====================
Puppet iptables type
====================

This is a simple wrapper around the "iptables" command used on Linux. It is
meant to be used to define half a dozen rules on the host running puppet. For
more serious needs, you might want to have a look at this `shorewall module`_
for puppet.

.. _`shorewall module`: http://github.com/camptocamp/puppet-shorewall/tree

Introduction
------------

The way it works differs slightly from the usual puppet resource types.

The state of a firewall can be seen as the sum of all the rules that compose it
and the order in which they appear. We could define a firewall as one unique
puppet resource, but this doesn't offer much flexibility. It's much more
convenient to define each iptables rule as a separate resource. But then,
ensuring they always get called in the same exact order can be difficult,
especially once they are dispatched in different classes, definitions, and so
on.

Furthermore, it can be tricky to handle only part of the firewall rules using
puppet, and let something/someone else do the rest.

So the idea is to have the "iptables type":

* find the current state of the firewall by parsing the output of
  "iptables-save"
* collect every "iptables resource" found in the manifests
* sort them (currently using the resource name)
* purge any rule it doesn't know about
* run the commands to insert the rules in the right order.

Usage
-----

Example::

  iptables { "001 allow icmp":
    proto => "icmp",
    icmp  => "any",
    jump  => "ACCEPT",
  }
  iptables { "another iptables rule":
    proto       => "tcp",
    dport       => "80",
    source      => "192.168.0.0/16",
    destination => "192.168.1.11/32",
    jump        => "ACCEPT",
  }
  iptables { "my iptables rule":
    proto => "tcp",
    dport => "80",
    jump  => "DROP",
  }

  file { "/etc/puppet/iptables/pre.iptables":
    content => "-A INPUT -s 10.0.0.1 -p tcp -m tcp --dport 22 -j ACCEPT",
    mode    => 0600,
  }
  file { "/etc/puppet/iptables/post.iptables":
    content => "-A INPUT -j REJECT --reject-with icmp-port-unreachable",
    mode    => 0600,
  }

This will run the following commands, in this exact order::

  iptables -t filter -D INPUT ...whatever is returned by iptables-save and doesn't match puppet resources...
  iptables -t filter -A INPUT -s 10.0.0.1 -p tcp -m tcp --dport 22 -j ACCEPT
  iptables -t filter -A INPUT -i lo -j ACCEPT
  iptables -t filter -A INPUT -s 192.168.0.0/16 -d 192.168.1.11/32 -p tcp --dport 80 -j ACCEPT
  iptables -t filter -A INPUT -p tcp --dport 80 -j DROP
  iptables -t filter -A INPUT -j REJECT --reject-with icmp-port-unreachable

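The five steps from the Introduction, applied to the manifest above, as an added Ruby example that is not the module's own code (the real type lives in lib/puppet/type/iptables.rb). It assumes the filter table and the INPUT chain, a constructed iptables-save snapshot, and that rule specs are compared as plain strings in the canonical form iptables-save prints; the in-sync shortcut is this example's own addition.

```ruby
# Constructed iptables-save output (not captured from a real host): one rule the
# manifest knows about and one it does not.
SAVED = <<~SAVE
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT -s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
  -A INPUT -p tcp --dport 8080 -j ACCEPT
  COMMIT
SAVE

# The README's manifest, reduced to resource name => iptables rule spec
# (table "filter", chain INPUT assumed throughout).
DESIRED = {
  "001 allow icmp"        => "-p icmp --icmp-type any -j ACCEPT",
  "another iptables rule" => "-s 192.168.0.0/16 -d 192.168.1.11/32 -p tcp --dport 80 -j ACCEPT",
  "my iptables rule"      => "-p tcp --dport 80 -j DROP",
}
PRE  = ["-s 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT"]   # pre.iptables
POST = ["-j REJECT --reject-with icmp-port-unreachable"]       # post.iptables

# Step 1: current state, taken from the "-A <chain> ..." lines of one table.
def current_rules(save_output, table: "filter", chain: "INPUT")
  in_table = false
  save_output.each_line.with_object([]) do |line, rules|
    line = line.strip
    in_table = (line == "*#{table}") if line.start_with?("*")
    rules << line.sub("-A #{chain} ", "") if in_table && line.start_with?("-A #{chain} ")
  end
end

# Steps 2-5: sort resources by name, purge unknown rules, then append the managed
# rules in order. Specs are compared as strings, so they must already be in the
# canonical form iptables-save prints (e.g. "10.0.0.1/32", not "10.0.0.1").
def plan(save_output, desired, pre: [], post: [], table: "filter", chain: "INPUT")
  wanted   = pre + desired.keys.sort.map { |name| desired[name] } + post
  existing = current_rules(save_output, table: table, chain: chain)
  unknown  = existing.reject { |rule| wanted.include?(rule) }
  cmds     = unknown.map { |rule| "iptables -t #{table} -D #{chain} #{rule}" }
  kept     = existing - unknown
  return cmds if kept == wanted   # managed rules already present and in order
  # Re-create the managed part so the chain ends up exactly in `wanted` order.
  kept.each   { |rule| cmds << "iptables -t #{table} -D #{chain} #{rule}" }
  wanted.each { |rule| cmds << "iptables -t #{table} -A #{chain} #{rule}" }
  cmds
end

puts plan(SAVED, DESIRED, pre: PRE, post: POST) if __FILE__ == $0
```

Running it prints the delete for the unmanaged port-8080 rule first, then the managed rules appended in pre, sorted-name, post order.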
Reference
---------

Have a look at lib/puppet/type/iptables.rb for the complete list of
parameters.

Installation
------------

If you are using standard path locations, then just clone this git repository in your $modulepath on the puppetmaster, for example::

  cd /etc/puppet/modules
  git clone git://github.com/bobsh/puppet-iptables.git iptables

Also ensure you have the following in your puppet.conf on the client and master side::

  [agent]
  pluginsync=true
