How to make P.Property.Firewall.rule persistent

propellor/ forum/ How to make P.Property.Firewall.rule persistent

Edit
RecentChanges
History
Preferences
Branchable
4 comments

The following seems to more or less work (at least the output from "iptables -L -v" looks plausible. But it's not persistent. It doesn't seem sensible to wait for propellor to run again to set up a firewall after reboot. Any ideas for how to make this persistent?

module Propellor.Property.SiteSpecific.Tethera.Firewall (
  ipFirewall,
  ) where

import Propellor.Base
import Propellor.Property.Firewall

ipFirewall :: [Port] -> [Port] -> Property DebianLike
ipFirewall tcpPorts udpPorts = propertyList "IPTables based firewall" $ props
  & installed
  & rule INPUT Filter DROP (Ctstate [INVALID])
  & rule INPUT Filter ACCEPT (InIFace "lo")
  & rule OUTPUT Filter ACCEPT (OutIFace "lo")
  & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
  & rule INPUT Filter ACCEPT (Proto ICMP)
  & openPorts TCP tcpPorts
  & openPorts UDP udpPorts
  & rule OUTPUT Filter ACCEPT Everything
  & rule INPUT Filter DROP Everything
  & rule FORWARD Filter DROP Everything
  where
    openPorts proto lst = combineProperties "open TCP ports" $
                   toProps (map
                             (\p -> (rule INPUT Filter ACCEPT 
                                     ((Proto proto) :- (DPort p)) ))
                             lst)

RSS

A first attempt

Here's what I came up with. I don't know if I'm missing some more obvious way. Thanks to Stefan Gronke on github for answering "what's a simple way to make an iptables systemd service"

module Propellor.Property.SiteSpecific.Tethera.Firewall (
    iptablesRules
  , iptablesUnits
  , saved
  ) where

import Propellor.Base
import Propellor.Property.Firewall
-- import qualified Propellor.Property.Cmd as Cmd
import qualified Propellor.Property.File as File

iptablesRules :: [Port] -> [Port] -> Property DebianLike
iptablesRules tcpPorts udpPorts = propertyList "IPTables based firewall" $ props
  & installed
  & rule INPUT Filter DROP (Ctstate [INVALID])
  & rule INPUT Filter ACCEPT (InIFace "lo")
  & rule OUTPUT Filter ACCEPT (OutIFace "lo")
  & rule INPUT Filter ACCEPT (Ctstate [ESTABLISHED, RELATED])
  & rule INPUT Filter ACCEPT (Proto ICMP)
  & openPorts TCP tcpPorts
  & openPorts UDP udpPorts
  & rule OUTPUT Filter ACCEPT Everything
  & rule INPUT Filter DROP Everything
  & rule FORWARD Filter DROP Everything
  where
    openPorts proto lst = combineProperties "open TCP ports" $
                   toProps (map
                             (\p -> (rule INPUT Filter ACCEPT 
                                     ((Proto proto) :- (DPort p)) ))
                             lst)

saved :: Property UnixLike
saved = combineProperties "iptables rules saved" $ props
  & cmdProperty "iptables-save" ["-f", rulesFile ]
        `changesFile` rulesFile
    `requires` File.dirExists rulesDir
  & cmdProperty "ip6tables-save" ["-f", rules6File ]
        `changesFile` rules6File
    `requires` File.dirExists rulesDir
  where
    rulesDir = "/etc/iptables"
    rulesFile = rulesDir ++ "/iptables.rules"
    rules6File = rulesDir ++ "/ip6tables.rules"

iptablesUnits :: Property UnixLike  
iptablesUnits = combineProperties "systemd units for iptables" $ props
                & unitFile "iptables"
                & unitFile "ip6tables"                
  where
    unitDir = "/etc/systemd/system"
    unitFile baseName = combineProperties ("systemd units for " ++ baseName) $ props
                & File.hasContent (unitDir ++ "/"++baseName++".service")
                [
                  "[Unit]"
                , "Description=Packet Filtering Framework"
                , "DefaultDependencies=no"
                , "After=systemd-sysctl.service"
                , "Before=sysinit.target"
                , "[Service]"
                , "Type=oneshot"
                , "ExecStart=/sbin/"++baseName++"-restore /etc/iptables/"++baseName++".rules"
                , "ExecReload=/sbin/"++baseName++"-restore /etc/iptables/"++baseName++".rules"
                , "ExecStop=/usr/local/bin/flush-"++baseName++".sh"
                , "RemainAfterExit=yes"
                , "[Install]"
                , "WantedBy=multi-user.target"
                ]
                & File.hasContent fipSh
                [
                  "#!/bin/sh"
                , "iptables -F"
                , "iptables -X"
                , "iptables -t nat -F"
                , "iptables -t nat -X"
                , "iptables -t mangle -F"
                , "iptables -t mangle -X"
                , "iptables -P INPUT ACCEPT"
                , "iptables -P FORWARD ACCEPT"
                , "iptables -P OUTPUT ACCEPT"
                ]
                & File.mode fipSh 0755
      where
            fipSh = "/usr/local/bin/flush-"++baseName++".sh"

Comment by david — Thu Jul 18 23:30:44 2019

Remove comment

comment 2

Funny, I never considered that the Firewall properties don't do anything persistent.

