Puppet Class: base_firewall::post_ipv4

Defined in:
manifests/post_ipv4.pp

Overview

Class: base_firewall::post_ipv4

Defines a set of base firewall rules that are applied after any other rules.

Parameters

See base_firewall for a definition of the parameters.

Authors

Andrew Kroh

Parameters:

  • chain_policy (Any)


# File 'manifests/post_ipv4.pp', line 14

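class base_firewall::post_ipv4 (
  $chain_policy,
) {

  # Break dependency cycle and set default provider
  # for rules defined in this scope.  (The default applies to Firewall
  # resources only; the Exec resources below set their own provider.)
  Firewall {
    before   => undef,
    provider => 'iptables',
  }

# ------------------------------------------------------

  # Final catch-all rules.  The '999' prefix sorts them after every other
  # rule, so anything not matched earlier is handed to the DROP_INPUT /
  # DROP_OUTPUT / DROP_FORWARD chains (expected to be declared elsewhere in
  # base_firewall).  The chaining arrows pin the three rules to a fixed order.
  firewall { '999 drop all incoming':
    proto => 'all',
    jump  => 'DROP_INPUT',
    chain => 'INPUT',
  }->

  firewall { '999 drop all outgoing':
    proto => 'all',
    jump  => 'DROP_OUTPUT',
    chain => 'OUTPUT',
  }->

  firewall { '999 drop all forwarding':
    proto => 'all',
    jump  => 'DROP_FORWARD',
    chain => 'FORWARD',
  }

# ------------------------------------------------------

  # Setting the built-in chain policy to DROP is the safety net that still
  # holds if the rule set is ever flushed.  Each exec requires its 999 rule
  # so the policy is never flipped while no explicit drop rule is in place.
  #
  # The iptables_*_policy facts reflect the state at the start of the run.
  # 'unless' re-checks the live chain (`iptables -S <CHAIN>` prints the policy
  # as '-P <CHAIN> <TARGET>'), so the exec stays idempotent and reports no
  # change when a fact is absent or stale (e.g. first run on a host, or the
  # module's facts not yet synced).  The pipe requires the shell provider.
  # Nothing here resets the policy to ACCEPT when $chain_policy is not 'drop';
  # that is deliberate and matches the original behaviour.
  $drop_requested = $chain_policy == 'drop'

  if $drop_requested and $::iptables_input_policy != 'drop' {
    exec { 'IPv4 INPUT policy is DROP':
      command  => 'iptables -P INPUT DROP',
      unless   => 'iptables -S INPUT | grep -q "^-P INPUT DROP"',
      provider => 'shell',
      user     => 'root',
      path     => $::path,
      require  => Firewall['999 drop all incoming'],
    }
  }

  if $drop_requested and $::iptables_output_policy != 'drop' {
    exec { 'IPv4 OUTPUT policy is DROP':
      command  => 'iptables -P OUTPUT DROP',
      unless   => 'iptables -S OUTPUT | grep -q "^-P OUTPUT DROP"',
      provider => 'shell',
      user     => 'root',
      path     => $::path,
      require  => Firewall['999 drop all outgoing'],
    }
  }

  if $drop_requested and $::iptables_forward_policy != 'drop' {
    exec { 'IPv4 FORWARD policy is DROP':
      command  => 'iptables -P FORWARD DROP',
      unless   => 'iptables -S FORWARD | grep -q "^-P FORWARD DROP"',
      provider => 'shell',
      user     => 'root',
      path     => $::path,
      require  => Firewall['999 drop all forwarding'],
    }
  }

}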