACCEPT\"
+ ]
+ & File.mode fipSh 0o0755
+ where
+ fipSh = \"/usr/local/bin/flush-\"++baseName++\".sh\"
+
+
+-- this currently makes the possibly bad assumption that the same rule
+-- file will work for both v4 and v6
+rules :: Property UnixLike
+rules = combineProperties \"systemd units for iptables\" $ props
+ & ruleFile \"iptables\"
+ & ruleFile \"ip6tables\"
+ where
+ ruleDir = \"/etc/iptables\"
+ ruleFile baseName = combineProperties (baseName ++ \" rules\") $ props
+ & File.hasContent (ruleDir ++ \"/\"++baseName++\".rules\")
+
+ [ \"*filter\"
+ , \":INPUT ACCEPT [0:0]\"
+ , \":FORWARD ACCEPT [0:0]\"
+ , \":OUTPUT ACCEPT [0:0]\"
+ , \"-A INPUT -m conntrack --ctstate INVALID -j DROP\"
+ , \"-A INPUT -i lo -j ACCEPT\"
+ , \"-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\"
+ , \"-A INPUT -p icmp -j ACCEPT\"
+ , \"-6 -A INPUT -p ipv6-icmp -j ACCEPT\"
+ , \"-6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT\"
+ , \"-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\"
+ , \"-A INPUT -j DROP\"
+ , \"-A FORWARD -j DROP\"
+ , \"-A OUTPUT -o lo -j ACCEPT\"
+ , \"-A OUTPUT -j ACCEPT\"
+ , \"COMMIT\"
+ ]
+ `requires` File.dirExists ruleDir
+\"\"\"]]
+"""]]