Commit ef445b7e authored by m.pausch's avatar m.pausch

Merge branch 'mr-firewall-destination-ips' into 'master'

Add support for arrays of destination IPs.

See merge request !43
parents 1833db09 13945983
......@@ -42,6 +42,19 @@ module Sys
end
end
def build_set_of_ips(ips)
set_of_ips = Array(ips).map { |ip| IPAddr.new(ip) }
# Only works on buster and newer. In older debian-versions
# there is no prefix-method for IPv4-addresses.
addrs = set_of_ips.map { |ip| "#{ip}/#{ip.prefix}" }
if addrs.length == 1
addrs.first
else
"{#{addrs.join(', ')}}"
end
end
def port_to_s(p)
if p.is_a?(String)
p
......@@ -116,19 +129,14 @@ module Sys
firewall_rule << "oif #{rule_resource.dest_interface} " if rule_resource.dest_interface
if rule_resource.source
source_ips = Array(rule_resource.source).map { |ip| IPAddr.new(ip) }
source_ips.delete(IPAddr.new('0.0.0.0/0'))
source_ips.delete(IPAddr.new('::/128'))
# Only works on buster and newer. In older debian-versions
# there is no prefix-method for IPv4-addresses.
addrs = source_ips.map { |ip| "#{ip}/#{ip.prefix}" }
if addrs.length == 1
firewall_rule << "#{ip_family} saddr #{addrs.first} "
elsif addrs.length > 1
firewall_rule << "#{ip_family} saddr {#{addrs.join(',')}} "
end
source_set = build_set_of_ips(rule_resource.source)
firewall_rule << "#{ip_family} saddr #{source_set} "
end
if rule_resource.destination
destination_set = build_set_of_ips(rule_resource.destination)
firewall_rule << "#{ip_family} daddr #{destination_set} "
end
firewall_rule << "#{ip_family} daddr #{rule_resource.destination} " if rule_resource.destination
case rule_resource.protocol
when :icmp
......
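Review bot: `build_set_of_ips` does not carry over the normalisation the replaced lines did — `source_ips.delete(IPAddr.new('0.0.0.0/0'))` and `source_ips.delete(IPAddr.new('::/128'))` are gone — so `source '0.0.0.0/0'` now renders `ip saddr 0.0.0.0/0 ` instead of omitting the match (nft may well accept that, but it is a behavioural change), and an empty array (`[]` is truthy, so it passes `if rule_resource.source`) renders `ip saddr {} `, which is not valid nft syntax and would take the whole ruleset load down with it. The recipe hunk that drops a line from `'allow world to ssh'` looks like a workaround for the first case rather than a fix; if the any-address shortcut is meant to stay supported, it belongs inside `build_set_of_ips` so the `destination` branch a few lines below gets it too. I would have the helper `return nil if addrs.empty?` and have both callers guard on the result, `if (source_set = build_set_of_ips(rule_resource.source))` and likewise for `destination_set`. The enclosing rule-building method starts and ends outside this hunk.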
......@@ -16,4 +16,4 @@ supports 'debian'
depends 'line', '< 1.0'
depends 'chef-vault'
version '1.64.1'
version '1.64.2'
......@@ -45,7 +45,6 @@ end
firewall_rule 'allow world to ssh' do
port 22
source '0.0.0.0/0'
only_if { node['sys']['firewall']['allow_ssh'] }
end
......
......@@ -68,6 +68,17 @@ firewall_rule 'block ip-range' do
command :drop
end
firewall_rule "block single destination ip" do
destination '192.168.99.99'
position 49
command :reject
end
firewall_rule 'block destination ip-range' do
destination ['192.168.99.99', '192.168.100.100']
command :drop
end
firewall_rule 'ipv6-source' do
port 80
family :ip6
......
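Review bot: The new resource name `"block single destination ip"` is double-quoted while every other resource in this hunk uses single quotes (`'block destination ip-range'`, `'ipv6-source'`); write it as `firewall_rule 'block single destination ip' do` to match. Only that rule carries `position 49`; a one-line comment saying why the single-address rule is pinned and the range rule is not would help whoever later reorders the expected_rules list.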
......@@ -30,13 +30,14 @@ expected_rules = [
/\s+tcp dport 7788 accept.*/,
/\s+ip saddr 192.168.99.99 reject.*/,
/\s+ip saddr { 192.168.99.99, 192.168.100.100 } drop.*/,
/\s+ip daddr 192.168.99.99 reject.*/,
/\s+ip daddr { 192.168.99.99, 192.168.100.100 } drop.*/,
/\s+iif "lo" accept comment "allow loopback"/,
/\s+icmp type echo-request accept.*$/,
/\s+tcp dport 22 accept.*$/,
/\s+udp dport 60000-61000 accept.*$/,
/\s+ct state established,related accept.*$/,
/\s+icmpv6 type { echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept.*$/,
/\s+tcp dport 22 accept.*$/,
/\s+tcp dport { 2200, 2222 } accept.*$/,
/\s+tcp dport 1234 drop.*$/,
/\s+tcp dport 1235 reject.*$/,
......