shorewall_reloaded Cookbook

Description

This cookbook is based on the original in the Chef Supermarket by charles-dyfis-net for CentOS.

Shorewall is a rather comprehensive and easy-to-use abstraction layer on top of iptables.

This cookbook installs, configures and manages Shorewall.

Requirements

Chef

Tested on 11.12.8, but newer and older versions should work just fine.

Platform

The following platforms have been tested with this cookbook, meaning that the recipes run on these platforms without error:

  • Ubuntu
  • Debian

Capabilities

Creates pretty Shorewall configuration files intended to be aesthetically comparable to hand-written ones.

The following is a typical example of output (in this case, for a rules file):

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW

# Allow all from VM host
ACCEPT          net:10.0.2.2    fw              -       -       -               -               -               -       -

# Incoming SSH to firewall
ACCEPT          all             fw              tcp     22      -               -               -               -       -

# Allow database load-balancer db1.vguest access to repmgr monitor
ACCEPT          lan:192.168.123.10 \
                                fw              tcp     5480    -               -               -               -       -

Note how line continuations are added as necessary to keep column alignment in place.
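The alignment and line-continuation behaviour described above, as an added Ruby example that is not the cookbook's own template code: it renders rule hashes shaped like the ['shorewall']['rules'] attribute into the sample's column layout. The column widths, the column_value/render_rule/render_rules names and the sample rules are assumptions read off the sample file above.

```ruby
# Added example (not the cookbook's template code): render rules hashes shaped like
# the ['shorewall']['rules'] attribute in the column layout of the sample above.
# Column widths are an assumption read off that sample.
COLUMNS = [
  [:action, 16], [:source, 16], [:dest, 16], [:proto, 8], [:dest_port, 8],
  [:source_port, 16], [:original_dest, 16], [:rate_limit, 16], [:user, 8],
  [:fwmark, 0] # last column is never padded
].freeze
# Symbol or string keys (JSON gives strings); an absent or empty field is written as "-".
def column_value(rule, key)
  v = rule[key] || rule[key.to_s]
  v.nil? || v.to_s.empty? ? '-' : v.to_s
end
# Render one rule. A value as wide as (or wider than) its column would destroy
# alignment, so the line is broken with a backslash and the remaining columns
# continue on the next line at their usual offsets.
def render_rule(rule)
  lines = []
  current = +''
  COLUMNS.each_with_index do |(key, width), i|
    value = column_value(rule, key)
    if i == COLUMNS.size - 1
      current << value
    elsif value.length >= width
      lines << "#{current}#{value} \\"
      current = ' ' * COLUMNS[0..i].sum { |_, w| w } # offset of the next column
    else
      current << value.ljust(width)
    end
  end
  lines << current.rstrip
  lines.join("\n")
end
# Whole block: each rule under its description comment, blank line between rules.
def render_rules(rules)
  rules.map do |rule|
    desc = column_value(rule, :description)
    (desc == '-' ? '' : "# #{desc}\n") + render_rule(rule)
  end.join("\n\n")
end
# Constructed sample input mirroring two lines of the rules file above.
SAMPLE_RULES = [
  { 'description' => 'Incoming SSH to firewall', 'action' => 'ACCEPT',
    'source' => 'all', 'dest' => 'fw', 'proto' => 'tcp', 'dest_port' => 22 },
  { 'description' => 'Allow database load-balancer db1.vguest access to repmgr monitor',
    'action' => 'ACCEPT', 'source' => 'lan:192.168.123.10', 'dest' => 'fw',
    'proto' => 'tcp', 'dest_port' => 5480 }
].freeze
puts render_rules(SAMPLE_RULES)
```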

Attributes

shorewall_reloaded::default

Each attribute is listed as Key (Type, Default): Description.

  • ['shorewall']['enabled'] (Boolean, default false): Enable or disable Shorewall.
  • ['shorewall']['default']['options'] (String): Global start/restart/stop options.
  • ['shorewall']['default']['wait_interface'] (String, default false): If your Shorewall configuration requires detection of the IP address of a ppp interface, list such interfaces in this attribute so that Shorewall waits until the interface is configured.
  • ['shorewall']['default']['startoptions'] (String): Start options.
  • ['shorewall']['default']['restartoptions'] (String): Restart options.
  • ['shorewall']['default']['initlog'] (String, default /dev/null): Init log. If it is /dev/null, the STARTUP_LOG value defined in shorewall.conf is used.
  • ['shorewall']['default']['safestop'] (Numeric, default 0): Set this to 1 to make '/etc/init.d/shorewall stop' place the firewall in a safe state rather than open it.
  • ['shorewall']['zones'] (Array, default []): Array of hashes with the zone settings. Each item may have the keys: zone, type, options, in_options, out_options.
  • ['shorewall']['policy'] (Array, default []): Array of hashes with the policy settings. Each item may have the keys: source, dest, policy, log_level, limit.
  • ['shorewall']['interfaces'] (Array, default []): Array of hashes with the interface settings. Each item may have the keys: zone, interface, broadcast, options.
  • ['shorewall']['hosts'] (Array, default []): Array of hashes with the host settings. Each item may have the keys: zone, hosts, options.
  • ['shorewall']['rules'] (Array, default []): Array of hashes with the rule settings. Each item may have the keys: action, source, dest, proto, dest_port, source_port, original_dest, rate_limit, user, fwmark.
  • ['shorewall']['tunnels'] (Array, default []): Array of hashes with the tunnel settings. Each item may have the keys: type, zone, gateway, gateway_zones.
  • ['shorewall']['masq'] (Array, default []): Array of hashes with the masq/SNAT settings. Each item may have the keys: interface, source, address, proto, ports, ipsec, mark, user, switch.

For more details, see the attributes/default.rb file.

Recipes

shorewall_reloaded::default

This recipe installs and configures Shorewall on the node.

Usage

Just include shorewall_reloaded in your node's run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[shorewall_reloaded]"
  ]
}

You need to set the zones, policies, rules and interfaces in order to manage Shorewall with this cookbook.

Examples:

  • Setting zones:
"shorewall": {
  "zones": [
    { "zone": "fw", "type": "firewall" },
    { "zone": "lan", "type": "ipv4" },
    { "zone": "net", "type": "ipv4" }
  ]
}
  • Setting policies:
"shorewall": {
  "policy": [
    { "source": "fw", "dest": "all", "policy": "ACCEPT" },
    { "source": "lan", "dest": "fw", "policy": "REJECT", "log": "DEBUG" },
    { "source": "all", "dest": "all", "policy": "REJECT" }
  ]
}
  • Setting interfaces:
"shorewall": {
  "interfaces": [
    { "zone": "net", "interface": "eth0", "broadcast": "detect", "options": "tcpflags,nosmurfs,routefilter,logmartians" },
    { "zone": "lan", "interface": "eth1", "broadcast": "detect", "options": "tcpflags,nosmurfs,routefilter,logmartians" }
  ]
}
  • Setting rules:
"shorewall": {
  "rules": [
    {
      "description": "Don't allow connection pickup from the net",
      "action": "Invalid(DROP)", "source": "net", "dest": "all"
    },
    {
      "description": "Accept DNS connections from the firewall to the network",
      "action": "DNS(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Accept NTP connections from the firewall to the network",
      "action": "NTP(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Incoming SSH to firewall",
      "source": "all", "dest": "fw", "proto": "tcp", "dest_port": 22, "action": "ACCEPT"
    },
    {
      "description": "Accept HTTP/HTTPS connections to internet",
      "action": "Web(ACCEPT)", "source": "fw", "dest": "net"
    },
    {
      "description": "Allow Ping from the local network",
      "action": "Ping(ACCEPT)", "source": "lan", "dest": "fw"
    },
    {
      "description": "Drop Ping from the \"bad\" net zone.. and prevent your log from being flooded..",
      "action": "Ping(DROP)", "source": "net", "dest": "fw"
    },
    {
      "description": "Allow ICMP from the firewall to the local network",
      "action": "ACCEPT", "source": "fw", "dest": "lan", "proto": "icmp"
    },
    {
      "description": "Allow ICMP from the firewall to the net",
      "action": "ACCEPT", "source": "fw", "dest": "net", "proto": "icmp"
    }
  ]
}
  • Setting tunnels:
"shorewall": {
  "tunnels": [
    { "type": "ipsec", "zone": "net", "gateway": "0.0.0.0/0", "gateway_zones": "vpn" }
  ]
}
  • Setting Masquerade:
"shorewall": {
  "masq": [
    { "interface": "eth0", "source": "192.168.0.0/24" }
  ]
}
  • Setting SNAT:
"shorewall": {
  "masq": [
    { "interface": "eth0", "source": "192.168.0.0/24", "address": "1.2.3.4" }
  ]
}

Development

Contributing

  1. Fork the repository on Github
  2. Write your change
  3. Write tests for your change (if applicable)
  4. Run the tests, ensuring they all pass
  5. Submit a Pull Request using Github

License and Authors

Author:: Claudio Cesar Sanchez Tejeda demonccc@gmail.com

Copyright:: 2014, Claudio Cesar Sanchez Tejeda

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.