Hello all,

I'm trying to implement iptables management via puppet. My goal is to have a 
set of default rules that get inherited by every node and then a set of modules 
defining services, where each service definition brings its own additional 
iptables rules and they should be properly merged together.

But I'm stuck at the first steps of implementing the firewall module. As I 
understand the documentation, the number in the name of the rule is used to 
properly order the rules in the iptables table. However, this is not what I 
observe.

Consider the following rules:

class iptables {
    # Keep the iptables service enabled and restart it whenever the saved
    # ruleset file changes.
    service { 'iptables':
        enable    => true,
        subscribe => File['/etc/sysconfig/iptables'],
    }
    # Rule names carry a numeric prefix; the intent is that this number
    # determines the rule's position within its chain.
    firewall { '000 allow lo in':
        iniface => 'lo',
        action  => accept,
    }
    firewall { '002 allow packets with valid state':
        state   => ['RELATED', 'ESTABLISHED'],
        iniface => 'eth0',
        action  => accept,
    }
    firewall { '032 allow icmp on eth0':
        proto   => 'icmp',
        iniface => 'eth0',
        action  => accept,
    }
    firewall { '100 allow ssh':
        destination => $ipaddress_eth0,
        proto       => 'tcp',
        dport       => '22',
        state       => 'NEW',
        action      => accept,
        ensure      => 'present',
    }
    firewall { '100 allow nrpe':
        destination => $ipaddress_eth0,
        proto       => 'tcp',
        dport       => '5666',
        state       => 'NEW',
        action      => accept,
    }
    firewall { '100 allow snmp':
        destination => $ipaddress_eth0,
        proto       => 'udp',
        dport       => '161',
        action      => accept,
    }
    # Catch-all rules: everything not explicitly accepted above is rejected
    # on INPUT (default chain) and on FORWARD.
    firewall { '999 reject everything else':
        action => reject,
        reject => 'icmp-admin-prohibited',
    }
    firewall { '999 reject everything else on forward':
        chain  => 'FORWARD',
        action => reject,
        reject => 'icmp-admin-prohibited',
    }
    # Remove any rule on the node that is not declared in this catalog.
    resources { 'firewall':
        purge => true,
    }
    # Write the live ruleset to /etc/sysconfig/iptables after any rule changes.
    exec { 'persist-firewall':
        command     => '/sbin/service iptables save',
        refreshonly => true,
    }
    Firewall {
        notify => Exec['persist-firewall'],
    }
}

When I run puppetd -t on a node, I get something like this in the iptables -nL 
output (cut to just the comment field):

Chain INPUT (policy ACCEPT)
/* 100 allow snmp */
/* 100 allow ssh */ state NEW
/* 032 allow icmp on eth0 */
/* 002 allow packets with valid state */ 
/* 999 reject everything else */ 
/* 000 allow lo in */
/* 100 allow nrpe */ state NEW

Chain FORWARD (policy ACCEPT)
/* 999 reject everything else on forward */ reject-with icmp-admin-prohibited

The order of the rules appears random; sometimes the reject-everything rule is 
applied first and I lose connection to the server.

My observation is that either the number in the rule name has no meaning or I'm 
doing something wrong. Since I'm relatively new to Puppet (but was working 
with cfengine 7-8 years ago), I'm asking this group for suggestions before I 
file a bug report.

Env is Puppet 2.6.12, CentOS 5.7 on the server, CentOS 6.2 on the client.

-- 

Jure Pečar
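The lock-out described in the post (the '999 reject' rule landing in the chain before the accept rules) is the failure mode that the pre/post pattern from the puppetlabs-firewall module's documentation is designed to prevent: rather than relying on the numeric prefix alone, the baseline accept rules and the final reject rules are placed in two classes, and every other Firewall resource in the catalog is chained explicitly between them with resource defaults. The manifest below is an added example, not the original poster's code and not the module's own; it reuses the rule names and the $ipaddress_eth0 fact from the post, while the class names my_fw::pre and my_fw::post are my own choice, and whether the undef overrides behave identically on Puppet 2.6.12 is an assumption.

```puppet
# Added example: explicit ordering of firewall resources using a pre/post
# split in addition to the numeric name prefix. Class names are assumptions.

class my_fw::pre {
  # Rules in this class must not depend on the class itself (that would be a
  # dependency cycle), so clear the class-wide 'require' set at top scope.
  Firewall {
    require => undef,
  }

  firewall { '000 allow lo in':
    iniface => 'lo',
    action  => accept,
  }
  firewall { '002 allow packets with valid state':
    state   => ['RELATED', 'ESTABLISHED'],
    iniface => 'eth0',
    action  => accept,
  }
  firewall { '032 allow icmp on eth0':
    proto   => 'icmp',
    iniface => 'eth0',
    action  => accept,
  }
  # Keeping the SSH rule in the pre class guarantees it is applied before any
  # reject rule, so a catalog run cannot cut off the management connection.
  firewall { '100 allow ssh':
    destination => $ipaddress_eth0,
    proto       => 'tcp',
    dport       => '22',
    state       => 'NEW',
    action      => accept,
  }
}

class my_fw::post {
  # The catch-all rules go last; 'before => undef' clears the class-wide
  # 'before' default so these rules are not ordered before their own class.
  firewall { '999 reject everything else':
    action => reject,
    reject => 'icmp-admin-prohibited',
    before => undef,
  }
  firewall { '999 reject everything else on forward':
    chain  => 'FORWARD',
    action => reject,
    reject => 'icmp-admin-prohibited',
    before => undef,
  }
}

# Every firewall resource declared anywhere in the catalog (for example a
# service module adding '100 allow nrpe' or '100 allow snmp') is applied
# after the pre class and before the post class, whatever order Puppet would
# otherwise choose for it.
Firewall {
  require => Class['my_fw::pre'],
  before  => Class['my_fw::post'],
}

class { ['my_fw::pre', 'my_fw::post']: }

# Purge rules that are present on the node but not declared in the catalog.
resources { 'firewall':
  purge => true,
}
```

The service resource and the persist-firewall exec from the post can stay as they are alongside this. The two undef overrides are the important detail: the top-scope Firewall defaults apply to the resources inside my_fw::pre and my_fw::post as well, so without them the pre rules would require the class that contains them and the post rules would have to come before their own class, and Puppet would report a dependency cycle instead of applying the rules.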
