Applying iptables NAT rules
580 views
Skip to first unread message
Sebastien Wains
Nov 4, 2013, 10:50:55 AM11/4/13
to salt-...@googlegroups.com
I want to apply those iptables rules with Salt:
iptables -t nat -A PREROUTING -p tcp --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A PREROUTING -p tcp --dport 25 -j REDIRECT --to-port 1025
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -p udp --dport 137 -j REDIRECT --to-port 1137
iptables -t nat -A PREROUTING -p udp --dport 138 -j REDIRECT --to-port 1138
iptables -t nat -A PREROUTING -p tcp --dport 139 -j REDIRECT --to-port 1139
iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 1445
I have the following state:
alfresco-iptables:
iptables.append:
- table: nat
- chain: PREROUTING
- proto: tcp
- dport: 21
- jump: REDIRECT
- to-port: 2121
It fails with this output:
[DEBUG ] Results of YAML rendering:
OrderedDict([('alfresco-iptables', OrderedDict([('iptables.append', [OrderedDict([('table', 'nat')]), OrderedDict([('chain', 'PREROUTING')]), OrderedDict([('proto', 'tcp')]), OrderedDict([('dport', 21)]), OrderedDict([('jump', 'REDIRECT')]), OrderedDict([('to-port', 2121)])])]))])
[INFO ] Executing state iptables.append for alfresco-iptables
[INFO ] Executing command 'iptables -t nat -C PREROUTING --proto tcp --to-port 2121 --jump REDIRECT --dport 21 --__env__ sandbox --__sls__ sged01 --order 10000 ' in directory '/root'
[DEBUG ] output: iptables v1.3.5: Unknown arg `-C'
Try `iptables -h' or 'iptables --help' for more information.
[INFO ] Executing command 'iptables -t nat -A PREROUTING --proto tcp --to-port 2121 --jump REDIRECT --dport 21 --__env__ sandbox --__sls__ sged01 --order 10000 ' in directory '/root'
[DEBUG ] output: iptables v1.3.5: Unknown arg `--to-port'
Try `iptables -h' or 'iptables --help' for more information.
First thing.. "save: True" (from the doc) failed.
Then, Unkown arg -C ?
Any clue ?
Thanks !
David Anderson
Nov 4, 2013, 12:19:47 PM11/4/13
to salt-...@googlegroups.com
What distro and version are you using? iptables 1.3.5 is almost 8 years
old.
--
Dave
> --
> You received this message because you are subscribed to the Google
> Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to salt-users+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
old.
--
Dave
> You received this message because you are subscribed to the Google
> Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to salt-users+...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
Markus Falb
Nov 4, 2013, 12:34:51 PM11/4/13
to salt-...@googlegroups.com
On 04.Nov.2013, at 18:19, David Anderson wrote:
> What distro and version are you using? iptables 1.3.5 is almost 8 years old.
--
Markus
David Anderson
Nov 4, 2013, 1:26:07 PM11/4/13
to salt-...@googlegroups.com
This might be fixed in this commit:
https://github.com/saltstack/salt/commit/58fd1b5594d022705ba971bf95043e084dedb29c
Although there's also some strangeness going on in your debug output:
[INFO ] Executing command 'iptables -t nat -C PREROUTING --proto tcp
--to-port 2121 --jump REDIRECT --dport 21 --__env__ sandbox --__sls__
sged01 --order 10000 ' in directory '/root'
I have no idea why "--__env__ sandbox --__sls__ sged01 --order 10000" is
being passed to iptables.
--
Dave
https://github.com/saltstack/salt/commit/58fd1b5594d022705ba971bf95043e084dedb29c
Although there's also some strangeness going on in your debug output:
[INFO ] Executing command 'iptables -t nat -C PREROUTING --proto tcp
--to-port 2121 --jump REDIRECT --dport 21 --__env__ sandbox --__sls__
sged01 --order 10000 ' in directory '/root'
being passed to iptables.
