mirror of
https://github.com/rapid7/metasploitable3.git
synced 2024-07-02 01:35:50 +02:00
Land #423, Iptables idempotent
This commit is contained in:
commit
6f699c7a83
171
chef/cookbooks/iptables/CHANGELOG.md
Normal file
171
chef/cookbooks/iptables/CHANGELOG.md
Normal file
|
@ -0,0 +1,171 @@
|
||||||
|
# iptables Cookbook CHANGELOG
|
||||||
|
This file is used to list changes made in each version of the iptables cookbook.
|
||||||
|
|
||||||
|
## 4.5.0 (2018-11-24)
|
||||||
|
|
||||||
|
- Add sensitive option to resources
|
||||||
|
- Added filemode property to generated rule files
|
||||||
|
|
||||||
|
## 4.4.1 (2018-09-11)
|
||||||
|
|
||||||
|
- Remove mention of matchers in the readme
|
||||||
|
- Add back support for RHEL 6 + fix Amazon Linux 2 support
|
||||||
|
- Add additional specs for the package installs so we don't break this in the future
|
||||||
|
|
||||||
|
## 4.4.0 (2018-09-10)
|
||||||
|
|
||||||
|
- Use persistent iptables package for Debian config
|
||||||
|
- Add IPv6 support to iptables_rule and Add iptables_rule6
|
||||||
|
- Extend disabled recipe for Fedora and Amazon distros
|
||||||
|
|
||||||
|
## 4.3.4 (2018-02-15)
|
||||||
|
|
||||||
|
- Fix converge failures in the custom resource introduced in 4.3.3
|
||||||
|
- Remove stove and tomlrb from the Gemfile
|
||||||
|
- use apt_update not apt cookbook in testing
|
||||||
|
- Add Amazon Linux to test kitchen
|
||||||
|
- Simplify the platform family check using our helpers
|
||||||
|
|
||||||
|
## 4.3.3 (2018-02-15)
|
||||||
|
|
||||||
|
- Don't use kind_of in the custom resource (FC117)
|
||||||
|
|
||||||
|
## 4.3.2 (2018-02-07)
|
||||||
|
|
||||||
|
- Fix FC108 to resolve test failures
|
||||||
|
- Switch from ServerSpec to InSpec
|
||||||
|
- Resolve ChefSpec warnings
|
||||||
|
- Remove ChefSpec matchers that are no longer needed since ChefSpec autogenerates these
|
||||||
|
|
||||||
|
## 4.3.1 (2017-11-06)
|
||||||
|
|
||||||
|
- Updating namespace for attribute-based rules in the readme
|
||||||
|
|
||||||
|
## 4.3.0 (2017-10-28)
|
||||||
|
|
||||||
|
- Add Amazon Linux support on Chef 13
|
||||||
|
|
||||||
|
## 4.2.1 (2017-09-08)
|
||||||
|
|
||||||
|
- Resolve deprecation warning
|
||||||
|
|
||||||
|
## 4.2.0 (2017-04-14)
|
||||||
|
|
||||||
|
- [GH-69] - Clearing out iptables rule files on RHEL with the iptables::disabled recipe
|
||||||
|
|
||||||
|
## 4.1.0 (2017-04-11)
|
||||||
|
|
||||||
|
- specify optional table property for use with lines
|
||||||
|
|
||||||
|
## 4.0.1 (2017-03-29)
|
||||||
|
- Update metadata to require Chef 12.10+ due to use of with_run_context
|
||||||
|
|
||||||
|
## 4.0.0 (2017-02-27)
|
||||||
|
|
||||||
|
- Remove EOL platforms from testing
|
||||||
|
- Require Chef 12.5 and remove compat_resource dependency
|
||||||
|
|
||||||
|
## 3.1.0 (2017-01-16)
|
||||||
|
|
||||||
|
- Update readme to include new attribute
|
||||||
|
- Check subcmd exit codes in rebuild-iptables script
|
||||||
|
- fixed iptables disabled recipe to flush iptables after disabling the service
|
||||||
|
|
||||||
|
## 3.0.1 (2016-10-10)
|
||||||
|
- Fix rules resource so rebuild-iptables only runs once
|
||||||
|
- Add tests for nested resources
|
||||||
|
- Add system ruby attribute so that it can be overridden
|
||||||
|
|
||||||
|
## 3.0.0 (2016-09-16)
|
||||||
|
- Remove kitchen cloud config
|
||||||
|
- Fix default specs to work properly on RHEL and other general spec cleanup
|
||||||
|
- Simplify testing and fix failing tests on RHEL
|
||||||
|
- allow using a file provider instead of a template
|
||||||
|
- rename 'content' to 'lines' and add documentation
|
||||||
|
- make the attributes example a bit more useful
|
||||||
|
- using iptables-restore logic for rhel - same as debian
|
||||||
|
- copy new config to default location in case of iptables restart
|
||||||
|
- refactored rebuild-iptables script
|
||||||
|
- Update supported os
|
||||||
|
- Use compat_resource to restore Chef 12.1 - 12.4 compatibility
|
||||||
|
|
||||||
|
## v2.2.0 (2016-02-17)
|
||||||
|
- Remove the dependency on compat_resource cookbook. This fixes RHEL systems, but increases the required Chef version to 12.5 or later
|
||||||
|
|
||||||
|
## v2.1.1 (2016-01-26)
|
||||||
|
- Fixed failures on RHEL in the disabled recipe
|
||||||
|
|
||||||
|
## v2.1.0 (2016-01-25)
|
||||||
|
- Improved compatbility with Fedora
|
||||||
|
- Added management of the iptables sysconfig files using 2 new attributes. See the readme for more information
|
||||||
|
|
||||||
|
## v2.0.2 (2016-01-15)
|
||||||
|
- Fixed rules not being rebuilt when using the disable action in the custom resource
|
||||||
|
|
||||||
|
## v2.0.1 (2015-11-16)
|
||||||
|
- Added Chefspec matchers
|
||||||
|
|
||||||
|
## v2.0.0 (2015-10-21)
|
||||||
|
- Migrated LWRP to Chef 12.5 custom resources format with backwards compatibility provided via compat_resource cookbook to 12.X family
|
||||||
|
- Added Start / enable of iptables service in the default recipe when on RHEL based systems and the management of /etc/sysconfig/iptables so the service can start
|
||||||
|
