public
Description: Iptables setup and configuration through your Moonshine manifest
Homepage:
Clone URL: git://github.com/railsmachine/moonshine_iptables.git
name age message
file README.rdoc Fri May 01 08:56:36 -0700 2009 updating docs [roblingle]
directory lib/ Fri May 15 13:53:34 -0700 2009 closes #1. default DROP for FORWARD chain. [roblingle]
directory moonshine/ Tue Apr 28 08:14:24 -0700 2009 initial commit [roblingle]
directory spec/ Fri May 01 08:56:26 -0700 2009 simpler shadow_puppet tests [roblingle]
README.rdoc

Moonshine_Iptables

A plugin for Moonshine

This plugin installs and configues iptables for your server. Just include the plugin and recipe, deploy, and you’ll have a nice secure system. By default, the firewall will:

  - Allow inbound ESTABLISHED and RELATED traffic
  - Allow inbound icmp, smtp, ssh, http, https
  - Allow inbound connections to unprivileged ports in the 8000-10000 range
  - Allow outbound connections to anywhere
  - Block everything else

Instructions

  • script/plugin install git://github.com/railsmachine/moonshine_iptables.git
  • To customize rules, use the configure method, passing the entire ruleset.
      configure (:iptables => { :rules => [
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT',
        '-A INPUT -p icmp -j ACCEPT',
        '-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT',  # <-- Custom: Allowing DNS
        '-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT',
        '-A INPUT -s 127.0.0.1 -j ACCEPT',
        '-A INPUT -p tcp -m tcp --dport 8000:10000 -j ACCEPT',
        '-A INPUT -p udp -m udp --dport 8000:10000 -j ACCEPT'
      ]}}
    
  • Include the plugin and recipe in your Moonshine manifest.
      plugin :iptables
      recipe :iptables