I'm trying to implement iptables management via puppet. My goal is to have a set of default rules that get inherited by every node and then a set of modules defining services, where each service definition brings its own additional iptables rules and they should be properly merged together.
But I'm stuck at the first steps of implementing the firewall module. As I understand the documentation, the number in the name of the rule is used to properly order the rules in the iptables table. However, this is not what I observe.
Consider the following rules:
class iptables {
  service { 'iptables':
    enable    => true,
    subscribe => File['/etc/sysconfig/iptables'],
  }
  firewall { '000 allow lo in':
    iniface => 'lo',
    action  => accept,
  }
  firewall { '002 allow packets with valid state':
    state   => ['RELATED', 'ESTABLISHED'],
    iniface => 'eth0',
    action  => accept,
  }
  firewall { '032 allow icmp on eth0':
    proto   => 'icmp',
    iniface => 'eth0',
    action  => accept,
  }
  firewall { '100 allow ssh':
    destination => $ipaddress_eth0,
    proto       => 'tcp',
    dport       => '22',
    state       => 'NEW',
    action      => accept,
    ensure      => 'present',
  }
  firewall { '100 allow nrpe':
    destination => $ipaddress_eth0,
    proto       => 'tcp',
    dport       => '5666',
    state       => 'NEW',
    action      => accept,
  }
  firewall { '100 allow snmp':
    destination => $ipaddress_eth0,
    proto       => 'udp',
    dport       => '161',
    action      => accept,
  }
  firewall { '999 reject everything else':
    action => reject,
    reject => 'icmp-admin-prohibited',
  }
  firewall { '999 reject everything else on forward':
    chain  => 'FORWARD',
    action => reject,
    reject => 'icmp-admin-prohibited',
  }
  # drop any rule that is not managed by puppet
  resources { 'firewall':
    purge => true,
  }
  exec { "persist-firewall":
    command     => '/sbin/service iptables save',
    refreshonly => true,
  }
  # every firewall resource triggers the save
  Firewall {
    notify => Exec["persist-firewall"]
  }
}
When I run puppetd -t on a node, I get something like this in the iptables -nL output (cut to just the comment field):
Chain INPUT (policy ACCEPT)
/* 100 allow snmp */
/* 100 allow ssh */ state NEW
/* 032 allow icmp on eth0 */
/* 002 allow packets with valid state */
/* 999 reject everything else */
/* 000 allow lo in */
/* 100 allow nrpe */ state NEW
Chain FORWARD (policy ACCEPT)
/* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
The order of the rules appears random; sometimes the reject-everything rule is applied first and I lose the connection to the server.
My observation is that either the number in the rule name has no meaning or I'm doing something wrong. Since I'm relatively new to puppet (but was working with cfengine 7-8 years ago), I'm asking this group for suggestions before I file a bug report.
Env is puppet 2.6.12, centos 5.7 on server, centos 6.2 on client.
--
Jure Pečar
> It's because puppet doesn't read sequentially but randomly accesses the
> module/class.
> You might be able to get around this by using a template.
Well, the documentation clearly states:
Parameters
name
The canonical name of the rule. This name is also used for ordering
so make sure you prefix the rule with a number
What I want to achieve is exactly what's described in this blog post:
http://geek.jasonhancock.com/2011/10/11/managing-iptables-firewalls-with-puppet/
However, it doesn't work for me. How can I figure out why not?
--
Jure Pečar
I used the line:
firewall { '100 allow http':
  proto => 'tcp',
  dport => '80',
  jump  => 'ACCEPT',
}
and got:
Parameter jump failed: Jump destination should not be one of ACCEPT, REJECT or DENY. Use the action property instead.
Are these things tested before checking them into the repository?
“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
> You could use stages as described in documentation:
>
> http://forge.puppetlabs.com/puppetlabs/firewall
Now I've implemented stages, and indeed the output of puppet agent makes me think they are in place:
notice: /Firewall[002 allow icmp on eth0]/ensure: created
notice: /Firewall[001 allow packets with valid state]/ensure: created
notice: /Firewall[000 allow lo in]/ensure: created
notice: /Firewall[003 allow ssh]/ensure: created
notice: /File[/etc/sysconfig/iptables]/ensure: created
notice: /Firewall[100 allow nrpe]/ensure: created
notice: /Firewall[100 allow snmp]/ensure: created
notice: /Firewall[999 reject everything else on forward]/ensure: created
notice: /Firewall[998 reject everything else]/ensure: created
But then I lose the ssh connection. Looking at the local console it is obvious why:
Chain INPUT (policy ACCEPT)
/* 998 reject everything else */
/* 100 allow nrpe */
/* 100 allow snmp */
/* 003 allow ssh */
/* 000 allow lo in */
/* 001 allow icmp on eth0 */
/* 002 allow packets with valid state */
Chain FORWARD (policy ACCEPT)
/* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
So again it looks like the number in the rule name has no meaning whatsoever. Rules are inserted according to stages, but without a rule position (iptables -I chain rulenum), so each one ends up on top, since for iptables the rulenum parameter is optional and defaults to 1 (= top of the table) if not specified.
--
Jure Pečar
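An added check, not from this thread or from the puppetlabs-firewall module, that parses the comment column of iptables -nL as pasted in the first post and in the post above, finds where the "NNN name" numeric order breaks, and lists the allow rules that sit below a reject rule (the ones that will never be reached). The sample input is constructed from the output quoted above.

```python
import re

# Constructed sample: the comment column of "iptables -nL" as pasted in the thread
SAMPLE = """\
Chain INPUT (policy ACCEPT)
/* 998 reject everything else */
/* 100 allow nrpe */
/* 100 allow snmp */
/* 003 allow ssh */
/* 000 allow lo in */
/* 001 allow icmp on eth0 */
/* 002 allow packets with valid state */
Chain FORWARD (policy ACCEPT)
/* 999 reject everything else on forward */ reject-with icmp-admin-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")
COMMENT_RE = re.compile(r"/\* (\d+) (.*?) \*/")  # the module's "NNN name" comment convention


def parse_chains(text):
    """Map each chain to its rules as (number, name), in the order iptables lists them."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        m = COMMENT_RE.search(line)
        if m and current is not None:
            chains[current].append((int(m.group(1)), m.group(2)))
    return chains


def first_misorder(rules):
    """Index of the first rule numbered lower than its predecessor, or None if sorted."""
    for i in range(1, len(rules)):
        if rules[i][0] < rules[i - 1][0]:
            return i
    return None


def shadowed_by_reject(rules):
    """Names of rules that sit below a 'reject ...' rule in the same chain and are never reached."""
    shadowed, rejecting = [], False
    for _, name in rules:
        if name.startswith("reject"):
            rejecting = True
        elif rejecting:
            shadowed.append(name)
    return shadowed
```

Run it against the real output (iptables -nL piped in) before the catch-all reject is applied on a remote box; a non-empty shadowed list for INPUT is exactly the lockout seen above.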
How do I get the "--syn" option onto the command that Puppet runs?
I need to duplicate this command (which does work):
# allow (udp) dns from IP range
/sbin/iptables -A INPUT -p udp -s 10.0.0.0/8 --sport domain --dport 1025:65535 -j ACCEPT
So I tried:
firewall { "011 a allow DNS":
  proto  => 'udp',
  sport  => 'domain',
  dport  => '1025-65535',
  source => ['10.0.0.0/8'],
  action => 'accept',
}
And it says:
err: /Firewall[011 a allow DNS]: Could not evaluate: Execution of '/sbin/iptables -R INPUT 16 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025:65535 -m comment --comment 011 a allow DNS -j ACCEPT' returned 2: Try `iptables -h' or 'iptables --help' for more information.
So I pull from the log:
/sbin/iptables -I INPUT 4 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025:65535 -m comment --comment 011 a allow DNS -j ACCEPT
and it says:
Bad argument `1025:65535'
Try `iptables -h' or 'iptables --help' for more information.
firewall { "011 a allow DNS":
  proto  => 'udp',
  sport  => '53',
  source => ['10.0.0.0/8'],
  action => 'accept',
}
-A INPUT -s 10.0.0.0/255.0.0.0 -p udp -m multiport --sports 53 -m comment --comment "011 a allow DNS" -j ACCEPT
firewall { "011 a allow DNS":
  proto  => 'udp',
  sport  => '53',
  dport  => '1025',
  source => ['10.0.0.0/8'],
  action => 'accept',
}
err: /Firewall[011 a allow DNS]: Could not evaluate: Execution of '/sbin/iptables -R INPUT 13 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025 -m comment --comment 011 a allow DNS -j ACCEPT' returned 2: Try `iptables -h' or 'iptables --help' for more information.
--
Jure Pečar