
Location: majic-ansible-roles/roles/common/templates/00-base.conf.j2

branko
MAR-194: Use IP addresses instead of names for maintenance allowed connections:

- Less ambiguous. Solves problems around names resolving to
different IPs depending on which DNS server is used.
- Parameter renamed to better represent what is specified.
- Updated requirements to allow execution of ipv4/ipv6 filters.
- Pin the rich requirement to a lower version for compatibility
reasons.
- Implement IPv6 connectivity tests.
- Improve rendering of base rules (indentation).
#jinja2:trim_blocks:True,lstrip_blocks:True
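# IPv4
domain ip {
    table filter {
        # Default-deny input chain. Rules below only cover the base service set;
        # NOTE(review): judging by the file name (00-base.conf) other ferm
        # configuration files are expected to append further INPUT rules after
        # these - confirm against the role's ferm layout.
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            # Make sure not to allow flooding via ICMP ping packets by sending them
            # to flood chain before state module kicks in.
            proto icmp icmp-type echo-request jump flood;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # For TCP packets we perform flood checks after state module took care
            # of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            # SSH is accepted before the maintenance gate below, so it stays
            # reachable from any source address even while in maintenance mode.
            proto tcp dport 22 ACCEPT;
{% if maintenance %}
            # Validate source IP against list of allowed source addresses in maintenance mode.
            # Packets from other sources are dropped inside allowed_sources; packets
            # from allowed sources RETURN here and continue down the INPUT chain.
            jump allowed_sources;
{% endif %}
        }

        # The flood chain is used for controlling the rate of the incoming connections.
        # Each limiter uses its own per-source hashlimit table (hashlimit-name), so a
        # burst of pings from a source does not consume that source's SYN budget and
        # vice versa.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }
            # Rate-limit the TCP connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name tcp-syn RETURN;
                # NOTE(review): every SYN above the limit produces a log line; there is
                # no `mod limit` on the LOG rule, so a sustained SYN flood also floods
                # the log - consider rate-limiting the LOG separately from the DROP.
                LOG;
                DROP;
            }
        }
{% if maintenance %}
        # Resume processing for allowed source addresses, otherwise drop packets.
        # Only entries that pass the ipv4 filter are rendered here; IPv6 entries are
        # handled in the ip6 domain, and entries that are neither are silently left
        # out, so a mistyped address results in that source being dropped (fail closed).
        # With an empty list every packet reaching this chain is dropped.
        chain allowed_sources {
            {% for source in maintenance_allowed_sources %}
                {% if source | ipv4 %}
            saddr {{ source }} RETURN;
                {% endif %}
            {% endfor %}
            DROP;
        }
{% endif %}
    }
}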

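# IPv6, same as IPv4 config, with addition of a couple of ICMPv6 packet types.
domain ip6 {
    table filter {
        # Default-deny input chain. Rules below only cover the base service set;
        # NOTE(review): judging by the file name (00-base.conf) other ferm
        # configuration files are expected to append further INPUT rules after
        # these - confirm against the role's ferm layout.
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            # Make sure not to allow flooding via ICMP ping packets by sending them
            # to flood chain before state module kicks in.
            proto icmp icmp-type echo-request jump flood;
            mod state state (ESTABLISHED RELATED) ACCEPT;
            # For TCP packets we perform flood checks after state module took care
            # of established and related connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN jump flood;
            # ICMPv6 packets required for proper functioning of IPv6 (neighbour
            # discovery and router advertisements are not part of any tracked flow,
            # so the state rule above does not cover them).
            # NOTE(review): packet-too-big / time-exceeded / destination-unreachable
            # are not accepted explicitly; they are expected to match RELATED for
            # tracked flows - confirm path MTU discovery still works.
            proto icmp icmp-type router-advertisement ACCEPT;
            proto icmp icmp-type neighbor-solicitation ACCEPT;
            proto icmp icmp-type neighbor-advertisement ACCEPT;
            # Accept some common incoming connections.
            proto icmp icmp-type echo-request ACCEPT;
            # SSH is accepted before the maintenance gate below, so it stays
            # reachable from any source address even while in maintenance mode.
            proto tcp dport 22 ACCEPT;
{% if maintenance %}
            # Validate source IP against list of allowed source addresses in maintenance mode.
            # Packets from other sources are dropped inside allowed_sources; packets
            # from allowed sources RETURN here and continue down the INPUT chain.
            jump allowed_sources;
{% endif %}
        }

        # The flood chain is used for controlling the rate of the incoming connections.
        # Each limiter uses its own per-source hashlimit table (hashlimit-name), so a
        # burst of pings from a source does not consume that source's SYN budget and
        # vice versa.
        chain flood {
            # Rate-limit the ping requests.
            proto icmp icmp-type echo-request {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name icmp RETURN;
                DROP;
            }
            # Rate-limit the TCP connections.
            proto tcp tcp-flags (FIN SYN RST ACK) SYN {
                mod hashlimit hashlimit {{ incoming_connection_limit }} hashlimit-burst {{ incoming_connection_limit_burst }}
                    hashlimit-mode srcip hashlimit-name tcp-syn RETURN;
                # NOTE(review): every SYN above the limit produces a log line; there is
                # no `mod limit` on the LOG rule, so a sustained SYN flood also floods
                # the log - consider rate-limiting the LOG separately from the DROP.
                LOG;
                DROP;
            }
        }
{% if maintenance %}
        # Resume processing for allowed source addresses, otherwise drop packets.
        # Only entries that pass the ipv6 filter are rendered here; IPv4 entries are
        # handled in the ip domain, and entries that are neither are silently left
        # out, so a mistyped address results in that source being dropped (fail closed).
        # With an empty list every packet reaching this chain is dropped.
        chain allowed_sources {
            {% for source in maintenance_allowed_sources %}
                {% if source | ipv6 %}
            saddr {{ source }} RETURN;
                {% endif %}
            {% endfor %}
            DROP;
        }
{% endif %}
    }
}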