- Added removal of /etc/iptables.d/ to the disabled recipe to allow for reenabling later on
|
||||||
|
- Modified the iptables service disable in the disable recipe to only run when on RHEL based systems
|
||||||
|
- Expanded the serverspec tests and test kitchen suites to better test rules custom resource and disable recipe
|
||||||
|
|
||||||
|
## v1.1.0 (2015-10-05)
|
||||||
|
- Fixed metadata description of the default recipe
|
||||||
|
- Added Kitchen CI config
|
||||||
|
- Added Chefspec unit tests
|
||||||
|
- Updated to our standard Rubocop config and resolve all warnings
|
||||||
|
- Added Travis CI config for lint / unit testing on Ruby 2/2.1/2.2
|
||||||
|
- Updated Contributing and Testing docs
|
||||||
|
- Added a maintainers doc
|
||||||
|
- Added a Gemfile with development and testing dependencies
|
||||||
|
- Added cookbook version and Travis CI badges to the readme
|
||||||
|
- Clarified in the readme that the minimum supported Chef release is 11.0
|
||||||
|
- Added a Rakefile easier testing
|
||||||
|
- Added a chefignore file to limit files that are uploaded to the Chef server
|
||||||
|
- Update to modern notification format to resolve Foodcritic warnings
|
||||||
|
- Added source_url and issues_url to the metadata for Supermarket
|
||||||
|
- Removed pre-Ruby 1.9 hash rockets
|
||||||
|
|
||||||
|
## v1.0.0 (2015-04-29)
|
||||||
|
NOTE: This release includes breaking changes to the behavior of this cookbook. The iptables_rule definition was converted to a LWRP. This changes the behavior of disabling iptables rules. Previously a rule could be disabled by specifying `enable false`. You must now specify `action :disable`. Additionally the cookbook no longer installs the out of the box iptables rules. These were rules made assumptions about the operating environment and should not have been installed out of the box. This makes this recipe a library cookbook that can be better wrapped to meet the needs or your particular environment.
|
||||||
|
- Definition converted to a LWRP to providing why-run support and
|
||||||
|
- The out of the box iptables rules are no longer installed. If you need these rules you'll need to wrap the cookbook and use the LWRP to define these same rules.
|
||||||
|
- Removed all references to the roadmap and deprecation of the cookbook. It's not going anywhere any time soon
|
||||||
|
- Use platform_family to better support Debian derivatives
|
||||||
|
- Converted file / directory modes to strings to preserve the leading 0
|
||||||
|
- Added additional RHEL derivitive distributions to the metadata
|
||||||
|
- Expanded excluded files in the gitignore and chefignore files
|
||||||
|
- Included the latest contributing documentation to match the current process
|
||||||
|
|
||||||
|
## v0.14.1 (2015-01-01)
|
||||||
|
- Fixing File.exists is deprecated for File.exist
|
||||||
|
|
||||||
|
## v0.14.0 (2014-08-31)
|
||||||
|
- [#14] Adds basic testing suite including Berksfile
|
||||||
|
- [#14] Adds basic integration/post-converge tests
|
||||||
|
- [#14] Adds default prefix and postfix rules to disalow traffic
|
||||||
|
|
||||||
|
## v0.13.2 (2014-04-09)
|
||||||
|
- [COOK-4496] Added Amazon Linux support
|
||||||
|
|
||||||
|
## v0.13.0 (2014-03-19)
|
||||||
|
- [COOK-3927] Substitute Perl version of rebuild-iptables with Ruby version
|
||||||
|
|
||||||
|
## v0.12.2 (2014-03-18)
|
||||||
|
- [COOK-4411] - Add newling to iptables.snat
|
||||||
|
|
||||||
|
## v0.12.0
|
||||||
|
- [COOK-2213] - iptables disabled recipe
|
||||||
|
|
||||||
|
## v0.11.0
|
||||||
|
- [COOK-1883] - add perl package so rebuild script works
|
||||||
|
|
||||||
|
## v0.10.0
|
||||||
|
- [COOK-641] - be able to save output on rhel-family
|
||||||
|
- [COOK-655] - use a template from other cookbooks
|
||||||
|
|
||||||
|
## v0.9.3
|
||||||
|
- Current public release.
|
156
chef/cookbooks/iptables/README.md
Normal file
156
chef/cookbooks/iptables/README.md
Normal file
|
@ -0,0 +1,156 @@
|
||||||
|
# iptables Cookbook
|
||||||
|
|
||||||
|
[![Build Status](https://travis-ci.org/chef-cookbooks/iptables.svg?branch=master)](https://travis-ci.org/chef-cookbooks/iptables) [![Cookbook Version](https://img.shields.io/cookbook/v/iptables.svg)](https://supermarket.chef.io/cookbooks/iptables)
|
||||||
|
|
||||||
|
Installs iptables and provides a custom resource for adding and removing iptables rules
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
### Platforms
|
||||||
|
|
||||||
|
- Ubuntu/Debian
|
||||||
|
- RHEL/CentOS and derivatives
|
||||||
|
- Amazon Linux
|
||||||
|
|
||||||
|
### Chef
|
||||||
|
|
||||||
|
- Chef 12.10+
|
||||||
|
|
||||||
|
### Cookbooks
|
||||||
|
|
||||||
|
- none
|
||||||
|
|
||||||
|
## Recipes
|
||||||
|
|
||||||
|
### default
|
||||||
|
|
||||||
|
The default recipe will install iptables and provides a ruby script (installed in `/usr/sbin/rebuild-iptables`) to manage rebuilding firewall rules from files dropped off in `/etc/iptables.d`.
|
||||||
|
|
||||||
|
### disabled
|
||||||
|
|
||||||
|
The disabled recipe will install iptables, disable the `iptables` service (on RHEL platforms), and delete the rules directory `/etc/iptables.d`.
