Commit a87b8df6 authored by Walter Heck's avatar Walter Heck Committed by GitHub

Merge pull request #21 from choonming/feature/firewall

Adding firewall rules for opstheater services
parents 055ac681 4183c089
......@@ -15,6 +15,40 @@
# Default value (for production): 'https'
'opstheater::http_mode': 'https'
#########################
## Firewall settings
########################
# Enable firewall rules
# Default value: false
'opstheater::manage_firewall': true
# Purge unmanaged firewall rules
# Default value: true
'opstheater::purge_firewalls': true
# Purge unmanaged firewall chains
# Default value: true
'opstheater::purge_firewallchains': true
# IPs to be whitelisted in the opstheater chain in an array.
# Append all the new IPs in this array. Do not remove existing ones
# Default value: [ ]
'opstheater::ip_whitelist':
- "%{hiera('opstheater::icinga::ipaddress')}"
- "%{hiera('opstheater::mysql::ipaddress')}"
- "%{hiera('opstheater::elasticsearch::ipaddress')}"
- "%{hiera('opstheater::gitlab::ipaddress')}"
- "%{hiera('opstheater::foreman::ipaddress')}"
- "%{hiera('opstheater::mattermost::ipaddress')}"
- "%{hiera('opstheater::kibana::ipaddress')}"
- "%{hiera('opstheater::puppet::ipaddress')}"
# IP address for VPN or internal network to access opstheater dashboards
# Default value: 0.0.0.0
'opstheater::vpn_ip': '0.0.0.0'
# SMTP Settings
# FQDN of SMTP server (eg: smtp.gmail.com)
'opstheater::smtp::fqdn': 'localhost'
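Review bot: The `'0.0.0.0'` fallback on `opstheater::vpn_ip` is a poor default for a value that every dashboard and SSH `source =>` rule in this change keys on: puppetlabs-firewall appears to render a bare address as a /32 host match, so left untouched it admits no real client and locks operators out, while an operator who "fixes" it to `0.0.0.0/0` opens every dashboard port to the Internet. The key comment should say that a CIDR is expected and that it must be set before `manage_firewall` is turned on, e.g. `# CIDR of the VPN/internal network allowed to reach dashboards and SSH; REQUIRED when manage_firewall is true (0.0.0.0 matches nothing)`. It is also worth a line next to `ip_whitelist` warning that a missing `*::ipaddress` key interpolates to an empty string, which the firewall profile then passes through as a rule `source`.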
......@@ -39,6 +73,8 @@
##########################
'opstheater::foreman::fqdn': "master.%{hiera('opstheater::domain')}"
'opstheater::foreman::url': "%{hiera('opstheater::http_mode')}://%{hiera('opstheater::foreman::fqdn')}"
'opstheater::foreman::ipaddress': "%{hiera('opstheater::puppet::ipaddress')}"
'opstheater::puppet::ipaddress': '10.20.1.10'
##########################
......
......@@ -11,8 +11,13 @@ class opstheater::profile::base {
}
# configure ssh
include ::ssh::client
include ::ssh::server
include opstheater::profile::ssh
# manage iptables rules
$manage_firewall = hiera('opstheater::manage_firewall', undef)
if $manage_firewall {
include opstheater::profile::firewall
}
# configure filebeat
include opstheater::profile::base::filebeat
......
......@@ -16,5 +16,21 @@ class opstheater::profile::elasticsearch{
} else {
fail("No elasticsearch instances found in hiera for class opstheater::profile::elasticsearch on ${::fqdn}.")
}
@firewall { '200 allow elasticsearch 9200 access':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '9200',
tag => 'opstheater',
}
@firewall { '200 allow elasticsearch 9300 access':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '9300',
tag => 'opstheater',
}
}
class opstheater::profile::firewall {
$purge_firewalls = hiera('opstheater::purge_firewalls', true)
$purge_firewallchains = hiera('opstheater::purge_firewallchains', true)
$ip_whitelist = hiera('opstheater::ip_whitelist', undef)
include ::firewall
include ::opstheater::profile::firewall::pre
include ::opstheater::profile::firewall::post
resources { 'firewall':
purge => $purge_firewalls,
}
resources { 'firewallchain':
purge => $purge_firewallchains,
}
firewallchain { 'OPSTHEATER:filter:IPv4':
ensure => present,
purge => true,
}
$ip_list = unique($ip_whitelist)
$ip_list.each | String $ip | {
firewall { "100 accept connections for ${ip}":
chain => 'OPSTHEATER',
action => 'accept'
proto => 'all',
source => $ip,
}
}
Firewall <| tag == 'opstheater' |>
Firewall {
before => Class['opstheater::profile::firewall::pre']
require => Class['opstheater::profile::firewall::post']
}
}
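Review bot: The `Firewall` resource defaults at the bottom of the class invert the puppetlabs-firewall pre/post pattern: with `require => Class['...post']` every accept rule is applied only after the `999 drop all` rule exists, so on a first run (or a run that fails midway) the host sits with only a drop rule in INPUT, and the `before => undef`/`require => undef` overrides in the pre and post classes can then leave a rule depending on its own class. The intended lines are `before => Class['opstheater::profile::firewall::post'],` and `require => Class['opstheater::profile::firewall::pre'],`. Two commas are also missing, after `action => 'accept'` in the whitelist loop and after the `before =>` line, so the manifest does not parse as written. Finally, `hiera('opstheater::ip_whitelist', undef)` goes straight into `unique()`, which fails when the key is absent; `hiera('opstheater::ip_whitelist', [])` is the safer default.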
class opstheater::profile::firewall::post {
firewall { '999 drop all':
proto => 'all',
action => 'drop',
before => undef,
}
}
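Review bot: The `999 drop all` rule discards everything silently, which leaves nothing for detection or for debugging a whitelist mistake, and because no `chain` is given it only covers INPUT while FORWARD keeps whatever policy the host already had. A rate-limited LOG rule just ahead of the drop, plus an explicit `chain`, is cheap and makes lockouts diagnosable from the kernel log.
```puppet
firewall { '998 log dropped input':
  chain      => 'INPUT',
  proto      => 'all',
  jump       => 'LOG',
  log_prefix => 'iptables-dropped: ',
  log_level  => '4',
  limit      => '5/min',
  before     => undef,
}
firewall { '999 drop all':
  chain  => 'INPUT',
  proto  => 'all',
  action => 'drop',
  before => undef,
}
```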
class opstheater::profile::firewall::pre {
Firewall {
require => undef,
}
# Default firewall rules
firewall { '000 accept all icmp':
proto => 'icmp',
action => 'accept',
}->
firewall { '001 accept all to lo interface':
proto => 'all',
iniface => 'lo',
action => 'accept',
}->
firewall { '002 reject local traffic not on loopback interface':
iniface => '! lo',
proto => 'all',
destination => '127.0.0.1/8',
action => 'reject',
}->
firewall { '003 accept related established rules':
proto => 'all',
state => ['RELATED', 'ESTABLISHED'],
action => 'accept',
}
}
......@@ -81,4 +81,23 @@ class opstheater::profile::foremanproxy {
proxy => 'http://localhost:3000/',
}
}
@firewall { '203 allow HTTP access to foreman':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
@firewall { '204 allow HTTPS access to foreman':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
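Review bot: Both foreman rules accept directly in INPUT keyed only on `hiera('opstheater::vpn_ip', '0.0.0.0')`, so the exposure of ports 80 and 443 is decided entirely by that one hiera value, whose fallback is a bare `0.0.0.0` that puppetlabs-firewall most likely renders as a /32 rather than "any". A CIDR fallback that matches the intended audience, or no fallback at all so a missing key fails compilation (`source => hiera('opstheater::vpn_ip'),`), would be safer than a silent host match. With `http_mode` set to https the port-80 rule presumably only serves a redirect; a comment saying so would stop someone widening it later. The enclosing class begins outside this hunk.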
......@@ -180,4 +180,22 @@ class opstheater::profile::gitlab {
include opstheater::profile::filebeat::gitlab
include opstheater::profile::filebeat::mattermost
@firewall { '205 allow HTTP access to gitlab':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0')
tag => 'opstheater',
}
@firewall { '206 allow HTTPS access to gitlab':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0')
tag => 'opstheater',
}
}
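Review bot: The HTTPS rule at `206` uses `jump => 'OPSTHEATER'` together with a `source => hiera('opstheater::vpn_ip', ...)`, which means port 443 is reachable only from a client that is both inside `vpn_ip` and in the whitelist chain, whereas the HTTP rule at `205` accepts from `vpn_ip` directly; a VPN range that is not in `ip_whitelist` would therefore get HTTP but have HTTPS dropped. The two should match, presumably `action => 'accept',` on the HTTPS rule as in the foreman and icinga-web profiles. Both rules are also missing the comma after the `source =>` line, so this class does not parse as written.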
......@@ -47,4 +47,13 @@ class opstheater::profile::grafana {
},
}
@firewall { '207 allow HTTP access to grafana':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '3000',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
......@@ -38,4 +38,12 @@ class opstheater::profile::icinga::client {
Icinga2::Object::Zone <<| |>>
@firewall { '201 allow access to icinga client':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '5665',
tag => 'opstheater',
}
}
......@@ -42,4 +42,12 @@ class opstheater::profile::icinga::server {
Icinga2::Object::Service <<| |>>
Icinga2::Object::Zone <<| |>>
@firewall { '201 allow access to icinga master':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '5665',
tag => 'opstheater',
}
}
......@@ -183,4 +183,22 @@ class opstheater::profile::icinga::web {
value => '"UTC"',
}
@firewall { '202 allow HTTP access to icinga web':
chain => 'INPUT',
action => 'accept',
proto => 'http',
dport => '80',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
@firewall { '203 allow HTTPS access to icinga web':
chain => 'INPUT',
action => 'accept',
proto => 'http',
dport => '443',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
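Review bot: `proto => 'http'` on both icinga-web rules is not a valid protocol for the firewall type (it expects `tcp`, `udp`, `icmp`, `all`, etc.), so these resources will fail validation and the whole catalog with them once the firewall profile is enabled; both should read `proto => 'tcp',`. Since the source restriction is the only thing keeping port 80/443 off the Internet here, the rules are worth a one-line comment stating that `opstheater::vpn_ip` must be a CIDR, not the `0.0.0.0` hiera fallback.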
......@@ -9,4 +9,12 @@ class opstheater::profile::kibana {
include opstheater::profile::filebeat::kibana
@firewall { '208 allow HTTP access to kibana':
chain => 'INPUT',
action => 'accept',
proto => 'tcp',
dport => '5601',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
......@@ -43,4 +43,11 @@ class opstheater::profile::logstash {
create_resources('logstash::plugin', $plugins)
}
@firewall { '209 allow access to logstash':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => hiera('opstheater::profile::logstash::input_beats_port'),
}
}
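Review bot: The logstash rule is the only virtual `@firewall` in this change without `tag => 'opstheater'`, and the firewall profile realizes rules with `Firewall <| tag == 'opstheater' |>`, so this resource is never collected; with rule purging enabled, the beats input port ends up blocked and every node's filebeat shipping stops. Add `tag => 'opstheater',` after the `dport` line. A trailing comma after the `dport => hiera(...)` line is also needed for consistency with the other profiles once the tag is appended.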
......@@ -30,5 +30,13 @@ class opstheater::profile::mysql {
include opstheater::profile::filebeat::mysql
@firewall { '210 allow access to mysql':
chain => 'INPUT',
jump => 'OPSTHEATER',
proto => 'tcp',
dport => '3306',
tag => 'opstheater',
}
}
class opstheater::profile::ssh {
include ::ssh::server
include ::ssh::client
@@firewall { '010 allow SSH access':
chain => 'INPUT',
action => 'allow',
proto => 'tcp',
dport => '22',
source => hiera('opstheater::vpn_ip', '0.0.0.0'),
tag => 'opstheater',
}
}
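Review bot: `action => 'allow'` is not a value the firewall type accepts (it takes `accept`, `reject` or `drop`), so the SSH rule fails validation, and it is declared as an exported resource (`@@firewall`) while the profile collects with a plain virtual collector `Firewall <| tag == 'opstheater' |>`; an exported resource also needs storeconfigs/PuppetDB on the master, which nothing in this change requires. It should be `@firewall { '010 allow SSH access':` with `action => 'accept',`. This is also the rule most likely to lock operators out, since its `source` falls back to a bare `0.0.0.0` when `opstheater::vpn_ip` is unset; consider requiring the key (`hiera('opstheater::vpn_ip')`) so a missing value fails compilation instead of cutting off SSH.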