Shared Iptables Blacklist with Puppet
Modified on 2011-02-10 by Yannick Vaucher
Created on 2011-02-08 by Yannick Vaucher
1 Introduction
In this document, is explained how we use puppet to share an iptables Blacklist. The aim is to be able to add an IP in that list and it will be automatically sent to all registered servers.
In order to protect us against some cyber attacks (sip frauds, sip or ssh brute force, etc) one thing to build is to deny access to intruders identified by their IP address.
2 Blacklist
The principle of making a list of bad IP that we want to deny is called Blacklist.
By sending the blacklist to our servers the firewalls can do their job.
2.1 Firewall - Iptables
On Unix systems, it is possible to set a firewall using iptables. By simple rules, it permits to allow or deny some to any kind of access on a server.
3 Puppet
This is a configuration manager that we use here to share our blacklist on all our servers.
To know more about puppet you can follow this link: Introduction on Puppet
3.1 Schema
Here is a little schema to describe the process.
1) A list of IP addresses from unwanted hosts is defined on the puppet master server.
2) Each X time puppet client that are registered to the puppet master will ask if anything changed.
3) In case the blacklist was modified, the server gets the new blacklist. And will automatically update its firewall.
4) From now, the malicious host is blocked on all servers.
4 Puppet module iptables
4.1 Version 001
This little module is composed with 2 files: manifest/init.pp and files/blacklist.rules.
4.1.1 init.pp
What is needed for our blacklist to work is:
# /modules/iptables/init.pp
#
# Written on 110207 by yannick.vaucher@switzernet.com
#
# This module is intended for debian only
#
# Copyright (c) Switzernet
#
class iptables {
package{ "iptables":
ensure => installed
}
file { "/etc/init.d/blacklist.rules":
owner => "root",
group => "root",
mode => 750,
source => "puppet:///iptables/blacklist.rules",
require => Package["iptables"],
notify => Exec["update iptables"]
}
exec { "update iptables":
refreshonly => true,
command => "sh /etc/init.d/blacklist.rules",
}
}
Iptables is restarted only if the file blacklist.rules is modified.
4.1.2 blacklist.rules
This file is the script that will update the firewall. It also include the list of ip to block.
#!/bin/bash
# Flush iptables
/sbin/iptables -F
# Blalisted IPs
# To add an IP add
# /sbin/iptables -A INPUT -s <ip_to_blacklist> -j DROP
/sbin/iptables -A INPUT -s 74.63.232.197 -j DROP
/sbin/iptables -A INPUT -s 91.206.226.210 -j DROP
/sbin/iptables -A INPUT -s 99.133.130.158 -j DROP
/sbin/iptables -A INPUT -s 188.165.227.176 -j DROP
exit 0
|
Version |
iptables v 001 |
|
File |
|
|
Size |
1290 B |
|
MD5 |
f9089acb36d0551414c1de41dd1d421a |
4.2 Version 002
In this version, the script file blacklist.rules has been splited in 2 separate files:
The script file: firewall.rules
#!/bin/bash
# Delete existing rules
/sbin/iptables -F
/sbin/iptables -X
# Drop all blacklisted IPs
cat /root/files/black.lst | while read ip ; do
# Strip comments, if any.
ip=$(echo $ip | sed "s/#.*//g")
# If non-blank
if [ "x$ip" != "x" ]; then
/sbin/iptables -A INPUT -s $ip -j DROP
fi
done
exit 0
The IP list file: black.lst
# List of Blacklisted IPs
# Thoses IPs are not allowed to access any service of our SIP servers
74.63.232.197 # SIP brute force on astrad7 100201 21:39
91.206.226.210 # SIP brute force on astrad7 100204 08:25
99.133.130.158 # SIP brute force on astrad8 100203 19:20
188.165.227.176 # SIP brute force on astrad 100204 03:42
This implies as well some changes in init.pp to ensure those files are present on the puppet client.
# /modules/iptables/init.pp
#
# Written on 110207 by yannick.vaucher@switzernet.com
#
# This module is intended for debian only
#
# Copyright (c) Switzernet
#
class iptables {
package{ "iptables":
ensure => installed
}
file {"/root/files":
ensure => directory;
"/root/files/black.lst":
owner => "root",
group => "root",
mode => 750,
source => "puppet:///iptables/black.lst",
require => [Package["iptables"],File["/root/files"]],
notify => Exec["update iptables"];
"/etc/init.d/firewall.rules":
owner => "root",
group => "root",
mode => 750,
source => "puppet:///iptables/firewall.rules"
}
exec { "update iptables":
refreshonly => true,
command => "sh /etc/init.d/firewall.rules",
require => [File["/etc/init.d/firewall.rules"], File["/root/files/black.lst"]]
}
}
|
Version |
iptables v 002 |
|
File |
|
|
Size |
1756 B |
|
MD5 |
19abd0a025fdd879d4eb77796032a53d |
5 References
Introduction on Puppet
http://switzernet.com/3/public/110127-puppet-introduction/
puppet iptables module
http://missadmin.blogspot.com/2009/08/puppet-iptables-module.html
bobsh / puppet-iptables
https://github.com/bobsh/puppet-iptables
IPTables Module & Alternative
http://projects.puppetlabs.com/projects/puppet/wiki/Module_Iptables_Patterns
Blacklister une IP avec iptables
http://www.benjaminbaudouin.com/blacklister-une-ip-avec-iptables/
HOWTO: Building IPTables rules
http://wiki.vpslink.com/HOWTO:_Building_IPTables_rules
IPTablesHowTo
https://help.ubuntu.com/community/IptablesHowTo
How do I save iptables rules or settings?
http://www.cyberciti.biz/faq/how-do-i-save-iptables-rules-or-settings/