|
||||||
|
|
||||||
|
## Attributes
|
||||||
|
|
||||||
|
`default['iptables']['iptables_sysconfig']` and `default['iptables']['ip6tables_sysconfig']` are hashes that are used to template /etc/sysconfig/iptables-config and /etc/sysconfig/ip6tables-config. The keys must be upper case and any key / value pair included will be added to the config file.
|
||||||
|
|
||||||
|
`default['iptables']['system_ruby']` allows users to override the system ruby path if ruby is installed into a non standard location and Chef has been installed without an embedded ruby (eg. from the Gem).
|
||||||
|
|
||||||
|
## Custom Resource
|
||||||
|
|
||||||
|
### rule
|
||||||
|
|
||||||
|
The custom resource drops off a template in `/etc/iptables.d` after the `name` parameter. The rule will get added to the local system firewall through notifying the `rebuild-iptables` script. See **Examples** below.
|
||||||
|
|
||||||
|
NOTE: In the 1.0 release of this cookbook the iptables_rule definition was converted to a custom resource. This changes the behavior of disabling iptables rules. Previously a rule could be disabled by specifying `enable false`. You must now specify `action :disable`
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Add `recipe[iptables]` to your runlist to ensure iptables is installed / running and to ensure that the `rebuild-iptables` script is on the system. Then create use iptables_rule to add individual rules. See **Examples**.
|
||||||
|
|
||||||
|
Since certain chains can be used with multiple tables (e.g., _PREROUTING_), you might have to include the name of the table explicitly (i.e., _*nat_, _*mangle_, etc.), so that the `/usr/sbin/rebuild-iptables` script can infer how to assemble final ruleset file that is going to be loaded. Please note, that unless specified otherwise, rules will be added under the **filter** table by default.
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
To enable port 80, e.g. in an `my_httpd` cookbook, create the following template:
|
||||||
|
|
||||||
|
```text
|
||||||
|
# Port 80 for http
|
||||||
|
-A FWR -p tcp -m tcp --dport 80 -j ACCEPT
|
||||||
|
```
|
||||||
|
|
||||||
|
This template would be located at: `my_httpd/templates/default/http.erb`. Then within your recipe call:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
iptables_rule 'http' do
|
||||||
|
action :enable
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
To redirect port 80 to local port 8080, e.g., in the aforementioned `my_httpd` cookbook, create the following template:
|
||||||
|
|
||||||
|
```text
|
||||||
|
*nat
|
||||||
|
# Redirect anything on eth0 coming to port 80 to local port 8080
|
||||||
|
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
|
||||||
|
```
|
||||||
|
|
||||||
|
Please note, that we explicitly add name of the table (being _*nat_ in this example above) where the rules should be added.
|
||||||
|
|
||||||
|
This would most likely go in the cookbook, `my_httpd/templates/default/http_8080.erb`. Then to use it in `recipe[httpd]`:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
iptables_rule 'http_8080' do
|
||||||
|
action :enable
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
To create a rule without using a template resource use the `lines` property (you can optionally specify `table` when using `lines`):
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
iptables_rule 'http_8080' do
|
||||||
|
lines '-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080'
|
||||||
|
table :nat
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
Additionally, a rule can be marked as sensitive so it's contents does not get output to the the console or logged with the sensitive property set to `true`. The mode of the generated rule file can be set with the filemode property:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
iptables_rule 'http_8080' do
|
||||||
|
lines '-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080'
|
||||||
|
table :nat
|
||||||
|
sensitive true
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
iptables_rule 'http_8080' do
|
||||||
|
lines '-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080'
|
||||||
|
table :nat
|
||||||
|
sensitive true
|
||||||
|
filemode '0600'
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
To get attribute-driven rules you can (for example) feed a hash of attributes into named iptables.d files like this:
|
||||||
|
|
||||||
|
```ruby
|
||||||
|
node.default['iptables']['rules']['http_80'] = '-A FWR -p tcp -m tcp --dport 80 -j ACCEPT'
|
||||||
|
node.default['iptables']['rules']['http_443'] = [
|
||||||
|
'# an example with multiple lines',
|
||||||
|
'-A FWR -p tcp -m tcp --dport 443 -j ACCEPT',
|
||||||
|
]
|
||||||
|
|
||||||
|
node['iptables']['rules'].map do |rule_name, rule_body|
|
||||||
|
iptables_rule rule_name do
|
||||||
|
lines [ rule_body ].flatten.join("\n")
|
||||||
|
end
|
||||||
|
end
|
||||||
|
```
|
||||||
|
|
||||||
|
## IPv6 supports
|
||||||
|
|
||||||
|
The `iptables_rule6` provides IPv6 support with the same behavior as the original `iptable_rule`.
|
||||||
|
|
||||||
|
A `/usr/sbin/rebuild-ip6tables` script perform iptables configuration and the IPv6 rules are stored in `/etc/ip6tables.d`
