move firewall rules into respective recipes

chef/cookbooks/metasploitable/attributes/default.rb

@@ -7,17 +7,4 @@ default[:metasploitable][:docker_users] = ['boba_fett',
                                            'greedo',
                                            'chewbacca',]
 
-default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
+default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
-
-default[:metasploitable][:ports] = { :cups => 631,
-                                     :apache => 80,
-                                     :unrealircd => 6697,
-                                     :proftpd => 21,
-                                     :mysql => 3306,
-                                     :chatbot_ui => 80,
-                                     :chatbot_nodejs => 3000,
-                                     :readme_app => 3500,
-                                     :sinatra => 8181,
-                                     :samba => 445,
-                                     :ssh => 22
-}

chef/cookbooks/metasploitable/recipes/apache.rb

@@ -4,6 +4,12 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 
+include_recipe 'iptables::default'
+
+iptables_rule '1_apache' do
+  lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
+end
+
 package 'apache2' do
   action :install
 end

chef/cookbooks/metasploitable/recipes/chatbot.rb

@@ -8,6 +8,15 @@
 
 include_recipe 'metasploitable::ruby23'
 include_recipe 'metasploitable::nodejs'
+include_recipe 'iptables::default'
+
+iptables_rule '1_chatbot_ui' do
+  lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
+end
+
+iptables_rule '1_chatbot_nodejs' do
+  lines "-A INPUT -p tcp --dport 3000 -j ACCEPT"
+end
 
 package 'unzip'
 

chef/cookbooks/metasploitable/recipes/cups.rb

@@ -4,6 +4,8 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 
+include_recipe 'iptables::default'
+
 package 'cups' do
   action :install
 end
@@ -13,6 +15,10 @@ cookbook_file '/etc/cups/cupsd.conf' do
   mode '0644'
 end
 
+iptables_rule '1_cups' do
+  lines "-A INPUT -p tcp --dport 631 -j ACCEPT"
+end
+
 service 'cups' do
   action [:enable, :restart]
 end

chef/cookbooks/metasploitable/recipes/iptables.rb

@@ -4,17 +4,17 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 
-iptables_rule 'established' do
+include_recipe 'iptables::default'
-  lines '-I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
+
+iptables_rule '00_established' do
+  lines '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
 end
 
-node[:metasploitable][:ports].keys.each do |service|
+iptables_rule '01_ssh' do
-  iptables_rule service do
+  lines "-A INPUT -p tcp --dport 22 -j ACCEPT"
-    lines "-I INPUT -p tcp --dport #{node[:metasploitable][:ports][service.to_sym]} -j ACCEPT"
-  end
 end
 
-iptables_rule 'drop_all' do
+iptables_rule '999_drop_all' do
   lines '-A INPUT -j DROP'
 end
 

chef/cookbooks/metasploitable/recipes/knockd.rb

@@ -22,7 +22,7 @@ execute 'remove_carriage_returns' do
     command "sed -i -e 's/\r//g' /etc/default/knockd"
 end
 
-iptables_rule 'knockd' do
+iptables_rule '1_knockd' do
   lines "-I FORWARD 1 -p tcp -m tcp --dport #{node[:flags][:five_of_diamonds][:vuln_port]} -j DROP"
 end
 

chef/cookbooks/metasploitable/recipes/mysql.rb

@@ -4,6 +4,12 @@
 #
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 
+include_recipe 'iptables::default'
+
+iptables_rule '1_mysql' do
+  lines "-A INPUT -p tcp --dport 3306 -j ACCEPT"
+end
+
 mysql_service 'default' do
   initial_root_password "#{node[:mysql][:root_password]}"
   bind_address '0.0.0.0'

chef/cookbooks/metasploitable/recipes/proftpd.rb

@@ -6,6 +6,12 @@
 
 # Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224
 
+include_recipe 'iptables::default'
+
+iptables_rule '1_proftpd' do
+  lines "-A INPUT -p tcp --dport 21 -j ACCEPT"
+end
+
 include_recipe 'metasploitable::apache'
 
 proftpd_tar = 'proftpd-1.3.5.tar.gz'

chef/cookbooks/metasploitable/recipes/readme_app.rb

@@ -8,6 +8,13 @@
 
 include_recipe 'metasploitable::ruby23'
 include_recipe 'metasploitable::nodejs'
+include_recipe 'iptables::default'
+
+recipe_port = 3500
+
+iptables_rule '1_readme_app' do
+  lines "-A INPUT -p tcp --dport #{recipe_port} -j ACCEPT"
+end
 
 package 'git'
 
@@ -23,6 +30,7 @@ directory '/opt/readme_app' do
 end
 
 template '/opt/readme_app/start.sh' do
+  variables( readme_app_port: recipe_port )
   source 'readme_app/start.sh.erb'
 end
 

chef/cookbooks/metasploitable/recipes/samba.rb

@@ -5,6 +5,11 @@
 # Copyright:: 2017, Rapid7, All Rights Reserved.
 #
 #
+include_recipe 'iptables::default'
+
+iptables_rule '1_samba' do
+  lines "-A INPUT -p tcp --dport 445 -j ACCEPT"
+end
 
 package 'samba'
 

chef/cookbooks/metasploitable/recipes/sinatra.rb

@@ -8,6 +8,11 @@
 
 include_recipe 'metasploitable::sinatra'
 include_recipe 'metasploitable::ruby23'
+include_recipe 'iptables::default'
+
+iptables_rule '1_sinatra' do
+  lines "-A INPUT -p tcp --dport 8181 -j ACCEPT"
+end
 
 server_path = node['ec2'] ? 'aws' : 'virtualbox'
 

chef/cookbooks/metasploitable/recipes/unrealircd.rb

@@ -7,6 +7,12 @@
 # Downloaded from https://www.exploit-db.com/exploits/13853/
 # Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux
 
+include_recipe 'iptables::default'
+
+iptables_rule '1_unrealircd' do
+  lines "-A INPUT -p tcp --dport 6697 -j ACCEPT"
+end
+
 unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz'
 
 remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do

chef/cookbooks/metasploitable/templates/readme_app/start.sh.erb

@@ -2,4 +2,4 @@
 
 cd /opt/readme_app
 bundle install --path vendor/bundle
-bundle exec rails s -b 0.0.0.0 -p <%= node[:metasploitable][:ports][:readme_app] %>
+bundle exec rails s -b 0.0.0.0 -p <%= @readme_app_port %>