Your iptables rules are wrong; that is why you lose the SSH connection. I'd look into those before worrying about Puppet.
On Wed, Dec 28, 2011 at 3:02 AM, Jure Pečar <[email protected]> wrote:
> On Tue, 27 Dec 2011 04:32:03 -0800 (PST)
> bel <[email protected]> wrote:
>
> > You could use stages as described in the documentation:
> >
> > http://forge.puppetlabs.com/puppetlabs/firewall
>
> Now I've implemented stages and indeed the output of puppet agent makes me
> think they are in place:
>
> notice: /Firewall[002 allow icmp on eth0]/ensure: created
> notice: /Firewall[001 allow packets with valid state]/ensure: created
> notice: /Firewall[000 allow lo in]/ensure: created
> notice: /Firewall[003 allow ssh]/ensure: created
> notice: /File[/etc/sysconfig/iptables]/ensure: created
> notice: /Firewall[100 allow nrpe]/ensure: created
> notice: /Firewall[100 allow snmp]/ensure: created
> notice: /Firewall[999 reject everything else on forward]/ensure: created
> notice: /Firewall[998 reject everything else]/ensure: created
>
> But then I lose the ssh connection. Looking at the local console it is obvious why:
>
> Chain INPUT (policy ACCEPT)
> /* 998 reject everything else */
> /* 100 allow nrpe */
> /* 100 allow snmp */
> /* 003 allow ssh */
> /* 000 allow lo in */
> /* 001 allow icmp on eth0 */
> /* 002 allow packets with valid state */
>
> Chain FORWARD (policy ACCEPT)
> /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
>
> So again it looks like the numbers in the rule names have no meaning whatsoever.
> Rules are inserted according to stages, but without a rule position (iptables
> -I chain rulenum), so each one ends up on top, since for iptables the rulenum
> parameter is optional and is set to 1 (= top of the table) if not specified.
>
> --
> Jure Pečar
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
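The chain listing quoted above shows the failure mode exactly: every rule was pushed to the top of INPUT, so the catch-all reject ended up first and the SSH accept landed below it. One way to make the order explicit in the catalog rather than trusting the numeric prefix alone is the pre/post class pattern shown below. This is an added example, not code from the thread or from the puppetlabs-firewall module itself; the class names my_fw::pre and my_fw::post, the eth0 interface, and the NRPE (5666/tcp) and SNMP (161/udp) ports are assumptions made for illustration, with the rule names taken from the agent output quoted above.

```puppet
# Added example (not from the thread): pin the order of firewall rules with
# Puppet relationships instead of relying only on the numeric name prefix.
# Class names my_fw::pre / my_fw::post, the eth0 interface and the NRPE/SNMP
# ports are assumptions for illustration.

class my_fw::pre {
  # Rules in the pre class must not 'require' the pre class itself,
  # otherwise the default set at top scope would create a dependency cycle.
  Firewall {
    require => undef,
  }

  firewall { '000 allow lo in':
    proto   => 'all',
    iniface => 'lo',
    jump    => 'ACCEPT',
  }
  firewall { '001 allow packets with valid state':
    proto => 'all',
    state => ['RELATED', 'ESTABLISHED'],
    jump  => 'ACCEPT',
  }
  firewall { '002 allow icmp on eth0':
    proto   => 'icmp',
    iniface => 'eth0',
    jump    => 'ACCEPT',
  }
  # SSH lives in the pre class so it is in place before any reject rule exists.
  firewall { '003 allow ssh':
    proto => 'tcp',
    dport => '22',
    jump  => 'ACCEPT',
  }
}

class my_fw::post {
  # The catch-alls are the post class, so they must not be 'before' it.
  firewall { '998 reject everything else':
    proto  => 'all',
    jump   => 'REJECT',
    reject => 'icmp-admin-prohibited',
    before => undef,
  }
  firewall { '999 reject everything else on forward':
    chain  => 'FORWARD',
    proto  => 'all',
    jump   => 'REJECT',
    reject => 'icmp-admin-prohibited',
    before => undef,
  }
}

# Every firewall resource declared after this point is applied after the pre
# rules and before the post rules, whatever its name.
Firewall {
  before  => Class['my_fw::post'],
  require => Class['my_fw::pre'],
}

# Remove rules Puppet does not manage, so stale hand-added rules cannot
# shadow the managed ones. See the caveat in the note below.
resources { 'firewall':
  purge => true,
}

class { 'my_fw::pre': }
class { 'my_fw::post': }

# Service rules can now be declared anywhere in the catalog (assumed ports).
firewall { '100 allow nrpe':
  proto => 'tcp',
  dport => '5666',
  jump  => 'ACCEPT',
}
firewall { '100 allow snmp':
  proto => 'udp',
  dport => '161',
  jump  => 'ACCEPT',
}
```

Two checks before trusting this on a remote box: run it once with `puppet agent --test --noop` from a console session, not over SSH, and afterwards compare `iptables -L INPUT --line-numbers` with the expected order (lo, state, icmp, ssh, service rules, reject). The `resources { 'firewall': purge => true }` line deletes every rule Puppet does not know about, including anything added by hand for SSH, so declare all rules you depend on in the catalog before enabling purge.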