|
||||||
|
|
||||||
|
## License & Authors
|
||||||
|
|
||||||
|
**Author:** Cookbook Engineering Team ([cookbooks@chef.io](mailto:cookbooks@chef.io))
|
||||||
|
|
||||||
|
**Copyright:** 2008-2018, Chef Software, Inc.
|
||||||
|
|
||||||
|
```
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
```
|
41
chef/cookbooks/iptables/attributes/default.rb
Normal file
41
chef/cookbooks/iptables/attributes/default.rb
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
#
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Attribute:: default
|
||||||
|
#
|
||||||
|
# Copyright:: 2016, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
default['iptables']['iptables_sysconfig'] = {
|
||||||
|
'IPTABLES_MODULES' => '',
|
||||||
|
'IPTABLES_MODULES_UNLOAD' => 'yes',
|
||||||
|
'IPTABLES_SAVE_ON_STOP' => 'no',
|
||||||
|
'IPTABLES_SAVE_ON_RESTART' => 'no',
|
||||||
|
'IPTABLES_SAVE_COUNTER' => 'no',
|
||||||
|
'IPTABLES_STATUS_NUMERIC' => 'yes',
|
||||||
|
'IPTABLES_STATUS_VERBOSE' => 'no',
|
||||||
|
'IPTABLES_STATUS_LINENUMBERS' => 'yes',
|
||||||
|
}
|
||||||
|
default['iptables']['ip6tables_sysconfig'] = {
|
||||||
|
'IP6TABLES_MODULES' => '',
|
||||||
|
'IP6TABLES_MODULES_UNLOAD' => 'yes',
|
||||||
|
'IP6TABLES_SAVE_ON_STOP' => 'no',
|
||||||
|
'IP6TABLES_SAVE_ON_RESTART' => 'no',
|
||||||
|
'IP6TABLES_SAVE_COUNTER' => 'no',
|
||||||
|
'IP6TABLES_STATUS_NUMERIC' => 'yes',
|
||||||
|
'IP6TABLES_STATUS_VERBOSE' => 'no',
|
||||||
|
'IP6TABLES_STATUS_LINENUMBERS' => 'yes',
|
||||||
|
}
|
||||||
|
|
||||||
|
default['iptables']['system_ruby'] = '/usr/bin/ruby'
|
1
chef/cookbooks/iptables/metadata.json
Normal file
1
chef/cookbooks/iptables/metadata.json
Normal file
File diff suppressed because one or more lines are too long
31
chef/cookbooks/iptables/recipes/_package.rb
Normal file
31
chef/cookbooks/iptables/recipes/_package.rb
Normal file
|
@ -0,0 +1,31 @@
|
||||||
|
#
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Recipe:: _package
|
||||||
|
#
|
||||||
|
# Copyright:: 2008-2016, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
# amazon linux, any fedora, and amazon linux 2
|
||||||
|
if (platform_family?('rhel') && node['platform_version'].to_i == 7) ||
|
||||||
|
(platform_family?('amazon') && node['platform_version'].to_i < 2013) ||
|
||||||
|
platform_family?('fedora')
|
||||||
|
package 'iptables-services'
|
||||||
|
else
|
||||||
|
package 'iptables'
|
||||||
|
if platform_family?('debian')
|
||||||
|
# Since Ubuntu 10.04LTS and Debian6, this package takes over the automatic loading of the saved iptables rules
|
||||||
|
package 'iptables-persistent'
|
||||||
|
end
|
||||||
|
end
|
83
chef/cookbooks/iptables/recipes/default.rb
Normal file
83
chef/cookbooks/iptables/recipes/default.rb
Normal file
|
@ -0,0 +1,83 @@
|
||||||
|
#
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Recipe:: default
|
||||||
|
#
|
||||||
|
# Copyright:: 2008-2016, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
system_ruby = node['iptables']['system_ruby']
|
||||||
|
|
||||||
|
case node['platform_family']
|
||||||
|
when 'rhel', 'fedora', 'amazon'
|
||||||
|
node.default['iptables']['persisted_rules_iptables'] =
|
||||||
|
'/etc/sysconfig/iptables'
|
||||||
|
node.default['iptables']['persisted_rules_ip6tables'] =
|
||||||
|
'/etc/sysconfig/ip6tables'
|
||||||
|
when 'debian'
|
||||||
|
node.default['iptables']['persisted_rules_iptables'] =
|
||||||
|
'/etc/iptables/rules.v4'
|
||||||
|
node.default['iptables']['persisted_rules_ip6tables'] =
|
||||||
|
'/etc/iptables/rules.v6'
|
||||||
|
end
|
||||||
|
|
||||||
|
include_recipe 'iptables::_package'
|
||||||
|
|
||||||
|
%w(iptables ip6tables).each do |ipt|
|
||||||
|
execute "rebuild-#{ipt}" do
|
||||||
|
command "/usr/sbin/rebuild-#{ipt}"
|
||||||
|
action :nothing
|
||||||
|
end
|
||||||
|
|
||||||
|
directory "/etc/#{ipt}.d" do
|
||||||
|
action :create
|
||||||
|
end
|
||||||
|
|
||||||
|
template "/usr/sbin/rebuild-#{ipt}" do
|
||||||
|
source 'rebuild-iptables.erb'
|
||||||
|
mode '0755'
|
||||||
|
variables(
|
||||||
|
ipt: ipt,
|
||||||
|
hashbang: ::File.exist?(system_ruby) ? system_ruby : '/opt/chef/embedded/bin/ruby',
|
||||||
|
persisted_file: node['iptables']["persisted_rules_#{ipt}"]
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
if platform_family?('debian')
|
||||||
|
# debian based systems load iptables during the interface activation
|
||||||
|
template "/etc/network/if-pre-up.d/#{ipt}_load" do
|
||||||
|
source 'iptables_load.erb'
|
||||||
|
mode '0755'
|
||||||
|
variables iptables_save_file: "/etc/#{ipt}/general",
|
||||||
|
iptables_restore_binary: "/sbin/#{ipt}-restore"
|
||||||
|
end
|
||||||
|
