From 26284900eec80f83289e27cc10de37aa901e097a Mon Sep 17 00:00:00 2001
From: Aleksey Tsalolikhin <aleksey.tsalolikhin@gmail.com>
Date: Fri, 3 Dec 2010 19:16:57 -0500
Subject: [PATCH] adding to git

---
 ...ptables__allow_ntp_from_backend_servers.cf | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100755 files__iptables__allow_ntp_from_backend_servers.cf

diff --git a/files__iptables__allow_ntp_from_backend_servers.cf b/files__iptables__allow_ntp_from_backend_servers.cf
new file mode 100755
index 0000000..e689062
--- /dev/null
+++ b/files__iptables__allow_ntp_from_backend_servers.cf
@@ -0,0 +1,59 @@
+#!/var/cfengine/bin/cf-agent -f
+
+# Author: Aleksey Tsalolikhin <aleksey.tsalolikhin@verticalsysadmin.com>
+# Date: 3 Dec 2010
+# Based on material by Mark Burgess.
+#
+# Purpose: Make sure my Linux host firewall is configured to allow
+# NTP (UDP port 123) packets from backend servers on an internal
+# network (192.168.1.1/24 in this example).
+#
+# This could be useful for a multi-tier Web app that does not have a
+# time source on the private network.
+#
+# Diagram:
+#
+# Web server in the DMZ (gets time from public NTP servers)
+#     |
+# Database server on a private network (gets time from Web server)
+#
+#
+#
+# Comments welcome!
+#--Aleksey
+
+
+body common control
+{
+bundlesequence  => { "files__iptables__allow_ntp_from_backend_servers" };
+}
+
+
+bundle agent files__iptables__allow_ntp_from_backend_servers
+{
+files:
+  redhat::  # tested on RHEL only, file location may vary based on Linux distro or OS
+      "/etc/sysconfig/iptables"
+       edit_line => insert_NTP_allow_rule_before_the_drop_rule,
+       comment => "insert NTP allow rule into /etc/sysconfig/iptables before the drop rule to allow time service to the back end";
+}
+
+
+  bundle edit_line insert_NTP_allow_rule_before_the_drop_rule
+  {
+    vars:
+        "ntp_rule" string => "-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -s 192.168.1.1/24 -j ACCEPT -m comment --comment \"allow connections from backend servers for time service\""; # this is the text we'll want to insert into /etc/sysconfig/iptables to allow NTP from the backend
+
+
+  insert_lines: "$(ntp_rule)",
+        location => before_the_drop_rule;
+  }
+
+        body location before_the_drop_rule
+
+        {
+        before_after => "before";
+        first_last => "first";
+        select_line_matching => "^-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited.*";
+        }
+