
swarm_ingress fwrule chain

sjohn/nft
Sean Johnson 2 years ago
parent
commit
de68bfd3e6
  1. 151
      Gemfile.lock
  2. 22
      _modules/minion_net.py
  3. 6
      app/cfdd/install.sls
  4. 3
      base/package_map.yaml
  5. 2
      base/repositories.sls
  6. 38
      fwrules/chains/mqtt_public.sls
  7. 75
      fwrules/chains/swarm_ingress.sls
  8. 6
      fwrules/init.sls
  9. 93
      kitchen.ci.yml
  10. 54
      kitchen.yml
  11. 8
      test/integration/default/fwrules.rb
  12. 31
      test/integration/swarm_ingress/fwrules.rb

151
Gemfile.lock

@ -9,14 +9,14 @@ GEM
addressable (2.7.0)
public_suffix (>= 2.0.2, < 5.0)
aws-eventstream (1.1.0)
aws-partitions (1.337.0)
aws-sdk-apigateway (1.47.0)
aws-partitions (1.356.0)
aws-sdk-apigateway (1.49.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-apigatewayv2 (1.23.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-athena (1.29.0)
aws-sdk-athena (1.30.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-autoscaling (1.22.0)
@ -25,139 +25,139 @@ GEM
aws-sdk-budgets (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudformation (1.40.0)
aws-sdk-cloudformation (1.41.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudfront (1.32.0)
aws-sdk-cloudfront (1.36.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsm (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudhsmv2 (1.25.0)
aws-sdk-cloudhsmv2 (1.27.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudtrail (1.25.0)
aws-sdk-cloudtrail (1.26.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatch (1.40.0)
aws-sdk-cloudwatch (1.42.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-cloudwatchlogs (1.33.0)
aws-sdk-cloudwatchlogs (1.34.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codecommit (1.36.0)
aws-sdk-codecommit (1.37.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codedeploy (1.33.0)
aws-sdk-codedeploy (1.34.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-codepipeline (1.33.0)
aws-sdk-codepipeline (1.34.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-configservice (1.47.0)
aws-sdk-configservice (1.49.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-core (3.102.1)
aws-sdk-core (3.104.3)
aws-eventstream (~> 1, >= 1.0.2)
aws-partitions (~> 1, >= 1.239.0)
aws-sigv4 (~> 1.1)
jmespath (~> 1.0)
aws-sdk-costandusagereportservice (1.23.0)
aws-sdk-costandusagereportservice (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-dynamodb (1.50.0)
aws-sdk-dynamodb (1.51.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ec2 (1.172.0)
aws-sdk-ec2 (1.188.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecr (1.32.0)
aws-sdk-ecr (1.35.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ecs (1.66.0)
aws-sdk-ecs (1.67.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-efs (1.31.0)
aws-sdk-efs (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-eks (1.39.0)
aws-sdk-eks (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticache (1.39.0)
aws-sdk-elasticache (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticbeanstalk (1.33.0)
aws-sdk-elasticbeanstalk (1.35.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancing (1.24.0)
aws-sdk-elasticloadbalancing (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticloadbalancingv2 (1.46.0)
aws-sdk-elasticloadbalancingv2 (1.47.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-elasticsearchservice (1.38.0)
aws-sdk-elasticsearchservice (1.39.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-firehose (1.30.0)
aws-sdk-firehose (1.32.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-iam (1.42.0)
aws-sdk-iam (1.43.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kafka (1.23.0)
aws-sdk-kafka (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kinesis (1.25.0)
aws-sdk-kinesis (1.26.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-kms (1.35.0)
aws-sdk-kms (1.36.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-lambda (1.45.0)
aws-sdk-lambda (1.48.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-organizations (1.17.0)
aws-sdk-core (~> 3, >= 3.39.0)
aws-sigv4 (~> 1.0)
aws-sdk-rds (1.89.0)
aws-sdk-rds (1.96.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-redshift (1.45.0)
aws-sdk-redshift (1.46.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53 (1.39.0)
aws-sdk-route53 (1.40.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53domains (1.24.0)
aws-sdk-route53domains (1.25.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-route53resolver (1.16.0)
aws-sdk-route53resolver (1.17.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-s3 (1.72.0)
aws-sdk-core (~> 3, >= 3.102.1)
aws-sdk-s3 (1.78.0)
aws-sdk-core (~> 3, >= 3.104.3)
aws-sdk-kms (~> 1)
aws-sigv4 (~> 1.1)
aws-sdk-securityhub (1.28.0)
aws-sdk-securityhub (1.30.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ses (1.32.0)
aws-sdk-ses (1.33.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sms (1.22.0)
aws-sdk-sms (1.24.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sns (1.26.0)
aws-sdk-sns (1.29.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-sqs (1.29.0)
aws-sdk-sqs (1.30.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sdk-ssm (1.83.0)
aws-sdk-ssm (1.86.0)
aws-sdk-core (~> 3, >= 3.99.0)
aws-sigv4 (~> 1.1)
aws-sigv4 (1.2.1)
aws-sigv4 (1.2.2)
aws-eventstream (~> 1, >= 1.0.2)
azure_graph_rbac (0.17.2)
ms_rest_azure (~> 0.12.0)
@ -167,27 +167,27 @@ GEM
ms_rest_azure (~> 0.12.0)
azure_mgmt_security (0.18.2)
ms_rest_azure (~> 0.12.0)
azure_mgmt_storage (0.21.1)
azure_mgmt_storage (0.21.2)
ms_rest_azure (~> 0.12.0)
bcrypt_pbkdf (1.0.1)
builder (3.2.4)
chef-config (16.2.50)
chef-config (16.3.45)
addressable
chef-utils (= 16.2.50)
chef-utils (= 16.3.45)
fuzzyurl
mixlib-config (>= 2.2.12, < 4.0)
mixlib-shellout (>= 2.0, < 4.0)
tomlrb (~> 1.2)
chef-telemetry (1.0.8)
chef-telemetry (1.0.14)
chef-config
concurrent-ruby (~> 1.0)
ffi-yajl (~> 2.2)
chef-utils (16.2.50)
chef-utils (16.3.45)
coderay (1.1.3)
concurrent-ruby (1.1.6)
concurrent-ruby (1.1.7)
declarative (0.0.20)
declarative-option (0.1.0)
diff-lcs (1.4.3)
diff-lcs (1.4.4)
docker-api (1.34.2)
excon (>= 0.47.0)
multi_json
@ -198,7 +198,7 @@ GEM
ed25519 (1.2.4)
equatable (0.6.1)
erubi (1.9.0)
excon (0.75.0)
excon (0.76.0)
faraday (0.17.3)
multipart-post (>= 1.2, < 3)
faraday-cookie_jar (0.0.6)
@ -235,23 +235,23 @@ GEM
http-cookie (1.0.3)
domain_name (~> 0.5)
httpclient (2.8.3)
i18n (1.8.3)
i18n (1.8.5)
concurrent-ruby (~> 1.0)
inifile (3.0.0)
inspec (4.21.1)
inspec (4.22.8)
faraday_middleware (~> 0.12.2)
inspec-core (= 4.21.1)
inspec-core (= 4.22.8)
train (~> 3.0)
train-aws (~> 0.1)
train-habitat (~> 0.1)
train-winrm (~> 0.2)
inspec-core (4.21.1)
inspec-core (4.22.8)
addressable (~> 2.4)
chef-telemetry (~> 1.0)
faraday (>= 0.9.0)
hashie (~> 3.4)
htmlentities (~> 4.3)
json_schemer (~> 0.2.1)
json_schemer (>= 0.2.1, < 0.2.12)
license-acceptance (>= 0.2.13, < 2.0)
method_source (>= 0.8, < 2.0)
mixlib-log (~> 3.0)
@ -271,7 +271,7 @@ GEM
tty-prompt (~> 0.17)
tty-table (~> 0.10)
jmespath (1.4.0)
json (2.3.0)
json (2.3.1)
json_schemer (0.2.11)
ecma-re-validator (~> 0.2)
hana (~> 1.3)
@ -287,7 +287,7 @@ GEM
kitchen-salt (0.6.3)
hashie (>= 3.5)
test-kitchen (>= 1.4)
kitchen-vagrant (1.6.1)
kitchen-vagrant (1.7.0)
test-kitchen (>= 1.4, < 3)
libyajl2 (1.2.0)
license-acceptance (1.0.19)
@ -296,21 +296,22 @@ GEM
tty-box (~> 0.3)
tty-prompt (~> 0.18)
little-plugger (1.1.4)
logging (2.2.2)
logging (2.3.0)
little-plugger (~> 1.1)
multi_json (~> 1.10)
multi_json (~> 1.14)
memoist (0.16.2)
method_source (1.0.0)
mini_mime (1.0.2)
minitest (5.14.1)
mixlib-config (3.0.6)
mixlib-config (3.0.9)
tomlrb
mixlib-install (3.12.1)
mixlib-install (3.12.3)
mixlib-shellout
mixlib-versioning
thor
mixlib-log (3.0.8)
mixlib-shellout (3.0.9)
mixlib-shellout (3.1.4)
chef-utils
mixlib-versioning (1.2.12)
ms_rest (0.7.6)
concurrent-ruby (~> 1.0)
@ -321,7 +322,7 @@ GEM
faraday (>= 0.9, < 2.0.0)
faraday-cookie_jar (~> 0.0.6)
ms_rest (~> 0.7.6)
multi_json (1.14.1)
multi_json (1.15.0)
multipart-post (2.1.1)
necromancer (0.5.1)
net-scp (3.0.0)
@ -330,7 +331,7 @@ GEM
net-ssh-gateway (2.0.0)
net-ssh (>= 4.0.0)
nori (2.6.0)
os (1.1.0)
os (1.1.1)
parallel (1.19.2)
parslet (1.8.2)
pastel (0.7.4)
@ -379,10 +380,10 @@ GEM
sync (0.5.0)
term-ansicolor (1.7.1)
tins (~> 1.0)
test-kitchen (2.5.2)
test-kitchen (2.6.0)
bcrypt_pbkdf (~> 1.0)
ed25519 (~> 1.2)
license-acceptance (~> 1.0, >= 1.0.11)
license-acceptance (>= 1.0.11, < 3.0)
mixlib-install (~> 3.6)
mixlib-shellout (>= 1.2, < 4.0)
net-scp (>= 1.1, < 4.0)
@ -398,7 +399,7 @@ GEM
tins (1.25.0)
sync
tomlrb (1.2.9)
train (3.3.4)
train (3.3.13)
activesupport (>= 5.2.4.3, < 6.0.0)
azure_graph_rbac (~> 0.16)
azure_mgmt_key_vault (~> 0.17)
@ -409,7 +410,7 @@ GEM
google-api-client (>= 0.23.9, < 0.35.0)
googleauth (>= 0.6.6, < 0.11.0)
inifile (~> 3.0)
train-core (= 3.3.4)
train-core (= 3.3.13)
train-winrm (~> 0.2)
train-aws (0.1.17)
aws-sdk-apigateway (~> 1.0)
@ -460,7 +461,7 @@ GEM
aws-sdk-sns (~> 1.9)
aws-sdk-sqs (~> 1.10)
aws-sdk-ssm (~> 1.0)
train-core (3.3.4)
train-core (3.3.13)
addressable (~> 2.5)
ffi (!= 1.13.0)
json (>= 1.8, < 3.0)
@ -475,7 +476,7 @@ GEM
pastel (~> 0.7.2)
strings (~> 0.1.6)
tty-cursor (~> 0.7)
tty-color (0.5.1)
tty-color (0.5.2)
tty-cursor (0.7.1)
tty-prompt (0.21.0)
necromancer (~> 0.5.0)
@ -485,7 +486,7 @@ GEM
tty-cursor (~> 0.7)
tty-screen (~> 0.7)
wisper (~> 2.0.0)
tty-screen (0.8.0)
tty-screen (0.8.1)
tty-table (0.11.0)
equatable (~> 0.6)
necromancer (~> 0.5)

22
_modules/minion_net.py

@ -1,10 +1,15 @@
#!python
# -*- coding: utf-8 -*-
import logging
import socket
from copy import copy
from salt.utils.network import calc_net, ipaddr
from salt.utils.network import (
calc_net, ipaddr, is_ip, is_subnet,
)
log = logging.getLogger(__name__)
def first_public_address():
@ -151,4 +156,17 @@ def flatten_hostnames(names):
v4.extend(_v4)
v6.extend(_v6)
return v4, v6
return v4, v6
def split_ips_ipsets(sources):
ips, ipsets = [], []
for source in sources:
if is_ip(source) or is_subnet(source):
ips.append(source)
elif source.startswith("set:"):
ipsets.append(source[4:])
else:
log.warning("unknown source item {}".format(source))
return ips, ipsets
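Review bot: `split_ips_ipsets` only logs a warning for a source it does not recognise and then drops it, so a typo in a pillar entry (a misspelled `set:` prefix, a malformed CIDR) silently removes the corresponding ACCEPT rule at render time while the state run still reports success; for the DOCKER-USER chain in this commit, which ends in DROP, that means a missing rule rather than an extra one, but it should still fail loudly. Raising instead is a one-line change: `raise ValueError("unknown source item {}".format(source))`. The `set:` branch also accepts an empty name (`source[4:]` of `"set:"` is `""`), which is worth rejecting in the same place. Nothing here checks that an address's family matches the `ipv4`/`ipv6` key the caller filed it under; that is left to iptables to reject at apply time, and deserves a docstring note such as `"""Split firewall sources into literal IPs/subnets and 'set:<name>' ipset references; family is not validated here."""`. The function above it, `flatten_hostnames`, starts outside the hunk.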

6
app/cfdd/install.sls

@ -22,9 +22,9 @@ write systemd cfdd@.service:
reload systemd units:
module.run:
- name: service.systemctl_reload
- onchanges:
- file: write systemd cfdd@.service
- service.systemctl_reload: []
- onchanges:
- file: write systemd cfdd@.service
systemd drop-in cfdd@.service.d:
file.directory:

3
base/package_map.yaml

@ -24,6 +24,9 @@ Debian:
iptables-persistent:
name: iptables-persistent
latest: true
then: "rm -f /etc/iptables/rules.v4 /etc/iptables/rules.v6"
triggers:
reload: true
ipset:
name: ipset
latest: true
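Review bot: The new `then: "rm -f /etc/iptables/rules.v4 /etc/iptables/rules.v6"` hook sits on a package that is also `latest: true`, so if `then` runs on every install or upgrade as its name suggests, each iptables-persistent upgrade deletes the persisted ruleset and leaves nothing for netfilter-persistent to load at the next boot until the save states in fwrules/init.sls run again. Those save states are guarded by `unless: test -e /etc/iptables/rules.v4`, so this deletion appears to be what forces them to re-run; if the highstate is interrupted between the package step and the save, the host reboots with no rules under the pillar's `INPUT: ACCEPT` policy. Consider dropping the deletion and saving unconditionally at the end of the fwrules run instead, or at least record the coupling here: `# removed so the fwrules save states (guarded by 'unless: test -e') regenerate them`. The meaning of `then` and `triggers: reload` is defined by whatever state consumes this map, which is not in this commit.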

2
base/repositories.sls

@ -27,4 +27,4 @@ logdna:
refresh package database:
module.run:
- name: pkg.refresh_db
- pkg.refresh_db: []

38
fwrules/chains/mqtt_public.sls

@ -1,38 +0,0 @@
---
{% set chain = "mqtt_public" %}
{% set families = [
("ipv4", ["0.0.0.0/0"]),
("ipv6", ["::/0"]),
] %}
{% set ports = [
("mqtts-tcp", 4883, "tcp"),
("mqtts-ws", 4884, "tcp"),
] %}
{% for family, addresses in families %}
{{ chain }} {{ family }} chain:
iptables.chain_present:
- name: {{ chain }}
- family: {{ family }}
{{ chain }} {{ family }} input:
iptables.append:
- table: filter
- family: {{ family }}
- chain: INPUT
- jump: {{ chain }}
{% for protocol, port, transport in ports %}
{{ chain }} {{ family }} {{ protocol }} {{ transport }}:
iptables.append:
- table: filter
- family: {{ family }}
- chain: {{ chain }}
- source: {{ addresses | join(",") }}
- protocol: {{ transport }}
- match: {{ transport }}
- dport: {{ port }}
- jump: ACCEPT
{% endfor %}
{% endfor %}

75
fwrules/chains/swarm_ingress.sls

@ -0,0 +1,75 @@
---
include:
- fwrules.ipsets.management
- fwrules.ipsets.minions
{% set chain_name = "DOCKER-USER" %}
{# [ (service, port, transport, sources), ... ] #}
{% set ports = [
("mqtt-tcp", 1883, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("mqtt-ws", 1884, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("mqtts-tcp", 4883, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("mqtts-ws", 4884, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("portainer-agent", 9001, "tcp", {"ipv4": ["set:minions"], "ipv6": ["set:minions"]}),
("icecast-direct", 9090, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-http", 8080, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("unifi-https", 8443, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-portal-http", 8880, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-portal-https", 8843, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-speed", 6789, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-stun", 3478, "udp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
] %}
{% for family in ["ipv4", "ipv6"] %}
{{ chain_name }} {{ family }}:
iptables.chain_present:
- name: {{ chain_name }}
- family: {{ family }}
{% for service, port, transport, sources in ports %}
{% set addresses, ipsets = salt["minion_net.split_ips_ipsets"](sources.get(family, [])) %}
{% for ipset in ipsets %}
{% set set_name = "{}-{}".format(ipset, family) %}
{{ chain_name }} {{ family }} {{ transport }} {{ service }} {{ ipset }}:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- protocol: {{ transport }}
- match: {{ ["set", transport] | tojson }}
- set: {{ set_name }} src
- dport: {{ port }}
- jump: ACCEPT
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
{% if addresses %}
{{ chain_name }} {{ family }} {{ transport }} {{ service }} addresses:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- protocol: {{ transport }}
- match: {{ transport }}
- source: {{ addresses | join(",") }}
- dport: {{ port }}
- jump: ACCEPT
- require:
- iptables: {{ chain_name }} {{ family }}
{% endif %}
{% endfor %}
{{ chain_name }} {{ family }} default deny:
iptables.append:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
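Review bot: The unconditional `- jump: DROP` appended to DOCKER-USER at the end of the family loop has no `RELATED,ESTABLISHED` accept in front of it and no ingress-interface qualifier, so once Docker's `FORWARD -j DOCKER-USER` jump is in place every forwarded packet that is not a new connection to one of the listed ports — including replies from the published services and any container-initiated egress — would be dropped. The `conntrack: true` pillar default only appears on INPUT in the existing tests, so it does not cover this chain, and the new InSpec suite checks rule presence only, not order or reachability. A second caveat: when the Docker daemon creates DOCKER-USER before this state runs it typically seeds the chain with a `-j RETURN` rule, which would make an appended DROP unreachable, so the state should manage the chain's tail rather than just append to it. Separately, `unifi-http` 8080 is open to `0.0.0.0/0` while every other UniFi port is limited to `set:management`; if that is deliberate, a comment on that row (`# intentionally public — confirm`) would stop the next reviewer from "fixing" it. At minimum insert a conntrack accept ahead of the port rules and restrict the DROP to the external interface (interface name to be confirmed on the hosts), for example:
```yaml
{# … unchanged: chain_present and per-service ACCEPT rules … #}
{{ chain_name }} {{ family }} established:
  iptables.insert:
    - position: 1
    - table: filter
    - family: {{ family }}
    - chain: {{ chain_name }}
    - match: conntrack
    - ctstate: RELATED,ESTABLISHED
    - jump: ACCEPT
    - require:
      - iptables: {{ chain_name }} {{ family }}
{# … unchanged: default deny, to be qualified with in-interface … #}
```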

6
fwrules/init.sls

@ -174,14 +174,14 @@ v6 log dropped:
- require:
- pkg: iptables
enable netfilter-persistent:
netfilter-persistent:
service.running:
- name: netfilter-persistent
- enable: true
- require:
- pkg: iptables-persistent
save iptables ipv4 rules:
save iptables v4 rules:
module.run:
- iptables.save:
- family: ipv4
@ -190,7 +190,7 @@ save iptables ipv4 rules:
- unless:
- test -e /etc/iptables/rules.v4
save iptables ipv6 rules:
save iptables v6 rules:
module.run:
- iptables.save:
- family: ipv6
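Review bot: The renamed `save iptables v4 rules` / `save iptables v6 rules` states are still guarded by `unless: test -e /etc/iptables/rules.v4` (visible for v4 at the end of the first hunk; v6 presumably matches), so once a rules file exists, later changes to the rendered chains — such as the new swarm_ingress chain — are never persisted and a reboot restores the previous ruleset. The only thing that currently forces a re-save is the `rm -f` hook added to iptables-persistent in base/package_map.yaml, which ties the correctness of the persisted firewall to a package upgrade happening to run. Consider dropping the `unless` and saving unconditionally, or using `- onchanges:` against the chain states, so the saved file tracks the live rules; at least note the intent: `# only saved on first run; later changes are persisted when the rules file is removed (see package_map.yaml)`. The netfilter-persistent service state's full body and the v6 save state's tail fall outside these hunks.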

93
kitchen.ci.yml

@ -1,93 +0,0 @@
---
driver:
name: docker
transport:
name: docker
driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
cap_add:
- CAP_SYS_ADMIN
verifier:
name: inspec
sudo: true
reporter:
- cli
platforms:
- name: debian-9
driver_config:
image: debian:9
provision_command:
- apt-get install -y python3-pip git
- pip3 install pytoml
provisioner:
name: salt_solo
require_chef: false
state_collection: .
is_file_root: true
# Salt-solo installation options
salt_install: bootstrap
salt_version: latest
salt_bootstrap_options: "-x python3"
salt_copy_filter:
- .git
- .kitchen
dependencies:
- name: openssh
repo: git
source: https://github.com/saltstack-formulas/openssh-formula.git
# Provision with states
state_top:
base:
'*':
- base.files
- base.repositories
- base.packages
- base.python
- base.sshd
- base.unattended_upgrades
- fwrules
pillars:
top.sls:
base:
'*':
- firewall
firewall.sls:
firewall:
chains:
- elasticsearch_exporter_private
- http_public
- management
- mqtt_public
- node_exporter_private
defaults:
conntrack: false
policies:
INPUT: ACCEPT
FORWARD: DROP
OUTPUT: ACCEPT
management:
ipv4:
- "107.155.67.64/29"
ipv6:
- "2604:880:396::/48"
resolve_names:
- "adephagia.synology.me":
widen_ipv6: 64
suites:
- name: default
provisioner:
pillars: {}

54
kitchen.yml

@ -1,18 +1,32 @@
---
driver:
name: vagrant
name: docker
transport:
name: docker
driver_config:
use_sudo: false
privileged: true
provision_command: mkdir -p /run/sshd
run_command: /lib/systemd/systemd
cap_add:
- CAP_SYS_ADMIN
verifier:
name: inspec
sudo: true
reporter:
- cli
- cli
platforms:
- name: debian-9
driver:
box: generic/debian9
driver_config:
image: debian:9
provision_command:
- apt-get install -y python3-pip git
- pip3 install pytoml
provisioner:
name: salt_solo
@ -23,10 +37,16 @@ provisioner:
# Salt-solo installation options
salt_install: bootstrap
salt_version: latest
salt_bootstrap_options: "-x python3"
salt_copy_filter:
- .git
- .kitchen
# Salt minion opts
salt_minion_extra_config:
use_superseded:
- module.run
dependencies:
- name: openssh
repo: git
@ -55,10 +75,9 @@ provisioner:
- elasticsearch_exporter_private
- http_public
- management
- mqtt_public
- node_exporter_private
defaults:
conntrack: false
conntrack: true
policies:
INPUT: ACCEPT
FORWARD: DROP
@ -75,4 +94,25 @@ provisioner:
suites:
- name: default
provisioner:
pillars: {}
pillars: {}
- name: swarm_ingress
provisioner:
pillars:
firewall.sls:
firewall:
chains:
- swarm_ingress
defaults:
conntrack: true
policies:
INPUT: ACCEPT
FORWARD: DROP
OUTPUT: ACCEPT
management:
ipv4:
- "107.155.67.64/29"
ipv6:
- "2604:880:396::/48"
resolve_names:
- "adephagia.synology.me":
widen_ipv6: 64
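Review bot: `salt_minion_extra_config: use_superseded: [module.run]` is set only for the test guest, but the new-style `module.run` bodies introduced in app/cfdd/install.sls and base/repositories.sls (e.g. `- service.systemctl_reload: []`) depend on that minion option on Salt releases where the legacy syntax is still the default, so production minions without the same setting will fail those states. Pin the expectation next to the option, e.g. `# required by new-style module.run in app/cfdd and base/repositories; production minion config must set the same`, or have this formula manage the option if that is in its scope. Note also that the guest appears to run without a Docker daemon, so DOCKER-USER is created by Salt in the swarm_ingress suite and the tests cannot observe how the chain behaves when Docker has already created it.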

8
test/integration/default/fwrules.rb

@ -2,15 +2,11 @@ describe iptables do
it { should have_rule("-P INPUT ACCEPT") }
it { should have_rule("-P FORWARD DROP") }
it { should have_rule("-P OUTPUT ACCEPT") }
it { should have_rule("-N mqtt_public") }
it { should have_rule("-N http_public") }
it { should have_rule("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") }
it { should have_rule("-A INPUT -s 127.0.0.0/8 -j ACCEPT") }
it { should have_rule("-A INPUT -m set --match-set management-ipv4 src -j ACCEPT") }
it { should have_rule("-A INPUT -j mqtt_public") }
it { should have_rule("-A INPUT -j http_public") }
it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4883 -j ACCEPT") }
it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4884 -j ACCEPT") }
it { should have_rule("-A http_public -p tcp -m tcp --dport 80 -j ACCEPT") }
it { should have_rule("-A http_public -p tcp -m tcp --dport 443 -j ACCEPT") }
end
@ -19,7 +15,6 @@ describe ip6tables do
it { should have_rule("-P INPUT ACCEPT") }
it { should have_rule("-P FORWARD DROP") }
it { should have_rule("-P OUTPUT ACCEPT") }
it { should have_rule("-N mqtt_public") }
it { should have_rule("-N http_public") }
it { should have_rule("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT") }
it { should have_rule("-A INPUT -s ::1/128 -j ACCEPT") }
@ -28,10 +23,7 @@ describe ip6tables do
it { should have_rule("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT") }
it { should have_rule("-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT") }
it { should have_rule("-A INPUT -m set --match-set management-ipv6 src -j ACCEPT") }
it { should have_rule("-A INPUT -j mqtt_public") }
it { should have_rule("-A INPUT -j http_public") }
it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4883 -j ACCEPT") }
it { should have_rule("-A mqtt_public -p tcp -m tcp --dport 4884 -j ACCEPT") }
it { should have_rule("-A http_public -p tcp -m tcp --dport 80 -j ACCEPT") }
it { should have_rule("-A http_public -p tcp -m tcp --dport 443 -j ACCEPT") }
end

31
test/integration/swarm_ingress/fwrules.rb

@ -0,0 +1,31 @@
describe iptables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv4 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv4 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -j DROP" }
end
describe ip6tables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv6 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv6 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -j DROP" }
end
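Review bot: Every expectation here is a `have_rule` presence check, so the suite passes regardless of rule order within DOCKER-USER — it would still be green if `-A DOCKER-USER -j DROP` came before the ACCEPT rules, or if a Docker-seeded `-j RETURN` preceded it and made it dead. Since the security property of the chain is "ACCEPT rules, then DROP last", assert the tail explicitly, for instance `describe iptables(chain: 'DOCKER-USER') do` / `its('retrieve_rules.last') { should eq '-A DOCKER-USER -j DROP' }` / `end` (check the `chain:` parameter against the pinned InSpec version). A negative check such as `it { should_not have_rule '-A DOCKER-USER -j RETURN' }` would cover the other failure mode. The same applies to the ip6tables block.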