elsif platform_family?('rhel', 'fedora', 'amazon')
|
||||||
|
# iptables service exists only on RHEL based systems
|
||||||
|
file "/etc/sysconfig/#{ipt}" do
|
||||||
|
content '# Chef managed placeholder to allow iptables service to start'
|
||||||
|
action :create_if_missing
|
||||||
|
end
|
||||||
|
|
||||||
|
template "/etc/sysconfig/#{ipt}-config" do
|
||||||
|
source 'iptables-config.erb'
|
||||||
|
mode '600'
|
||||||
|
variables config: node['iptables']["#{ipt}_sysconfig"]
|
||||||
|
end
|
||||||
|
|
||||||
|
service ipt do
|
||||||
|
action [:enable, :start]
|
||||||
|
supports status: true, start: true, stop: true, restart: true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
51
chef/cookbooks/iptables/recipes/disabled.rb
Normal file
51
chef/cookbooks/iptables/recipes/disabled.rb
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
#
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Recipe:: default
|
||||||
|
#
|
||||||
|
# Copyright:: 2008-2016, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
#
|
||||||
|
|
||||||
|
include_recipe 'iptables::_package'
|
||||||
|
|
||||||
|
%w(iptables ip6tables).each do |ipt|
|
||||||
|
service ipt do
|
||||||
|
action [:disable, :stop]
|
||||||
|
delayed_action :stop
|
||||||
|
supports status: true, start: true, stop: true, restart: true
|
||||||
|
only_if { %w(rhel fedora amazon).include?(node['platform_family']) }
|
||||||
|
end
|
||||||
|
|
||||||
|
# Necessary so that if iptables::disable is used and then later
|
||||||
|
# it is re-enabled without any rules changes, the templates will run the rebuilt script
|
||||||
|
directory "/etc/#{ipt}.d" do
|
||||||
|
action :delete
|
||||||
|
recursive true
|
||||||
|
notifies :run, "execute[#{ipt}Flush]", :immediately
|
||||||
|
end
|
||||||
|
|
||||||
|
["/etc/sysconfig/#{ipt}", "/etc/sysconfig/#{ipt}.fallback"].each do |f|
|
||||||
|
file f do
|
||||||
|
content '# iptables rules files cleared by chef via iptables::disabled'
|
||||||
|
only_if { %w(rhel fedora amazon).include?(node['platform_family']) }
|
||||||
|
notifies :run, "execute[#{ipt}Flush]", :immediately
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Flush and delete iptables rules
|
||||||
|
execute "#{ipt}Flush" do
|
||||||
|
command "#{ipt} -F"
|
||||||
|
action :nothing
|
||||||
|
end
|
||||||
|
end
|
79
chef/cookbooks/iptables/resources/rule.rb
Normal file
79
chef/cookbooks/iptables/resources/rule.rb
Normal file
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# Author:: Tim Smith <tsmith84@gmail.com>
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Resource:: rule
|
||||||
|
#
|
||||||
|
# Copyright:: 2015-2018, Tim Smith
|
||||||
|
# Copyright:: 2017-2018, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
property :source, String
|
||||||
|
property :cookbook, String
|
||||||
|
property :variables, Hash, default: {}
|
||||||
|
property :lines, String
|
||||||
|
property :table, Symbol
|
||||||
|
property :ipv6, [TrueClass, FalseClass], default: false
|
||||||
|
property :filemode, [String, Integer], default: '0644'
|
||||||
|
|
||||||
|
action :enable do
|
||||||
|
ipt = new_resource.ipv6 ? 'ip6tables' : 'iptables'
|
||||||
|
|
||||||
|
# ensure we have execute[rebuild-iptables] in the outer run_context
|
||||||
|
with_run_context :root do
|
||||||
|
find_resource(:execute, "rebuild-#{ipt}") do
|
||||||
|
command "/usr/sbin/rebuild-#{ipt}"
|
||||||
|
action :nothing
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
if new_resource.lines.nil?
|
||||||
|
template "/etc/#{ipt}.d/#{new_resource.name}" do
|
||||||
|
source new_resource.source ? new_resource.source : "#{new_resource.name}.erb"
|
||||||
|
mode new_resource.filemode
|
||||||
|
cookbook new_resource.cookbook if new_resource.cookbook
|
||||||
|
variables new_resource.variables
|
||||||
|
backup false
|
||||||
|
sensitive new_resource.sensitive
|
||||||
|
notifies :run, "execute[rebuild-#{ipt}]", :delayed
|
||||||
|
end
|
||||||
|
else
|
||||||
|
new_resource.lines = "*#{new_resource.table}\n" + new_resource.lines if new_resource.table
|
||||||
|
file "/etc/#{ipt}.d/#{new_resource.name}" do
|
||||||
|
content new_resource.lines
|
||||||
|
mode new_resource.filemode
|
||||||
|
backup false
|
||||||
|
sensitive new_resource.sensitive
|
||||||
|
notifies :run, "execute[rebuild-#{ipt}]", :delayed
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
action :disable do
|
||||||
|
ipt = new_resource.ipv6 ? 'ip6tables' : 'iptables'
|
||||||
|
|
||||||
|
# ensure we have execute[rebuild-iptables] in the outer run_context
|
||||||
|
with_run_context :root do
|
||||||
|
find_resource(:execute, "rebuild-#{ipt}") do
|
||||||
|
command "/usr/sbin/rebuild-#{ipt}"