--
Dave
Colton Myers
Nov 4, 2013, 1:51:34 PM11/4/13
to salt-...@googlegroups.com
There was a bug with the ordering of iptables commands, which I think has since been fixed. If you could test on the `develop` branch, that would be helpful.
--
Colton Myers
--
You received this message because you are subscribed to the Google Groups "Salt-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+unsubscribe@googlegroups.com.
Sebastien Wains
Nov 5, 2013, 3:20:18 AM11/5/13
to salt-...@googlegroups.com
Thanks guys. I'm indeed facing this on RHEL5.
I'm going to test the develop branch today.
--Colton Myers
To unsubscribe from this group and stop receiving emails from it, send an email to salt-users+...@googlegroups.com.
Sebastien Wains
Nov 5, 2013, 5:03:42 AM11/5/13
to salt-...@googlegroups.com
I'm trying to set up an environment so I can test the develop branch.
Can you point me to the doc explaining how to achieve that ?
Thanks
Tim O'Guin
Nov 5, 2013, 9:52:20 AM11/5/13
to salt-...@googlegroups.com
The salt-bootstrap script is your best bet: https://github.com/saltstack/salt-bootstrap
To bootstrap just a master from git develop:
# curl -L http://bootstrap.saltstack.org | sudo sh -s -- -M -N git developAnd I *think* removing that -N will give you a master and minion on the same machine.
And to bootstrap a minion:
# curl -L http://bootstrap.saltstack.org | sudo sh -s -- git developSebastien Wains
Nov 6, 2013, 6:10:10 AM11/6/13
to salt-...@googlegroups.com
I proceeded as advised.. Still facing the same issue :
# Completed on Wed Nov 6 14:09:21 2013
[INFO ] Executing command 'iptables -t nat -C PREROUTING -p tcp -m tcp --dport 21 --to-port 2121 -j REDIRECT ' in directory '/root'
[DEBUG ] output: iptables v1.3.5: Unknown arg `-C'
Try `iptables -h' or 'iptables --help' for more information.
[INFO ] Executing command 'iptables -t nat -A PREROUTING -p tcp -m tcp --dport 21 --to-port 2121 -j REDIRECT ' in directory '/root'
[DEBUG ] output: iptables v1.3.5: Unknown arg `--to-port'
Try `iptables -h' or 'iptables --help' for more information.
[ERROR ] Failed to set iptables rule for alfresco-iptables
[root@salt-develop salt]# salt '*' state.highstate
----------
State: - iptables
Name: alfresco-iptables
Function: append
Result: False
Comment: Failed to set iptables rule for alfresco-iptables
Changes:
David Anderson
Nov 6, 2013, 11:59:15 AM11/6/13
to salt-...@googlegroups.com
Are you sure you're running the version from git? You shouldn't be
hitting the code path with the 'iptables -C' switch at all. Can you
check "salt 'minion_id' grains.get os_family" and "salt 'minion_id'
test.version"?
--
Dave
> # curl -Lhttp://bootstrap.saltstack.org | sudo sh -s -- -M -N git develop
> <https://groups.google.com/groups/opt_out>.
> <https://groups.google.com/groups/opt_out>.
hitting the code path with the 'iptables -C' switch at all. Can you
check "salt 'minion_id' grains.get os_family" and "salt 'minion_id'
test.version"?
--
Dave
>
> And I *think* removing that -N will give you a master and minion
> on the same machine.
>
> And to bootstrap a minion:
>
> # curl -Lhttp://bootstrap.saltstack.org | sudo sh -s -- git develop
> And I *think* removing that -N will give you a master and minion
> on the same machine.
>
> And to bootstrap a minion:
>
>
>
> --
> You received this message because you are subscribed to the
> Google Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to salt-users+...@googlegroups.com
> <javascript:>.
>
> --
> You received this message because you are subscribed to the
> Google Groups "Salt-users" group.
> To unsubscribe from this group and stop receiving emails from
> it, send an email to salt-users+...@googlegroups.com
> <https://groups.google.com/groups/opt_out>.
Reply all
Reply to author
Forward
0 new messages