is there a way to make the puppetlabs/firewall module implement the iptables -P flag?


Chris O'Donnell

Mar 15, 2012, 10:39:09 PM
to puppet...@googlegroups.com
With our current iptables rules, we implement the following in a script:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Then the script continues on and does the rest of the rules, some custom policies, etc. Now we're moving to Puppet and trying to replace all of our scripts. From what I can tell, the puppetlabs/firewall module doesn't allow a way to set the default policy for a default chain. By default, the puppetlabs/firewall module sets it as:

INPUT ACCEPT
FORWARD ACCEPT
OUTPUT ACCEPT

I've tried going through the module to implement this, but my Ruby skills aren't there yet. As this would be the default in all of our rules, I don't need a full implementation (i.e. able to set this from a pp file), I just need to be able to set it as the default for all iptables settings. Anyone have a hack (ugly or not) to implement this? I'm looking at other firewall modules, but this one is pretty slick, and would like to use this one (albeit with this modification) if possible.

Additional info (in case it matters)
Server:
- Debian squeeze (stable)
- Puppetmaster: 2.7.6 (from squeeze-backports)
- puppetlabs/firewall version 0.0.4 (current version on Puppetforge)
Clients:
- Debian squeeze (stable)
- puppet client version 2.6.2

Krzysztof Wilczynski

Mar 15, 2012, 11:25:42 PM
to puppet...@googlegroups.com
Hi,

> [...]
> Anyone have a hack (ugly or not) to implement this?
It will probably be there in the near future.

 KW

Dan Carley

Mar 16, 2012, 11:47:37 AM
to puppet...@googlegroups.com
On 15 March 2012 22:39, Chris O'Donnell <chod...@gmail.com> wrote:
> With our current iptables rules, we implement the following in a script:
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> Then the script continues on and does the rest of the rules, some custom policies, etc. Now we're moving to Puppet and trying to replace all of our scripts. From what I can tell, the puppetlabs/firewall module doesn't allow a way to set the default policy for a default chain. By default, the puppetlabs/firewall module sets it as:
>
> INPUT ACCEPT
> FORWARD ACCEPT
> OUTPUT ACCEPT
>
> I've tried going through the module to implement this, but my Ruby skills aren't there yet. As this would be the default in all of our rules, I don't need a full implementation (i.e. able to set this from a pp file), I just need to be able to set it as the default for all iptables settings. Anyone have a hack (ugly or not) to implement this? I'm looking at other firewall modules, but this one is pretty slick, and would like to use this one (albeit with this modification) if possible.

You can achieve the same effect with a default DROP/DENY rule at the end of your chain. I have some fondness for this approach, being one of the many hapless sysadmins that has once locked themselves out of a machine by running "iptables -F" without paying attention to the policy defaults.

Chris O'Donnell

Mar 16, 2012, 10:09:34 PM
to puppet...@googlegroups.com
FYI, I downloaded the following branch this morning:

git clone -b ticket/10162-firewallchain_support_for_merge git://github.com/kbarber/puppetlabs-firewall.git

and found a bug where the args for iptables were being fed to it in the wrong order. I made the following patch, and emailed it to Ken:

--- iptables_chain.rb.orig      2012-03-16 17:14:29.000000000 -0400
+++ iptables_chain.rb   2012-03-16 16:31:40.000000000 -0400
@@ -73,7 +73,7 @@

   def policy=(value)
     return if value == :empty
-    allvalidchains do |t, table, chain|
+    allvalidchains do |t, chain, table|
        p = ['-t',table,'-P',chain,value.to_s.upcase]
        debug "[set policy] #{t} #{p}"
       t.call p
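Review bot: swapping the block parameters to `|t, chain, table|` corrects the binding at this one call site, but the underlying question is what `allvalidchains` actually yields; if its yield order is `t, chain, table`, every other block passed to it needs the same order (worth auditing before merging), and if the yield order was meant to be `t, table, chain`, the fix belongs in `allvalidchains` rather than here. Also visible in the hunk: `return if value == :empty` means a chain declared without a `policy` leaves whatever policy the kernel currently has, so the resource cannot be used to reset a chain back to ACCEPT; a comment on that behaviour above the guard would save the next reader a surprise.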

Krzysztof Wilczynski

Mar 16, 2012, 10:28:06 PM
to puppet...@googlegroups.com
Hi Chris,

Awesome, +1 :)

KW

Andy McDougall

Mar 28, 2014, 2:49:16 PM
to puppet...@googlegroups.com, krzysztof....@linux.com

Hi,

I have used the following to set default policy.

  firewallchain { 'FORWARD:filter:IPv4':
    ensure => present,
    policy => drop,
  }

  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => drop,
  }

Andy
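Putting Dan's "terminal DROP rule" approach and Andy's firewallchain policy together, here is an added example manifest; it is not code from this thread or from the module's own documentation. It assumes a puppetlabs/firewall release that provides the firewallchain type and the action, state, iniface and dport parameters on the firewall type (1.x-era syntax; on the 0.0.x versions discussed in 2012, jump => 'DROP' was the equivalent of action => 'drop'). The management network 192.0.2.0/24 is a constructed placeholder. The point the thread only hints at is ordering: the rules that keep you connected must be applied before the INPUT policy becomes DROP, which is what the require on the INPUT chain enforces.

```puppet
# Added example (not from the thread): filter-table defaults for a host
# managed with puppetlabs/firewall, reproducing
#   iptables -P INPUT DROP; iptables -P FORWARD DROP; iptables -P OUTPUT ACCEPT
# without ever leaving the box with a DROP policy and no accept rules.

# Rules that must exist before INPUT's policy flips to DROP. Without them the
# agent run that sets the policy cuts off its own SSH session. The numeric
# prefix in the title is how the module orders rules within a chain.
firewall { '000 accept all on loopback':
  chain   => 'INPUT',
  proto   => 'all',
  iniface => 'lo',
  action  => 'accept',
}

firewall { '001 accept established and related':
  chain  => 'INPUT',
  proto  => 'all',
  state  => ['ESTABLISHED', 'RELATED'],
  action => 'accept',
}

firewall { '010 accept ssh from management network':
  chain  => 'INPUT',
  proto  => 'tcp',
  dport  => 22,
  source => '192.0.2.0/24',   # constructed placeholder range
  action => 'accept',
}

# Andy's approach: the chain policy itself, i.e. `iptables -P INPUT DROP`.
# The require makes Puppet apply the accept rules first. Assumption: the
# module does not autorequire the built-in filter chains from their rules
# (true of the 1.x releases I know); if your version does, this require
# would form a dependency cycle and must be replaced by the module's
# documented pre/post class ordering pattern.
firewallchain { 'INPUT:filter:IPv4':
  ensure  => present,
  policy  => drop,
  require => Firewall['000 accept all on loopback',
                      '001 accept established and related',
                      '010 accept ssh from management network'],
}

firewallchain { 'FORWARD:filter:IPv4':
  ensure => present,
  policy => drop,
}

firewallchain { 'OUTPUT:filter:IPv4':
  ensure => present,
  policy => accept,
}

# Dan's approach: an explicit last rule in the chain. With the policy already
# DROP it is redundant, but it survives an accidental `iptables -P INPUT ACCEPT`
# and gives you a packet counter for everything that fell through.
firewall { '999 drop everything else on INPUT':
  chain  => 'INPUT',
  proto  => 'all',
  action => 'drop',
}
```

Before the first run on a remote host, test the catalogue with `puppet agent --test --noop` and keep an out-of-band console handy; a typo in the SSH rule combined with a DROP policy is exactly the lock-out Dan describes, just reached from the other direction.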