|
||||||
|
action :nothing
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
file "/etc/#{ipt}.d/#{new_resource.name}" do
|
||||||
|
action :delete
|
||||||
|
backup false
|
||||||
|
sensitive new_resource.sensitive
|
||||||
|
notifies :run, "execute[rebuild-#{ipt}]", :delayed
|
||||||
|
end
|
||||||
|
end
|
53
chef/cookbooks/iptables/resources/rule6.rb
Normal file
53
chef/cookbooks/iptables/resources/rule6.rb
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
#
|
||||||
|
# Author:: Julien 'Lta' BALLET <contact@lta.io>
|
||||||
|
# Cookbook:: iptables
|
||||||
|
# Resource:: rule6
|
||||||
|
#
|
||||||
|
# Copyright:: 2018, Chef Software, Inc.
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
property :source, String
|
||||||
|
property :cookbook, String
|
||||||
|
property :variables, Hash, default: {}
|
||||||
|
property :lines, String
|
||||||
|
property :table, Symbol
|
||||||
|
property :filemode, [String, Integer], default: '0644'
|
||||||
|
|
||||||
|
action :enable do
|
||||||
|
iptables_rule new_resource.name do
|
||||||
|
ipv6 true
|
||||||
|
source new_resource.source
|
||||||
|
cookbook new_resource.cookbook
|
||||||
|
variables new_resource.variables
|
||||||
|
lines new_resource.lines
|
||||||
|
table new_resource.table
|
||||||
|
sensitive new_resource.sensitive
|
||||||
|
filemode new_resource.filemode
|
||||||
|
action :enable
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
action :disable do
|
||||||
|
iptables_rule new_resource.name do
|
||||||
|
ipv6 true
|
||||||
|
source new_resource.source
|
||||||
|
cookbook new_resource.cookbook
|
||||||
|
variables new_resource.variables
|
||||||
|
lines new_resource.lines
|
||||||
|
table new_resource.table
|
||||||
|
sensitive new_resource.sensitive
|
||||||
|
filemode new_resource.filemode
|
||||||
|
action :disable
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,4 @@
|
||||||
|
# This file managed by Chef. Do not hand edit
|
||||||
|
<% @config.each do |k,v| -%>
|
||||||
|
<%= k %>="<%= v %>"
|
||||||
|
<% end -%>
|
|
@ -0,0 +1,3 @@
|
||||||
|
#!/bin/sh
|
||||||
|
<%= @iptables_restore_binary %> < <%= @iptables_save_file %>
|
||||||
|
exit 0
|
139
chef/cookbooks/iptables/templates/default/rebuild-iptables.erb
Normal file
139
chef/cookbooks/iptables/templates/default/rebuild-iptables.erb
Normal file
|
@ -0,0 +1,139 @@
|
||||||
|
#!<%= @hashbang %> -w
|
||||||
|
|
||||||
|
#
|
||||||
|
# rebuild-<%= @ipt %>.rb -- Construct an iptables rules file from fragments.
|
||||||
|
#
|
||||||
|
# Written by Phil Cohen <github@phlippers.net>
|
||||||
|
# Copyright 2011, Phil Cohen
|
||||||
|
#
|
||||||
|
# Constructs an iptables rules file from the prefix, standard, and suffix
|
||||||
|
# files in the iptables configuration area, adding any additional modules
|
||||||
|
# specified in the command line, and prints the resulting iptables rules to
|
||||||
|
# standard output (suitable for saving into /var/lib/iptables or some other
|
||||||
|
# appropriate location on the system).
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# Modules and declarations
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Path to the iptables template area.
|
||||||
|
TEMPLATE_PATH = "/etc/<%= @ipt %>.d"
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# Installation
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
# Read in a file, processing includes as required.
|
||||||
|
def read_iptables(file, table = :filter)
|
||||||
|
file = File.join(TEMPLATE_PATH, file) unless File.dirname(file).include?("<%= @ipt %>.d")
|
||||||
|
rule = File.readlines(file).map{ |line| line.chomp }
|
||||||
|
rule.each do |line|
|
||||||
|
if line =~ /^\s*include\s+(\S+)$/
|
||||||
|
read_iptables($1, table)
|
||||||
|
elsif line =~ /^\s*\*([a-z]+)\s*$/
|
||||||
|
table = $1.to_sym
|
||||||
|
elsif line =~ /^\s*:([-a-zA-Z0-9_]+)(?:\s+([A-Z]+(?:\s*\[.*?\])))?$/
|
||||||
|
@data[table][:chains][$1] = $2 || '-'
|
||||||
|
elsif line !~ /^\s*COMMIT\s*$/
|
||||||
|
#detect new chains
|
||||||
|
if chain = line.match(/\-[ADRILFZN]\s+([-a-zA-Z0-9_]+)\s/)
|
||||||
|
@data[table][:chains][chain[1]] ||= '-'
|
||||||
|
end
|
||||||
|
@data[table][:rules].push line
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
# Write a file carefully.
|
||||||
|
def write_iptables(file, data)
|
||||||
|
File.open("#{file}.new", "w") { |f| f.write(data) }
|
||||||
|
File.rename("#{file}.new", file)
|
||||||
|
end
|
||||||
|
|
||||||
|
# Install iptables on a Red Hat or Debian system. Takes the new iptables data.
|
||||||
|
def install_rules(data)
|
||||||
|
Dir.mkdir('/etc/<%= @ipt %>') unless File.directory?('/etc/<%= @ipt %>')
|
||||||
|
write_iptables("<%= @persisted_file %>", data)
|
||||||
|
return false unless system("/sbin/<%= @ipt %>-restore < <%= @persisted_file %>")
|
||||||
|
true
|
||||||
|
end
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# Main routine
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
@data = {
|
||||||
|
:filter => {
|
||||||
|
:chains => {
|
||||||
|
'INPUT' => 'ACCEPT [0,0]',
|
||||||
|
'FORWARD' => 'ACCEPT [0,0]',
|
||||||
|
'OUTPUT' => 'ACCEPT [0,0]'
|
||||||
|
},
|
||||||
|
:rules => []
|
||||||
|
},
|
||||||
|
:mangle => {
|
||||||
|
:chains => {
|
||||||
|
'PREROUTING' => 'ACCEPT [0,0]',
|
||||||
|
'INPUT' => 'ACCEPT [0,0]',
|
||||||
|
'FORWARD' => 'ACCEPT [0,0]',
|
||||||
|
'OUTPUT' => 'ACCEPT [0,0]',
|
||||||
|
'POSTROUTING' => 'ACCEPT [0,0]'
|
||||||
|
},
|
||||||
|
:rules => []
|
||||||
|
},
|
||||||
|
:nat => {
|
||||||
|
:chains => {
|
||||||
|
'PREROUTING' => 'ACCEPT [0,0]',
|
||||||
|
'POSTROUTING' => 'ACCEPT [0,0]',
|
||||||
|
'OUTPUT' => 'ACCEPT [0,0]'
|
||||||
|
},
|
||||||
|
:rules => [],
|
||||||
|
},
|
||||||
|
:raw => {
|
||||||
|
:chains => {
|
||||||
|
'PREROUTING' => 'ACCEPT [0,0]',
|
||||||
|
'OUTPUT' => 'ACCEPT [0,0]'
|
||||||
|
},
|
||||||
|
:rules => [],
|
||||||
|
},
|
||||||
|
:security => {
|
||||||
|
:chains => {
|
||||||
|
'INPUT' => 'ACCEPT [0,0]',
|
||||||
|
'FORWARD' => 'ACCEPT [0,0]',
|
||||||
|
'OUTPUT' => 'ACCEPT [0,0]'
|
||||||
|
},
|
||||||
|
:rules => []
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
templates = Dir["#{TEMPLATE_PATH}/*"].sort.delete_if do |template|
|
||||||
|
%w[prefix suffix postfix].include?(File.basename(template))
|
||||||
|
end
|
||||||
|
|
||||||
|
templates.unshift 'prefix' if File.exist? "#{TEMPLATE_PATH}/prefix"
|
||||||
|
templates.push 'suffix' if File.exist? "#{TEMPLATE_PATH}/suffix"
|
||||||
|
templates.push 'postfix' if File.exist? "#{TEMPLATE_PATH}/postfix"
|
||||||
|
|
||||||
|
templates.each { |template| read_iptables(template) }
|
||||||
|
|
||||||
|
iptables_rules = ""
|
||||||
|
@data.each do |table, table_data|
|
||||||
|
if table_data[:rules].any?
