summaryrefslogtreecommitdiff
path: root/doc/forum/How_to_make_P.Property.Firewall.rule_persistent/comment_1_0656133cfbc13b7369a74f351a9388c4._comment
blob: 06939eecc51130cbdfe6596a465a89946c2f6db4 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
[[!comment format=mdwn
 username="david"
 avatar="http://cdn.libravatar.org/avatar/22c2d800db6a7699139df604a67cb221"
 subject="A  first attempt"
 date="2019-07-18T23:30:44Z"
 content="""
Here's what I came up with. I don't know if I'm missing some more obvious way. Thanks to Stefan Gronke on github for answering \"what's a simple way to make an iptables systemd service\"

[[!format haskell \"\"\"
module Propellor.Property.SiteSpecific.Tethera.Firewall (
    iptablesRules
  , iptablesUnits
  , saved
  ) where

import Propellor.Base
import Propellor.Property.Firewall
-- import qualified Propellor.Property.Cmd as Cmd
import qualified Propellor.Property.File as File

iptablesRules :: [Port] -> [Port] -> Property DebianLike
iptablesRules tcpPorts udpPorts = propertyList \"IPTables based firewall\" $ props
  & installed
  & rule INPUT Filter DROP (Ctstate [INVALID])
  & rule INPUT Filter ACCEPT (InIFace \"lo\")
  & rule OUTPUT Filter ACCEPT (OutIFace \"lo\")
  & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
  & rule INPUT Filter ACCEPT (Proto ICMP)
  & openPorts TCP tcpPorts
  & openPorts UDP udpPorts
  & rule OUTPUT Filter ACCEPT Everything
  & rule INPUT Filter DROP Everything
  & rule FORWARD Filter DROP Everything
  where
    openPorts proto lst = combineProperties \"open TCP ports\" $
                   toProps (map
                             (\p -> (rule INPUT Filter ACCEPT 
                                     ((Proto proto) :- (DPort p)) ))
                             lst)

saved :: Property UnixLike
saved = combineProperties \"iptables rules saved\" $ props
  & cmdProperty \"iptables-save\" [\"-f\", rulesFile ]
        `changesFile` rulesFile
    `requires` File.dirExists rulesDir
  & cmdProperty \"ip6tables-save\" [\"-f\", rules6File ]
        `changesFile` rules6File
    `requires` File.dirExists rulesDir
  where
    rulesDir = \"/etc/iptables\"
    rulesFile = rulesDir ++ \"/iptables.rules\"
    rules6File = rulesDir ++ \"/ip6tables.rules\"

iptablesUnits :: Property UnixLike  
iptablesUnits = combineProperties \"systemd units for iptables\" $ props
                & unitFile \"iptables\"
                & unitFile \"ip6tables\"                
  where
    unitDir = \"/etc/systemd/system\"
    unitFile baseName = combineProperties (\"systemd units for \" ++ baseName) $ props
                & File.hasContent (unitDir ++ \"/\"++baseName++\".service\")
                [
                  \"[Unit]\"
                , \"Description=Packet Filtering Framework\"
                , \"DefaultDependencies=no\"
                , \"After=systemd-sysctl.service\"
                , \"Before=sysinit.target\"
                , \"[Service]\"
                , \"Type=oneshot\"
                , \"ExecStart=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
                , \"ExecReload=/sbin/\"++baseName++\"-restore /etc/iptables/\"++baseName++\".rules\"
                , \"ExecStop=/usr/local/bin/flush-\"++baseName++\".sh\"
                , \"RemainAfterExit=yes\"
                , \"[Install]\"
                , \"WantedBy=multi-user.target\"
                ]
                & File.hasContent fipSh
                [
                  \"#!/bin/sh\"
                , \"iptables -F\"
                , \"iptables -X\"
                , \"iptables -t nat -F\"
                , \"iptables -t nat -X\"
                , \"iptables -t mangle -F\"
                , \"iptables -t mangle -X\"
                , \"iptables -P INPUT ACCEPT\"
                , \"iptables -P FORWARD ACCEPT\"
                , \"iptables -P OUTPUT ACCEPT\"
                ]
                & File.mode fipSh 0755
      where
            fipSh = \"/usr/local/bin/flush-\"++baseName++\".sh\"
\"\"\"]]
"""]]