Class iptables::iptables
In: /tmp/puppet/modules/iptables/manifests/init.pp
Parent:

Module: iptables

Class: iptables

Description:

      This class configures the iptables firewall.

Defines:

      None

LinuxGuide:

      2.5.5.1
      2.5.5.3.1

CCERef#:

      CCE-4189-7

Resources

File["/etc/puppet/post.iptables"]
   content => "-A INPUT -j DROP\n-A FORWARD -j DROP"
   mode => 0600

pre.iptables and post.iptables files. This overcomes the sorting problem for the final DROP rule: the Iptables resources are emitted sorted by resource title (which is why the titles carry numeric prefixes such as 0, 000, 800 and 801), so a DROP defined as an ordinary Iptables resource could not be guaranteed to land after every rule that should match first. Writing "-A INPUT -j DROP" and "-A FORWARD -j DROP" to post.iptables appends them after all of the sorted rules, whatever their titles.

Explicitly allow/drop certain incoming connections

Iptables["0 allow loopback"]
   iniface => "lo"
   jump => "ACCEPT"

Iptables["000 allow established states"]
   state => "ESTABLISHED"
   jump => "ACCEPT"

Don't think we need this now.

        iptables {
                "000 drop avahi":
                        proto       => "udp",
                        dport       => "5353",
                        destination => "224.0.0.251",
                        jump        => "DROP",
        }

ICMP Rules

Iptables["000 allow icmp destination unreachable"]
   proto => "icmp"
   icmp => 3
   jump => "ACCEPT"
Iptables["000 allow icmp echo reply"]
   proto => "icmp"
   icmp => 0
   jump => "ACCEPT"

Commented out in the module (present only in a source comment, not as an applied resource): dropping inbound echo requests.

        iptables {
                "000 drop icmp ping":
                        proto => "icmp",
                        icmp  => "echo-request",
                        jump  => "DROP",
        }
Iptables["000 allow icmp time exceeded"]
   proto => "icmp"
   icmp => 11
   jump => "ACCEPT"
Iptables["000 allow related states"]
   state => "RELATED"
   jump => "ACCEPT"
Logging

The LOG target is non-terminal. A packet that matches one of the 800 rules below is logged with that rule's prefix, then falls through to the 801 catch-all (where it is logged a second time with the "IP INPUT DROP: " prefix), and is only actually discarded by the "-A INPUT -j DROP" rule appended from /etc/puppet/post.iptables. The "IP DROP ..." prefixes describe the eventual fate of the packet, not what the LOG rule itself does.

Iptables["800 log class A spoofing attempt"]
   iniface => "eth0"
   source => "10.0.0.0/8"
   jump => "LOG"
   log_prefix => "IP DROP SPOOF A: "
Iptables["800 log class B spoofing attempt"]
   iniface => "eth0"
   source => "172.16.0.0/12"
   jump => "LOG"
   log_prefix => "IP DROP SPOOF B: "
Iptables["800 log class C spoofing attempt"]
   iniface => "eth0"
   source => "192.168.0.0/16"
   jump => "LOG"
   log_prefix => "IP DROP SPOOF C: "
Iptables["800 log loopback spoofing attempt"]
   iniface => "eth0"
   destination => "127.0.0.0/8"
   jump => "LOG"
   log_prefix => "IP DROP LOOPBACK: "
Iptables["800 log multicast spoofing attempt"]
   iniface => "eth0"
   source => "224.0.0.0/4"
   jump => "LOG"
   log_prefix => "IP DROP MULTICAST D: "
Iptables["800 log spoofing E attempt"]
   iniface => "eth0"
   source => "240.0.0.0/5"
   jump => "LOG"
   log_prefix => "IP DROP SPOOF E: "

Note that 240.0.0.0/5 covers only 240.0.0.0 to 247.255.255.255; the whole reserved class E block is 240.0.0.0/4, so sources in 248.0.0.0/5 are not logged by this rule (they still hit the 801 catch-all below and the final DROP from post.iptables).
Iptables["801 log all other incoming packets before they get dropped"]
   jump => "LOG"
   log_prefix => "IP INPUT DROP: "
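As an added illustration (not the iptables module's own code) of the ordering that the pre.iptables/post.iptables files fix and of how the 800/801 LOG rules interact with the final DROP, the following Python models the INPUT chain: the documented Iptables[...] resources sorted by title, the post.iptables lines appended last, and a tracer that walks a sample packet through the result. The rule subset, the packet dictionaries, and the helper names (ordered_rules, matches, trace, restore_lines) are constructed for this example; the real module renders its rules with its own templates.

```python
"""Model of how this page's Iptables[...] resources are ordered (sorted by
resource title), with /etc/puppet/post.iptables appended last, plus a tracer
that walks a sample packet through the resulting INPUT chain.

Added illustration; not the iptables module's own code.
"""
import ipaddress

# Constructed subset of the resources documented on this page, keyed by title.
RULES = {
    "0 allow loopback": {"iniface": "lo", "jump": "ACCEPT"},
    "000 allow established states": {"state": "ESTABLISHED", "jump": "ACCEPT"},
    "000 allow related states": {"state": "RELATED", "jump": "ACCEPT"},
    "000 allow icmp echo reply": {"proto": "icmp", "icmp": 0, "jump": "ACCEPT"},
    "800 log class A spoofing attempt": {
        "iniface": "eth0", "source": "10.0.0.0/8",
        "jump": "LOG", "log_prefix": "IP DROP SPOOF A: "},
    "801 log all other incoming packets before they get dropped": {
        "jump": "LOG", "log_prefix": "IP INPUT DROP: "},
}

# Exactly what File["/etc/puppet/post.iptables"] writes.
POST_IPTABLES = "-A INPUT -j DROP\n-A FORWARD -j DROP"

# Resource parameter -> iptables switch, used when rendering restore syntax.
PARAM_FLAGS = [("iniface", "-i"), ("proto", "-p"), ("source", "-s"),
               ("destination", "-d"), ("dport", "--dport"), ("icmp", "--icmp-type")]


def ordered_rules(rules):
    """Sorted by title: '0 ' < '000 ' < '800 ' < '801 ', and any title that
    starts with a letter sorts after every numeric prefix."""
    return sorted(rules.items())


def matches(params, pkt):
    """True if a packet (dict with iniface, proto, source, destination,
    state and optionally icmp/dport) satisfies every match in params."""
    for key in ("iniface", "proto", "state", "icmp", "dport"):
        if key in params and params[key] != pkt.get(key):
            return False
    for key in ("source", "destination"):
        if key in params and (ipaddress.ip_address(pkt[key])
                              not in ipaddress.ip_network(params[key])):
            return False
    return True


def trace(rules, pkt, post=POST_IPTABLES):
    """Walk the INPUT chain. LOG is non-terminal: it records its prefix and
    falls through; ACCEPT/DROP end the walk. post.iptables lines come last.
    Returns (verdict, [log prefixes hit])."""
    logs = []
    for _title, params in ordered_rules(rules):
        if not matches(params, pkt):
            continue
        if params["jump"] == "LOG":
            logs.append(params["log_prefix"])
        else:
            return params["jump"], logs
    for line in post.splitlines():
        if line.startswith("-A INPUT ") and line.endswith("-j DROP"):
            return "DROP", logs
    return "ACCEPT", logs  # chain policy; only reached without post.iptables


def restore_lines(rules, post=POST_IPTABLES):
    """Render the sorted rules plus post.iptables as iptables-restore lines."""
    out = []
    for _title, p in ordered_rules(rules):
        parts = ["-A", "INPUT"]
        for key, flag in PARAM_FLAGS:
            if key in p:
                parts += [flag, str(p[key])]
        if "state" in p:
            parts += ["-m", "state", "--state", p["state"]]
        parts += ["-j", p["jump"]]
        if p["jump"] == "LOG":
            parts += ["--log-prefix", '"%s"' % p["log_prefix"]]
        out.append(" ".join(parts))
    return out + post.splitlines()


if __name__ == "__main__":
    print("\n".join(restore_lines(RULES)))
    # Constructed packet: RFC 1918 source arriving on eth0 (the spoof case).
    spoof = {"iniface": "eth0", "proto": "tcp", "source": "10.9.8.7",
             "destination": "203.0.113.5", "state": "NEW", "dport": 22}
    print(trace(RULES, spoof))  # ('DROP', ['IP DROP SPOOF A: ', 'IP INPUT DROP: '])
```

Running it shows the spoofed packet being logged twice (first with the 800 prefix, then with the 801 prefix) before the post.iptables line drops it. It also shows why the numeric prefixes matter: a hypothetical resource titled "allow ssh" with no prefix, as another module might add, sorts after "801 ..." and is logged as "IP INPUT DROP: " even though it is then accepted, and if the final DROP were an ordinary resource titled "999 drop all" that rule would never be reached at all, which is the sorting problem post.iptables avoids.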
