From 5cd1e37f26d65c20b86ecb231119354f65e2db22 Mon Sep 17 00:00:00 2001
From: Maximilian Friedersdorff
Date: Tue, 23 Jul 2019 14:47:09 +0100
Subject: [PATCH] Install glocker

---
 states/glocker/files/cronjob | 29 +++++++++++++++++++++
 states/glocker/init.sls | 50 ++++++++++++++++++++++++++++++++++++
 states/setup.sls | 1 +
 3 files changed, 80 insertions(+)
 create mode 100755 states/glocker/files/cronjob
 create mode 100644 states/glocker/init.sls

diff --git a/states/glocker/files/cronjob b/states/glocker/files/cronjob
new file mode 100755
index 0000000..2ee2da4
--- /dev/null
+++ b/states/glocker/files/cronjob
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Get list of nefarious IP addresses from www.friedersdorff.com/.banned
+
+BANNED_HOSTS=$(curl -s https://www.friedersdorff.com/.banned |
+ grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
+ALLOWED_HOSTS=$(cat /etc/glocker/allowed_hosts)
+
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $BANNED_HOSTS); do
+ ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker hash:net --hashsize 64
+ipset swap glocker-tmp glocker
+ipset destroy glocker-tmp
+echo "IPSet: glocker updated"
+
+# Use local list of explicitly allowed IP addresses from the local machine
+ipset create glocker-tmp hash:net --hashsize 64
+for host in $(echo $ALLOWED_HOSTS); do
+ ip=$(nslookup $host | tail -n2 | head -n1 | sed 's/Address: //')
+ ipset add glocker-tmp $host
+done
+
+ipset create -exist glocker-except hash:net --hashsize 64
+ipset swap glocker-tmp glocker-except
+ipset destroy glocker-tmp
+echo "IPSet: glocker-except updated"
diff --git a/states/glocker/init.sls b/states/glocker/init.sls
new file mode 100644
index 0000000..a507491
--- /dev/null
+++ b/states/glocker/init.sls
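Review bot: A failed or empty fetch silently disables the block list: the exit status of `curl -s` is discarded and `BANNED_HOSTS` is never checked, so when www.friedersdorff.com is unreachable (or the page yields no CIDRs) the script builds an empty `glocker-tmp` and swaps it in over the populated `glocker` set, leaving nothing blocked until the next hourly run. The fetch should fail closed — keep the existing set and exit — when curl fails or the list is empty, as in the fence below; `--max-time` also stops a hung connection from piling up hourly cron jobs. In the second loop `ip=$(nslookup ...)` is computed but never used and `ipset add glocker-tmp $host` adds the raw hostname; whether ipset resolves names itself I cannot confirm from here, but the resolved value is what the except set needs, and it should be guarded by `[ -n "$ip" ]` because the `tail | head | sed` parse yields junk when the lookup fails. Note also that anything in the fetched page matching the CIDR regex is rejected wholesale, including a line such as `0.0.0.0/0`, so whoever controls that host can cut all outbound traffic on every client; an upper bound on prefix length or a signed list would limit that. A leftover `glocker-tmp` from an interrupted run also makes the first `ipset create glocker-tmp` fail and the stale set gets swapped in, so `ipset destroy glocker-tmp 2>/dev/null` before each create (or `create -exist` followed by `flush`) is worth adding.
```sh
# Fetch the ban list; keep the current set if the fetch fails or yields nothing.
RAW=$(curl -sSf --max-time 30 https://www.friedersdorff.com/.banned) || {
  echo "glocker: fetching ban list failed, keeping current set" >&2
  exit 1
}
BANNED_HOSTS=$(printf '%s\n' "$RAW" |
  grep -o -E '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/[[:digit:]]{1,2}')
[ -n "$BANNED_HOSTS" ] || {
  echo "glocker: ban list empty, keeping current set" >&2
  exit 1
}
# … unchanged: ALLOWED_HOSTS, glocker set build and swap, glocker-except build …
```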
@@ -0,0 +1,50 @@
+glocker chain:
+ iptables.chain_present:
+ - name: glocker
+ - table: filter
+
+accept glocker-except:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match-set: glocker-except dst
+ - position: 1
+
+allow uid 40000-50000:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match: owner
+ - uid-owner: 40000-50000
+ - position: 2
+
+reject glocker:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: REJECT
+ - reject-with: icmp-port-unreachable
+ - match-set: glocker dst
+ - position: 3
+
+jump to glocker:
+ iptables.insert:
+ - table: filter
+ - chain: OUTPUT
+ - jump: glocker
+ - position: 1
+
+glocker cron job:
+ file.managed:
+ - name: /etc/cron.hourly/glocker
+ - source: salt://glocker/files/cronjob
+ - user: root
+ - group: root
+ - mode: 750
+
+ensure allowed_hosts file exists:
+ file.touch:
+ - name: /etc/glocker/allowed_hosts
+ - makedirs: True
diff --git a/states/setup.sls b/states/setup.sls
index 6745a1c..4c3b2f2 100644
--- a/states/setup.sls
+++ b/states/setup.sls
@@ -3,3 +3,4 @@ include:
 - ntp
 - pass
 - firefox
+ - glocker
-- 
2.46.2
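Review bot: The `accept glocker-except` and `reject glocker` states reference ipsets that nothing in this state creates: the cron job is only installed, never run, so on a fresh host the `--match-set glocker dst` insert is attempted before the set exists, iptables refuses a rule naming a non-existent set, and the chain is left without its REJECT rule until the next highstate after the first hourly run. Creating both sets up front with `require_in` on the two match-set states (fence below) makes the apply order-independent; `ipset create -exist` is idempotent, so it is harmless on hosts where the cron has already populated them. The chain is inserted only into the IPv4 filter table, so a listed host reachable over IPv6 is unaffected — plausibly intended since the ban-list regex only yields IPv4 CIDRs, but a one-line comment on `glocker chain` saying so would save the next reader the question. Persistence is also unclear from here: neither the rules nor the ipsets are saved, so after a reboot the chain is gone until highstate runs again, and even a saved rule set cannot load before the sets are recreated; a comment such as `# Rules and ipsets are not persisted; highstate (not reboot) restores the block` would document that.
```yaml
# The match-set rules below fail to insert unless both sets already exist.
create glocker ipsets:
  cmd.run:
    - name: ipset create -exist glocker hash:net --hashsize 64 && ipset create -exist glocker-except hash:net --hashsize 64
    - require_in:
      - iptables: accept glocker-except
      - iptables: reject glocker
# … unchanged: glocker chain, accept/allow/reject inserts, jump to glocker, cron job, allowed_hosts …
```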