|
||||||
|
iptables_rules << "*#{table.to_s}\n"
|
||||||
|
table_data[:chains].each do |chain, rule|
|
||||||
|
iptables_rules << ":#{chain} #{rule}\n"
|
||||||
|
end
|
||||||
|
iptables_rules << table_data[:rules].join("\n")
|
||||||
|
iptables_rules << "\nCOMMIT\n"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
system_files = %w(/etc/debian_version /etc/redhat-release /etc/system-release)
|
||||||
|
if system_files.any? { |file| File.exist?(file) }
|
||||||
|
success = install_rules(iptables_rules)
|
||||||
|
raise "#{$0}: failed to install iptables rules" unless success
|
||||||
|
else
|
||||||
|
raise "#{$0}: cannot figure out whether this is Red Hat or Debian\n";
|
||||||
|
end
|
||||||
|
|
||||||
|
exit 0
|
|
@ -8,15 +8,3 @@ default[:metasploitable][:docker_users] = ['boba_fett',
|
||||||
'chewbacca',]
|
'chewbacca',]
|
||||||
|
|
||||||
default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
|
default[:metasploitable][:files_path] = '/vagrant/chef/cookbooks/metasploitable/files/'
|
||||||
|
|
||||||
default[:metasploitable][:ports] = { :cups => 631,
|
|
||||||
:apache => 80,
|
|
||||||
:unrealircd => 6697,
|
|
||||||
:proftpd => 21,
|
|
||||||
:mysql => 3306,
|
|
||||||
:chatbot_ui => 80,
|
|
||||||
:chatbot_nodejs => 3000,
|
|
||||||
:readme_app => 3500,
|
|
||||||
:sinatra => 8181,
|
|
||||||
:samba => 445
|
|
||||||
}
|
|
||||||
|
|
|
@ -21,3 +21,4 @@ version '0.1.0'
|
||||||
depends 'apt', '~> 7.2'
|
depends 'apt', '~> 7.2'
|
||||||
depends 'docker', '~> 4.9'
|
depends 'docker', '~> 4.9'
|
||||||
depends 'mysql', '~> 8.3'
|
depends 'mysql', '~> 8.3'
|
||||||
|
depends 'iptables', '~> 4.5'
|
|
@ -4,6 +4,12 @@
|
||||||
#
|
#
|
||||||
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
||||||
|
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_apache' do
|
||||||
|
lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
package 'apache2' do
|
package 'apache2' do
|
||||||
action :install
|
action :install
|
||||||
end
|
end
|
||||||
|
|
|
@ -8,6 +8,15 @@
|
||||||
|
|
||||||
include_recipe 'metasploitable::ruby23'
|
include_recipe 'metasploitable::ruby23'
|
||||||
include_recipe 'metasploitable::nodejs'
|
include_recipe 'metasploitable::nodejs'
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_chatbot_ui' do
|
||||||
|
lines "-A INPUT -p tcp --dport 80 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
|
iptables_rule '1_chatbot_nodejs' do
|
||||||
|
lines "-A INPUT -p tcp --dport 3000 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
package 'unzip'
|
package 'unzip'
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,8 @@
|
||||||
#
|
#
|
||||||
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
||||||
|
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
package 'cups' do
|
package 'cups' do
|
||||||
action :install
|
action :install
|
||||||
end
|
end
|
||||||
|
@ -13,6 +15,10 @@ cookbook_file '/etc/cups/cupsd.conf' do
|
||||||
mode '0644'
|
mode '0644'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
iptables_rule '1_cups' do
|
||||||
|
lines "-A INPUT -p tcp --dport 631 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
service 'cups' do
|
service 'cups' do
|
||||||
action [:enable, :restart]
|
action [:enable, :restart]
|
||||||
end
|
end
|
||||||
|
|
|
@ -4,23 +4,19 @@
|
||||||
#
|
#
|
||||||
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
||||||
|
|
||||||
bash 'setup for knockd, used for flag' do
|
include_recipe 'iptables::default'
|
||||||
code_to_execute = ""
|
|
||||||
code_to_execute << "iptables -A FORWARD 1 -p tcp -m tcp --dport 8989 -j DROP\n"
|
iptables_rule '00_established' do
|
||||||
code_to_execute << "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"
|
lines '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
|
||||||
node[:metasploitable][:ports].keys.each do |service|
|
|
||||||
code_to_execute << "iptables -A INPUT -p tcp --dport #{node[:metasploitable][:ports][service.to_sym]} -j ACCEPT\n"
|
|
||||||
end
|
|
||||||
code_to_execute << "iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n"
|
|
||||||
code_to_execute << "iptables -A INPUT -j DROP\n"
|
|
||||||
code code_to_execute
|
|
||||||
end
|
end
|
||||||
|
|
||||||
package 'iptables-persistent' do
|
iptables_rule '01_ssh' do
|
||||||
action :install
|
lines "-A INPUT -p tcp --dport 22 -j ACCEPT"
|
||||||
end
|
end
|
||||||
|
|
||||||
service 'iptables-persistent' do
|
iptables_rule '999_drop_all' do
|
||||||
action [:enable, :start]
|
lines '-A INPUT -j DROP'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,10 @@ execute 'remove_carriage_returns' do
|
||||||
command "sed -i -e 's/\r//g' /etc/default/knockd"
|
command "sed -i -e 's/\r//g' /etc/default/knockd"
|
||||||
end
|
end
|
||||||
|
|
||||||
|
iptables_rule '1_knockd' do
|
||||||
|
