iptables

yesezra · Mar 28, 2011 · e271887 · e271887
1 parent a97be30
commit e271887
Show file tree

Hide file tree

Showing 5 changed files with 72 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ Continuous Sprinkles is a [Sprinkle](https://github.com/crafterm/sprinkle) recip
 * Postgres
 * Redis
 * Ruby
+* IPtables rules
 
 Usage
 -----

diff --git a/assets/iptables b/assets/iptables
@@ -0,0 +1,41 @@
+*filter
+
+
+#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
+-A INPUT -i lo -j ACCEPT
+-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
+
+
+#  Accepts all established inbound connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+
+#  Allows all outbound traffic
+#  You can modify this to only allow certain traffic
+-A OUTPUT -j ACCEPT
+
+
+# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
+-A INPUT -p tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp --dport 443 -j ACCEPT
+
+
+#  Allows SSH connections
+#
+-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
+
+
+# Allow ping
+-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
+
+
+# log iptables denied calls
+-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
+
+
+# Reject all other inbound - default deny unless explicitly allowed policy
+-A INPUT -j REJECT
+-A FORWARD -j REJECT
+
+COMMIT
+
diff --git a/assets/iptables_ifup b/assets/iptables_ifup
@@ -0,0 +1,2 @@
+#!/bin/sh
+/sbin/iptables-restore < /etc/iptables.up.rules
diff --git a/main.rb b/main.rb
@@ -5,6 +5,7 @@
 require 'packages/mysql'
 require 'packages/postgres'
 require 'packages/redis'
+require 'packages/iptables'
 
 deployment do
   delivery :capistrano do
@@ -25,5 +26,6 @@
   requires :mysql
   requires :postgres
   requires :redis
+  requires :iptables
 end
 
diff --git a/packages/iptables.rb b/packages/iptables.rb
@@ -0,0 +1,26 @@
+package :iptables do
+  description "Firewall"
+  runner %{/etc/network/if-pre-up.d/iptables}
+  requires :iptables_rules, :iptables_ifconfig
+end
+
+package :iptables_rules do
+  description "Firewall rules"
+  transfer "assets/iptables", "/tmp" do
+    post :install, %{mv /tmp/iptables /etc/iptables.up.rules}
+  end
+  verify do
+    has_file "/etc/iptables.up.rules"
+  end
+end
+
+package :iptables_ifconfig do
+  description "Setup firewall with network"
+  transfer "assets/iptables_ifup", "/tmp" do
+    post :install, %{mv /tmp/iptables_ifup /etc/network/if-pre-up.d/iptables}
+    post :install, %{chmod +x /etc/network/if-pre-up.d/iptables}
+  end
+  verify do
+    has_executable "/etc/network/if-pre-up.d/iptables"
+  end
+end