Install glocker
authorMaximilian Friedersdorff <max@friedersdorff.com>
Tue, 23 Jul 2019 13:47:09 +0000 (14:47 +0100)
committerMaximilian Friedersdorff <max@friedersdorff.com>
Tue, 23 Jul 2019 13:47:09 +0000 (14:47 +0100)
states/glocker/files/cronjob [new file with mode: 0755]
states/glocker/init.sls [new file with mode: 0644]
states/setup.sls

diff --git a/states/glocker/files/cronjob b/states/glocker/files/cronjob
new file mode 100755 (executable)
index 0000000..2ee2da4
--- /dev/null
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Get list of nefarious IP addresses from www.friedersdorff.com/.banned
+
+BANNED_HOSTS=$(curl -s https://www.friedersdorff.com/.banned | 
+  grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
+ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts)
+
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $BANNED_HOSTS); do
+  ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker hash:net --hashsize 64
+ipset swap glocker-tmp glocker
+ipset destroy glocker-tmp
+echo "IPSet: glocker updated"
+
+# Use local list of explicitly allowed IP addresses from the local machine
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $ALLOWED_HOSTS); do
+  ip=$(nslookup $host | tail -n2 | head -n1 | sed 's/Address: //') 
+  ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker-except hash:net --hashsize 64
+ipset swap glocker-tmp glocker-except
+ipset destroy glocker-tmp
+echo "IPSet: glocker-except updated"
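Review bot: In the second loop the `ip=$(nslookup $host | …)` line resolves each allowed_hosts entry, but the next line adds `$host` rather than `$ip`, so the lookup result is never used and a hostname entry reaches `ipset add` unresolved; it should read `ipset add glocker-tmp "$ip"`. The first block also fails open: when the curl fails or returns nothing, `BANNED_HOSTS` is empty, the swap installs an empty `glocker` set and every previously blocked address is unblocked until the next hourly run — guard it with `[ -n "$BANNED_HOSTS" ] || { echo "glocker: empty banlist, keeping current set" >&2; exit 1; }` before the swap, and use `curl -sf` so an HTTP error body is not parsed as a list. The leading `ipset create glocker-tmp` has no `-exist`, so a temp set left by an interrupted run makes that line fail while the script carries on to the swap; `set -e` at the top (or destroying a stale temp set first) keeps a partial set from being swapped in. The `tail -n2 | head -n1 | sed` parsing assumes one fixed nslookup output shape, which is inferred from these lines rather than checked here.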
diff --git a/states/glocker/init.sls b/states/glocker/init.sls
new file mode 100644 (file)
index 0000000..a507491
--- /dev/null
@@ -0,0 +1,50 @@
+glocker chain:
+  iptables.chain_present:
+    - name: glocker
+    - table: filter
+
+accept glocker-except:
+  iptables.insert:
+    - table: filter
+    - chain: glocker
+    - jump: ACCEPT
+    - match-set: glocker-except dst
+    - position: 1
+
+allow uid 40000-50000:
+  iptables.insert:
+    - table: filter
+    - chain: glocker
+    - jump: ACCEPT
+    - match: owner
+    - uid-owner: 40000-50000
+    - position: 2
+
+reject glocker:
+  iptables.insert:
+    - table: filter
+    - chain: glocker
+    - jump: REJECT
+    - reject-with: icmp-port-unreachable
+    - match-set: glocker dst
+    - position: 3
+
+jump to glocker:
+  iptables.insert:
+    - table: filter
+    - chain: OUTPUT
+    - jump: glocker
+    - position: 1
+
+glocker cron job:
+  file.managed:
+    - name: /etc/cron.hourly/glocker
+    - source: salt://glocker/files/cronjob
+    - user: root
+    - group: root
+    - mode: 750
+
+ensure allowed_hosts file exists:
+  file.touch:
+    - name: /etc/glocker/allowed_hosts
+    - makedirs: True
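Review bot: The `accept glocker-except` and `reject glocker` rules use `match-set` on ipsets that nothing in this state creates — only the hourly cron job does — so the first highstate on a fresh minion should fail at iptables.insert with a missing-set error, and after a reboot the rules cannot be reapplied until the sets exist again. Add a state that creates both sets idempotently with `ipset create -exist` and have the two match-set rules `require` it, leaving the cron job to populate them. The `allow uid 40000-50000` rule sits ahead of the reject and is therefore a blanket bypass of the blocklist for that whole uid range; a one-line comment on why that range is exempt would help the next reader, since the file does not say. Whether these rules survive a reboot is not visible here (iptables.insert's `save` option is not set), so it is worth stating or handling explicitly.
```yaml
glocker ipsets present:
  cmd.run:
    - name: ipset create -exist glocker hash:net --hashsize 64 && ipset create -exist glocker-except hash:net --hashsize 64
    - unless: ipset list glocker >/dev/null && ipset list glocker-except >/dev/null

accept glocker-except:
  iptables.insert:
    # … unchanged: table / chain / jump / match-set / position …
    - require:
      - cmd: glocker ipsets present

# … unchanged: allow uid 40000-50000 …

reject glocker:
  iptables.insert:
    # … unchanged: table / chain / jump / reject-with / match-set / position …
    - require:
      - cmd: glocker ipsets present
```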
index 6745a1c99cdb7109861ca0baf76fbe4d86a08517..4c3b2f2d761214172974d62bf429c2d965c2c2bc 100644 (file)
@@ -3,3 +3,4 @@ include:
   - ntp
   - pass
   - firefox
+  - glocker