lines "-I FORWARD 1 -p tcp -m tcp --dport #{node[:flags][:five_of_diamonds][:vuln_port]} -j DROP"
|
||||||
|
end
|
||||||
|
|
||||||
service 'knockd' do
|
service 'knockd' do
|
||||||
action [:enable, :start]
|
action [:enable, :start]
|
||||||
end
|
end
|
||||||
|
|
|
@ -4,6 +4,12 @@
|
||||||
#
|
#
|
||||||
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
||||||
|
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_mysql' do
|
||||||
|
lines "-A INPUT -p tcp --dport 3306 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
mysql_service 'default' do
|
mysql_service 'default' do
|
||||||
initial_root_password "#{node[:mysql][:root_password]}"
|
initial_root_password "#{node[:mysql][:root_password]}"
|
||||||
bind_address '0.0.0.0'
|
bind_address '0.0.0.0'
|
||||||
|
|
|
@ -6,6 +6,12 @@
|
||||||
|
|
||||||
# Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224
|
# Install steps taken from https://github.com/rapid7/metasploit-framework/pull/5224
|
||||||
|
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_proftpd' do
|
||||||
|
lines "-A INPUT -p tcp --dport 21 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
include_recipe 'metasploitable::apache'
|
include_recipe 'metasploitable::apache'
|
||||||
|
|
||||||
proftpd_tar = 'proftpd-1.3.5.tar.gz'
|
proftpd_tar = 'proftpd-1.3.5.tar.gz'
|
||||||
|
|
|
@ -8,6 +8,13 @@
|
||||||
|
|
||||||
include_recipe 'metasploitable::ruby23'
|
include_recipe 'metasploitable::ruby23'
|
||||||
include_recipe 'metasploitable::nodejs'
|
include_recipe 'metasploitable::nodejs'
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
recipe_port = 3500
|
||||||
|
|
||||||
|
iptables_rule '1_readme_app' do
|
||||||
|
lines "-A INPUT -p tcp --dport #{recipe_port} -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
package 'git'
|
package 'git'
|
||||||
|
|
||||||
|
@ -23,6 +30,7 @@ directory '/opt/readme_app' do
|
||||||
end
|
end
|
||||||
|
|
||||||
template '/opt/readme_app/start.sh' do
|
template '/opt/readme_app/start.sh' do
|
||||||
|
variables( readme_app_port: recipe_port )
|
||||||
source 'readme_app/start.sh.erb'
|
source 'readme_app/start.sh.erb'
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -5,6 +5,11 @@
|
||||||
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
# Copyright:: 2017, Rapid7, All Rights Reserved.
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_samba' do
|
||||||
|
lines "-A INPUT -p tcp --dport 445 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
package 'samba'
|
package 'samba'
|
||||||
|
|
||||||
|
|
|
@ -8,6 +8,11 @@
|
||||||
|
|
||||||
include_recipe 'metasploitable::sinatra'
|
include_recipe 'metasploitable::sinatra'
|
||||||
include_recipe 'metasploitable::ruby23'
|
include_recipe 'metasploitable::ruby23'
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_sinatra' do
|
||||||
|
lines "-A INPUT -p tcp --dport 8181 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
server_path = node['ec2'] ? 'aws' : 'virtualbox'
|
server_path = node['ec2'] ? 'aws' : 'virtualbox'
|
||||||
|
|
||||||
|
|
|
@ -7,6 +7,12 @@
|
||||||
# Downloaded from https://www.exploit-db.com/exploits/13853/
|
# Downloaded from https://www.exploit-db.com/exploits/13853/
|
||||||
# Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux
|
# Install steps taken from https://wiki.swiftirc.net/wiki/Installing_and_Configuring_UnrealIRCd_on_Linux
|
||||||
|
|
||||||
|
include_recipe 'iptables::default'
|
||||||
|
|
||||||
|
iptables_rule '1_unrealircd' do
|
||||||
|
lines "-A INPUT -p tcp --dport 6697 -j ACCEPT"
|
||||||
|
end
|
||||||
|
|
||||||
unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz'
|
unreal_tar = 'Unreal3.2.8.1_backdoor.tar.gz'
|
||||||
|
|
||||||
remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do
|
remote_file "#{Chef::Config[:file_cache_path]}/#{unreal_tar}" do
|
||||||
|
|
|
@ -2,4 +2,4 @@
|
||||||
|
|
||||||
cd /opt/readme_app
|
cd /opt/readme_app
|
||||||
bundle install --path vendor/bundle
|
bundle install --path vendor/bundle
|
||||||
bundle exec rails s -b 0.0.0.0 -p <%= node[:metasploitable][:ports][:readme_app] %>
|
bundle exec rails s -b 0.0.0.0 -p <%= @readme_app_port %>
|
||||||
|
|
1
chef/dev/ub1404/Vagrantfile
vendored
1
chef/dev/ub1404/Vagrantfile
vendored
|
@ -19,6 +19,7 @@ Vagrant.configure("2") do |config|
|
||||||
chef.cookbooks_path = [ '../../cookbooks' ]
|
chef.cookbooks_path = [ '../../cookbooks' ]
|
||||||
|
|
||||||
chef.add_recipe "apt::default"
|
chef.add_recipe "apt::default"
|
||||||
|
chef.add_recipe "iptables::default"
|
||||||
chef.add_recipe "metasploitable::users"
|
chef.add_recipe "metasploitable::users"
|
||||||
chef.add_recipe "metasploitable::mysql"
|
chef.add_recipe "metasploitable::mysql"
|
||||||
chef.add_recipe "metasploitable::apache_continuum"
|
chef.add_recipe "metasploitable::apache_continuum"
|
||||||
|
|
Loading…
Reference in New Issue
Block a user