PageRenderTime 32ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/recipes/default.rb

https://gitlab.com/gitlab-cookbooks/gitlab-iptables
Ruby | 99 lines | 75 code | 10 blank | 14 comment | 10 complexity | 9a0085a354660412cf88efb494552248 MD5 | raw file
    

  1. #
    2. 

  2. # Cookbook:: gitlab-iptables
    3. 

  3. # Recipe:: default
    4. 

  4. # License:: MIT
    5. 

  5. #
    6. 

  6. # Copyright:: (C) 2016 GitLab Inc.
    7. 

  7. #
    8. 

  8. def normalize(text)
    9. 

  9.   text_dup = text.dup
    10. 

  10.   text_dup.downcase!
    11. 

  11.   text_dup.tr(' ', '_')
    12. 

  12. end
    13. 

  13. 

  14. # If we are on AWS, don't bother with iptables/ufw. This behavior can
    15. 

  15. # be overruled if node['gitlab-iptables']['enable'] == true
    16. 

  16. enable_iptables = node['gitlab-iptables']['enable'] ||
    17. 

  17.                   !AwsHelper.aws?
    18. 

  18. 

  19. unless enable_iptables
    20. 

  20.   include_recipe 'ufw::disable' if platform_family?('debian')
    21. 

  21.   return
    22. 

  22. end
    23. 

  23. 

  24. if platform_family?('rhel') && node['platform_version'] =~ /^7\./
    25. 

  25.   include_recipe 'gitlab-iptables::iptables-instead-of-firewalld'
    26. 

  26. end
    27. 

  27. 

  28. # IPv4 rules
    29. 

  29. iptables_ng_rule '1-ssh-allow' do
    30. 

  30.   rule '--protocol tcp --dport 22 -j ACCEPT'
    31. 

  31.   ip_version 4
    32. 

  32. end
    33. 

  33. 

  34. # Allow rule for specific src/dest then reject rule for any
    35. 

  35. rule_nr = 10
    36. 

  36. firewall_rules = nil
    37. 

  37. firewall_rules = node['firewall']['rules'] if node['firewall']
    38. 

  38. firewall_rules ||= []
    39. 

  39. firewall_rules.each do |rule|
    40. 

  40.   rule.each do |rule_name, rule_spec|
    41. 

  41.     source = "--source #{rule_spec['source']}" if rule_spec['source']
    42. 

  42.     destination = "--destination #{rule_spec['destination']}" if rule_spec['destination']
    43. 

  43.     protocols = rule_spec['protocol'] ? [rule_spec['protocol']] : %w(tcp udp)
    44. 

  44.     protocols.each do |protocol|
    45. 

  45.       iptables_ng_rule "#{rule_nr}-#{normalize(rule_name)}-#{protocol}-allow" do
    46. 

  46.         rule "--protocol #{protocol} #{source} #{destination} --dport #{rule_spec['port']} -j ACCEPT"
    47. 

  47.         ip_version 4
    48. 

  48.       end
    49. 

  49.       rule_nr += 1
    50. 

  50.     end
    51. 

  51.   end
    52. 

  52. end
    53. 

  53. 

  54. iptables_ng_rule '998-log-before-reject' do
    55. 

  55.   rule '-j LOG --log-level debug --log-prefix "Reject unmatched packet " -m limit --limit 1/second --limit-burst 10'
    56. 

  56.   ip_version 4
    57. 

  57. end
    58. 

  58. 

  59. # If not on Azure drop all traffic by default
    60. 

  60. azure = false
    61. 

  61. azure = true if node['kernel']['modules'].include?('hid_hyperv')
    62. 

  62. 

  63. unless azure
    64. 

  64.   iptables_ng_rule '1-lo-allow' do
    65. 

  65.     rule '-i lo -j ACCEPT'
    66. 

  66.     ip_version 4
    67. 

  67.   end
    68. 

  68.   iptables_ng_rule '1-icmp-allow' do
    69. 

  69.     rule '-p icmp -j ACCEPT'
    70. 

  70.     ip_version 4
    71. 

  71.   end
    72. 

  72.   iptables_ng_rule '1-state-rel-est-allow' do
    73. 

  73.     rule '-m state --state RELATED,ESTABLISHED -j ACCEPT'
    74. 

  74.     ip_version 4
    75. 

  75.   end
    76. 

  76.   iptables_ng_rule '999-all-drop' do
    77. 

  77.     rule '-j REJECT'
    78. 

  78.     ip_version 4
    79. 

  79.   end
    80. 

  80. end
    81. 

  81. 

  82. # IPv6 rules
    83. 

  83. iptables_ng_rule '999-all-drop-ip6' do
    84. 

  84.   rule '-j REJECT'
    85. 

  85.   ip_version 6
    86. 

  86. end
    87. 

  87. 

  88. # Restart docker service which uses own iptables chains
    89. 

  89. if File.exist?('/etc/init.d/docker') || File.exist?('/usr/lib/systemd/system/docker.service')
    90. 

  90.   service 'docker' do
    91. 

  91.     if platform?('ubuntu')
    92. 

  92.       if node['platform_version'].to_f >= 9.10 && node['platform_version'].to_f < 16.04
    93. 

  93.         provider Chef::Provider::Service::Upstart
    94. 

  94.       end
    95. 

  95.     end
    96. 

  96.     action :restart
    97. 

  97.     not_if 'iptables -L DOCKER'
    98. 

  98.   end
    99. 

  99. end
    100. 

  100.