awsfirewall

A module to set up a basic firewall on an AWS instance

RailsDog LLC

railsdog

8,659 downloads

8,659 latest version

3.2 quality score

Version information

  • 0.0.1 (latest)
released Dec 16th 2014

Start using this module

Documentation

railsdog/awsfirewall — version 0.0.1 Dec 16th 2014

#awsfirewall

##Usage

Place the following into your site.pp or top-level manifest

Firewall {
  before  => Class['awsfirewall::post'],
  require => Class['awsfirewall::pre'],
}

class { ['awsfirewall::pre', 'awsfirewall::post']: }

The following rules are set up with this module in the following order:

  • filter chain allowing all input, forward and output connections
  • accept related and established traffic
  • accept traffic to localhost interface
  • accept all icmp traffic
  • accept new ssh connections
  • deny all other input traffic
  • deny all other forward traffic

The exact rules are

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:172]
-A INPUT -m comment --comment "000 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -p icmp -m comment --comment "002 accept all icmp" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept ssh" -m state --state NEW -j ACCEPT
-A INPUT -m comment --comment "900 drop all" -j DROP
-A FORWARD -m comment --comment "900 drop forward" -j DROP
COMMIT

Additional firewall rules can be added anywhere in your manifests as described in the puppetlabs-firewall README.md