merging iptables rules with puppet

[Geoff Galitz]

I'm still a bit noobish with puppet...

In short what I want to do is merge puppet managed iptables with dynamically added rules added by some scripts.  We have a basic config setup with a template (iptables.erb) and we can add rules to that in manifests.  But of course puppet will wipe any changes made from the OS.  Any advice on how to get puppet to respect the dynamically loaded rules?  

Thanks.

-G

--
-----------------------------------------------
Geoff Galitz, gga...@shutterstock.com
WebOps
Shutterstock Images

[Matt Zagrabelny]

Perhaps put them in a chain of their own?

I am not sure if puppet with delete chains.

-mz

> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet...@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

[Luke Baker]

By dynamically loading rules do you mean executing iptables <rule> or are you editing your iptables-save file and then reloading?

[Geoff Galitz]

We are executing iptables <rule>, not editing the backend files, though we could do that if that were the only option.

-G

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/VX2Sj8i2-ssJ.

To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

[Peter Brown]

Hi,

I manage my iptables setup with the concat module and nail together a
rules file and then reload it if it's changed
I also have a define setup so other classes can define rules and my
firewall class pulls them all in.
works well for me because when i remove a class the firewall rull
associated with it goes away too.

I am intending on putting my modules in githib but have been super
busy and haven't had a chance yet.

[Justin Ellison]

I can't say enough good about the puppetlabs-firewall module.  They've put a lot of work into it, and it works perfectly.

https://github.com/puppetlabs/puppetlabs-firewall

No need for concat here.

Justin

[Dan White]

I have an open issue against it, but otherwise I agree.

http://projects.puppetlabs.com/issues/14413

If I could come up with a workaround for this, I would be a very happy camper.

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

---

From: "Justin Ellison" <jus...@techadvise.com>
To: puppet...@googlegroups.com
Sent: Thursday, August 16, 2012 3:27:52 PM
Subject: Re: [Puppet Users] Re: merging iptables rules with puppet

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/2RiSuyvxkAwJ.

[Peter Brown]

I have been meaning to have a look at that one and see if it will work
for what I need.
I have likely put it off because I am always too busy and my firewall
module works.
I also like having the rules go away automagically if they aren't
needed any more.

> https://groups.google.com/d/msg/puppet-users/-/2RiSuyvxkAwJ.