From ac521117b0adbce1a6bac96412b95d791fd02275 Mon Sep 17 00:00:00 2001
From: Marek Isalski
Date: Sat, 18 May 2019 09:38:36 +0100
Subject: [PATCH] taking over iptables/ip6tables and ipset

---
 bcp38.ipset.j2 | 3 +++
 bcp38.iptables.v4 | 26 ++++++++++++++++++++++++++
 bcp38.iptables.v6 | 26 ++++++++++++++++++++++++++
 hphr.sls | 30 ++++++++++++++++++++++++++++++
 postconfig.sh | 7 +++++++
 5 files changed, 92 insertions(+)
 create mode 100644 bcp38.ipset.j2
 create mode 100644 bcp38.iptables.v4
 create mode 100644 bcp38.iptables.v6
 create mode 100644 postconfig.sh

diff --git a/bcp38.ipset.j2 b/bcp38.ipset.j2
new file mode 100644
index 0000000..0adfd5e
--- /dev/null
+++ b/bcp38.ipset.j2
@@ -0,0 +1,3 @@
+create foo hash:net,iface family inet hashsize 1024 maxelem 65536
+add foo 0.0.0.0/0,eth0
+add foo 0.0.0.0/0,lo
diff --git a/bcp38.iptables.v4 b/bcp38.iptables.v4
new file mode 100644
index 0000000..e161430
--- /dev/null
+++ b/bcp38.iptables.v4
@@ -0,0 +1,26 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -j NOTRACK
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
diff --git a/bcp38.iptables.v6 b/bcp38.iptables.v6
new file mode 100644
index 0000000..e161430
--- /dev/null
+++ b/bcp38.iptables.v6
@@ -0,0 +1,26 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+COMMIT
+
+*raw
+:PREROUTING ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A PREROUTING -j NOTRACK
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
+
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+COMMIT
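Review bot: The set `foo` created on the first line is never consulted by any rule in bcp38.iptables.v4 or bcp38.iptables.v6 (neither file contains a `-m set --match-set foo` match), so loading it has no filtering effect, and its two entries `0.0.0.0/0,eth0` and `0.0.0.0/0,lo` match every source on those interfaces, which is not a BCP38 policy by itself. The name `foo` and the hard-coded `eth0` read like placeholders in a file that is rendered as a Jinja template yet contains no template expressions. A template comment at the top would tell the next maintainer what the set is meant to gate, e.g. `{# hphr.ipset: interface-scoped source-prefix set loaded by postconfig.sh; not referenced by any rule yet -- wire into the filter table or remove #}`. Note also that `ipset restore` refuses to recreate a set that already exists, so the `create` line fails on every run after the first unless the restore is invoked with `-exist`.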
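Review bot: `-A PREROUTING -j NOTRACK` in the raw table exempts every inbound packet from connection tracking, while the filter table carries no rules and every chain policy is ACCEPT, so this ruleset performs no filtering at all and the ipset loaded next to it is never referenced; the "bcp38" in the filename is not implemented by these tables. The same applies to bcp38.iptables.v6, which is byte-identical to this file (both are blob e161430) and therefore contains nothing IPv6-specific. Because the NOTRACK is unconditional, any `-m conntrack`/`-m state` rule or any entry added to the nat table later will silently never match, and that constraint belongs in a comment above the rule, e.g. `# NOTRACK for all traffic: no stateful (-m conntrack/-m state) or NAT rules can take effect in this ruleset`. Loading the file with `iptables-restore` also flushes and replaces each listed table, discarding whatever VyOS had installed, which matches the commit title but should be stated in a header comment so nobody expects the VyOS firewall config to coexist with it.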
diff --git a/hphr.sls b/hphr.sls
index 2bbe65a..f2026de 100644
--- a/hphr.sls
+++ b/hphr.sls
@@ -23,3 +23,33 @@ configure:
     - runas: minion
     - require:
       - file: /config/config.new
+
+/config/hphr.rules.v4:
+  file.managed:
+    - template: jinja
+    - source: salt://bcp38.iptables.v4
+
+/config/hphr.rules.v6:
+  file.managed:
+    - template: jinja
+    - source: salt://bcp38.iptables.v6
+
+/config/hphr.ipset:
+  file.managed:
+    - template: jinja
+    - source: salt://bcp38.ipset.j2
+
+/config/scripts/vyos-postconfig-bootup.script:
+  file.managed:
+    - template: jinja
+    - source: salt://postconfig.sh
+    - mode: 760
+    - require:
+      - file: /config/hphr.rules.v4
+      - file: /config/hphr.rules.v6
+      - file: /config/hphr.ipset
+  cmd.run:
+    - name: sudo /config/scripts/vyos-postconfig-bootup.script
+    - require:
+      - file: /config/scripts/vyos-postconfig-bootup.script
+      - cmd: configure
diff --git a/postconfig.sh b/postconfig.sh
new file mode 100644
index 0000000..9fe0f72
--- /dev/null
+++ b/postconfig.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+ipset restore < /config/hphr.ipset
+iptables-restore /config/hphr.rules.v4
+ip6tables-restore /config/hphr.rules.v6
+echo 2 > /proc/sys/net/ipv4/conf/default/rp_filter
+echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
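Review bot: The `cmd.run` under `/config/scripts/vyos-postconfig-bootup.script` only has `require` requisites, so the script is re-executed on every state apply, and on the second run its `ipset restore` fails because the set already exists while the script's own exit status (that of the final `echo`) still reports success to Salt. Adding an `onchanges` requisite on the script and the three rule files limits the rerun to applies where a rendered file actually changed, which is also when a reload is needed; the `require` on `cmd: configure` can stay for ordering. The enclosing `configure` state whose context lines open this hunk starts outside the hunk.
```yaml
# … unchanged: file.managed states for the rule files and the script …
  cmd.run:
    - name: sudo /config/scripts/vyos-postconfig-bootup.script
    - require:
      - file: /config/scripts/vyos-postconfig-bootup.script
      - cmd: configure
    - onchanges:
      - file: /config/scripts/vyos-postconfig-bootup.script
      - file: /config/hphr.rules.v4
      - file: /config/hphr.rules.v6
      - file: /config/hphr.ipset
```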
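Review bot: The script has no `set -e`, so a failing `ipset restore` (which happens on every run after the first, since the set `foo` already exists) or a rules file rejected by `iptables-restore` is ignored and the script still exits 0 via the final `echo`, leaving both the VyOS boot hook and the Salt `cmd.run` that invokes it unaware that the firewall was not loaded; `set -e` after the shebang and `ipset restore -exist < /config/hphr.ipset` fix both. The two `rp_filter` writes deserve a comment: the kernel applies the maximum of `conf/all` and `conf/<iface>`, so writing 2 to `all` forces loose mode even on interfaces an operator set to strict (1), and loose mode only rejects sources with no route at all, e.g. `# rp_filter=2 (loose) on all: max(all, iface) applies, so per-interface strict mode is overridden`. There is no IPv6 counterpart here and the kernel has no rp_filter sysctl for IPv6, so with the empty ip6tables filter table the v6 side currently has no source validation at all, which is worth stating at the top of the file.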