I don't think we want to get propellor involved in booting the system, either..

Using iptables-save seems to have a problem: If there are other iptables rules that were not set by this run of propellor, it will save those as well. So it could save rules that were set up by something else that was intended to be temporary, or perhaps rules that were set by a earlier propellor config and that then got deleted out of the propellor config.

Another way to do it could be to have Firewall.rule add its configuration to Info and then Firewall.save could see the collected Info from all the rules and use it to generate the boot script itself.

Comment by joey — Fri Jul 19 14:09:01 2019

Remove comment

Firewall.flush needed?

A simple(-minded) solution to the problem with ip-tables-save is to provide a way to invoke "iptables -F". It seems like this is needed in general, just to have a known starting point. At least most examples of setting up a firewall with iptables start by flushing the existing rules.

Comment by david — Sat Aug 3 15:38:21 2019

Remove comment

giving up on Firewall persistence

I ran out of time/motivation to do this "right", so I just hardcoded all the things, and made a new module called IPTables

module Propellor.Property.SiteSpecific.Tethera.IPTables (
  systemdUnits
  , rules
  ) where

import Propellor.Base
import qualified Propellor.Property.File as File


systemdUnits :: Property UnixLike  
systemdUnits = combineProperties "systemd units for iptables" $ props
                & unitFile "iptables"
                & unitFile "ip6tables"                
  where
    unitDir = "/etc/systemd/system"
    unitFile baseName = combineProperties ("systemd units for " ++ baseName) $ props
                & File.hasContent (unitDir ++ "/"++baseName++".service")
                [
                  "[Unit]"
                , "Description=Packet Filtering Framework"
                , "DefaultDependencies=no"
                , "After=systemd-sysctl.service"
                , "Before=sysinit.target"
                , "[Service]"
                , "Type=oneshot"
                , "ExecStart=/sbin/"++baseName++"-restore -n /etc/iptables/"++baseName++".rules"
                , "ExecReload=/sbin/"++baseName++"-restore -n /etc/iptables/"++baseName++".rules"
                , "ExecStop=/usr/local/bin/flush-"++baseName++".sh"
                , "RemainAfterExit=yes"
                , "[Install]"
                , "WantedBy=multi-user.target"
                ]
                & File.hasContent fipSh
                [
                  "#!/bin/sh"
                , baseName ++ " -F INPUT"
                , baseName ++ " -F FORWARD"
                , baseName ++ " -F OUTPUT"
                , baseName ++ " -P INPUT ACCEPT"
                , baseName ++ " -P FORWARD ACCEPT"
                , baseName ++ " -P OUTPUT ACCEPT"
                ]
                & File.mode fipSh 0o0755
      where
            fipSh = "/usr/local/bin/flush-"++baseName++".sh"


-- this currently makes the possibly bad assumption that the same rule
-- file will work for both v4 and v6
rules :: Property UnixLike
rules  = combineProperties "systemd units for iptables" $ props
         & ruleFile "iptables"
         & ruleFile "ip6tables"                
  where
    ruleDir = "/etc/iptables"
    ruleFile baseName = combineProperties (baseName ++ " rules") $ props
                        & File.hasContent (ruleDir ++ "/"++baseName++".rules")

                        [ "*filter"
                        , ":INPUT ACCEPT [0:0]"
                        , ":FORWARD ACCEPT [0:0]"
                        , ":OUTPUT ACCEPT [0:0]"
                        , "-A INPUT -m conntrack --ctstate INVALID -j DROP"
                        , "-A INPUT -i lo -j ACCEPT"
                        , "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
                        , "-A INPUT -p icmp -j ACCEPT"
                        , "-6 -A INPUT -p ipv6-icmp -j ACCEPT"
                        , "-6 -A INPUT -m state --state NEW -m udp -p udp -s fe80::/10 --dport 546 -j ACCEPT"
                        , "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
                        , "-A INPUT -j DROP"
                        , "-A FORWARD -j DROP"
                        , "-A OUTPUT -o lo -j ACCEPT"
                        , "-A OUTPUT -j ACCEPT"
                        , "COMMIT"
                        ]
                        `requires` File.dirExists ruleDir

Comment by david — Sun Aug 11 11:29:07 2019

Remove comment

Add a comment

Last edited Thu Jul 18 20:28:03 2019