Merge pull request #40 from Freeaqingme/devel

Reinstating $failsafe_ssh

Author: alvagante

manifests/init.pp

@@ -51,6 +51,12 @@
 # [*enable_v6*]
 #   Use this module with IPv6. Defaults to false.
 #
+# [*failsafe_ssh*]
+#   Bool. Insert a rule allowing iptables at all cost. This is to prevent accidental
+#   lockouts when implementing this module. You may want to disable this, and add
+#   the desired rules yourself (allowing to implement specific white- and blacklists,
+#   as well as blocking bruteforce attacks).
+#
 # [*template*]
 #   The template file to use when config=file
 #
@@ -149,6 +155,7 @@
   $default_order            = 5000,
   $enable_v4                = $iptables::params::enable_v4,
   $enable_v6                = $iptables::params::enable_v6,
+  $failsafe_ssh             = true,
   $template                 = '',
   $mode                     = 'concat',
   $version                  = 'present',
@@ -266,8 +273,11 @@
 
   include iptables::ruleset::default_action
   include iptables::ruleset::loopback
+  
+  if any2bool($failsafe_ssh) {
+    include iptables::ruleset::failsafe_ssh
+  }
 
-  # Todo: For now this always evaluates to false, no service is getting restarted
   if ! $bool_service_override_restart {
     service { 'iptables':
       ensure     => $iptables::manage_service_ensure,

manifests/ruleset/failsafe_ssh.pp

@@ -0,0 +1,54 @@
+
+class iptables::ruleset::failsafe_ssh (
+  $chains                  = [ 'INPUT', 'OUTPUT' ],
+  $target                  = 'ACCEPT',
+  $order                   = 11,
+  $port                    = 22,
+  $log                     = false,
+  $lookup_alternative_port = true,
+  $log_prefix              = $iptables::log_prefix,
+  $log_limit_burst         = $iptables::log_limit_burst,
+  $log_limit               = $iptables::log_limit,
+  $log_level               = $iptables::log_level,
+) {
+  
+  $discard = iptables_declare_multiple('iptables::rule',
+    $chains, 'example42-failsafe-ssh-###name###',
+  {
+    table           => 'filter',
+    chain           => '###name###',
+    target          => $target,
+    protocol        => 'tcp',
+    port            => $port,
+    order           => $order,
+    log             => $log,
+    log_prefix      => $log_prefix,
+    log_limit_burst => $log_limit_burst,
+    log_limit       => $log_limit,
+    log_level       => $log_level
+  })
+
+  # If openssh has been configured to use a different class we'll
+  # usee that too.
+  # We could combine the two rule statements into one by using a
+  # multiport match, but not all kernels support this, so for a
+  # failsafe we're not taking any chances.
+  if any2bool($lookup_alternative_port) and defined(Class['openssh']) and $openssh::port != $port {
+      $discard_1 = iptables_declare_multiple('iptables::rule',
+        $chains, 'example42-failsafe-ssh-###name###-otherPort',
+    {
+      table           => 'filter',
+      chain           => '###name###',
+      target          => $target,
+      protocol        => 'tcp',
+      port            => $openssh::port,
+      order           => $order,
+      log             => $log,
+      log_prefix      => $log_prefix,
+      log_limit_burst => $log_limit_burst,
+      log_limit       => $log_limit,
+      log_level       => $log_level
+    })
+  }
+
+}