iptables

Safely manages IPTables firewall rules

Project URL RSS Feed Report issues

Module Stats

27,444 downloads

179 latest version

4.7 quality score

Version information

released Jan 17th 2024

This version is compatible with:

Puppet Enterprise 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
Puppet >= 7.0.0 < 9.0.0
, , , , ,

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'simp-iptables', '6.13.1'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add simp-iptables

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install simp-iptables --version 6.13.1

Tags: iptables, firewall, compliance, stig, nist, simp, disa-stig, nist-800-53

Documentation

simp/iptables — version 6.13.1 Jan 17th 2024

Overview
This is a SIMP module
Module Description
Setup
- What iptables affects
- Beginning with iptables
  - I want a basic secure iptables setup
Usage
Reference
Limitations
Development
- Acceptance tests

Overview

This module provides native types for managing the system IPTables and IP6Tables as well as convenience defines and general system configuration capabilities.

The ability to use this module to automatically shim through to firewalld is optionally supported for legacy systems and modules that are working on migrating to firewalld support.

This is a SIMP module

This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.

Most SIMP modules actively take advantage of this module when used within the SIMP ecosystem.

Module Description

The iptables module manages all IPTables and IP6Tables rules in an atomic fashion. All rules are applied only once per puppet agent run during the application of the last executed iptables resource.

Applying the rules in this manner ensures that avoid situations where you have a partially applied IPTables rule set during a failure in your run of puppet (someone hits ^C, your system runs out of memory, etc...).

The module also takes additional safety measures to attempt to keep your firewall rules in a consistent state over time to include:

Rolling back to the last configuration if the application of the new configuration fails
Rolling back to an 'ssh-only' mode if application of all configurations fail

The goal is to remain in a state where you can be sure that your system is tightly restricted but also able to be recovered.

Finally, the module works to ensure that services such as OpenStack, Docker, VirtualBox, etc... can apply their rules without being affected by this module. The module provides mechanisms to preserve these rules as managed by external systems based on regular expression matches.

Setup

What iptables affects

The module manages the iptables package, service, and rules.

On systems containing the firewalld service, it is ensured to be stopped unless iptables::use_firewalld is set to true.

Beginning with iptables

I want a basic secure iptables setup

A basic setup with iptables will allow the following:

ICMP
Loopback
SSH
Established and Related traffic (Return Traffic)

# Set up iptables with the default settings

include 'iptables'

Output (to /etc/sysconfig/iptables)

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Usage

I want to open a specific port or allow access

The iptables module has a set of defined types for adding in new firewall rules.

#open TCP port 443 (HTTPS) and a custom 8443 from any IP Address

iptables::listen::tcp_stateful { 'webserver':
  trusted_nets => ['any'],
  dports => [ 443 , 8443 ]
}

#open UDP port 53 (DNS) from two specific IP addresses

iptables::listen::udp {'DNS':
  trusted_nets => ['192.168.56.55','192.168.56.147'],
  dports      => [ 53 ]
}

#Allow a specific machine full access to this node

iptables::listen::all { 'Central Management':
  trusted_nets => ['10.10.35.100'],
}

#Allow a range of ports to be accessible from a specific IP
iptables::listen::tcp_stateful { 'myapp':
  trusted_nets => ['10.10.45.100'],
  dports => ['1024:60000']
}

This module doesn't cover my specific iptables rule

In the case you need a rule not covered properly by the module, you can use the iptables::add_rules type to place the exact rule into /etc/sysconfig/iptables.

# Inserts a custom rule into IPtables

iptables::rule { 'example':
  content => '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp\
  -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'
}

Firewalld Mode

This module has preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.

Using any of the iptables::listen::* defined types will work seamlessly in firewalld mode but direct calls to iptables::rule will emit a warning letting the user know that they must switch over to simp_firewalld::rule.

Additionally, calls to any of the native types included in this module will result in undefined behavior and is not advised.

Enabling Firewalld Mode

To enable firewalld mode on supported operating systems, simply set iptables::use_firewalld to true via Hiera.

NOTE: EL 8 systems enable firewalld mode by default.

Reference

See REFERENCE.md

Limitations

IPv6 support has not been fully tested, use with caution
firewalld must be disabled if using iptables. The module will disable firewalld if it is present and the module is not in firewalld compatibility mode.
This module is intended to be used on a Red Hat Enterprise Linux-compatible distribution such as EL6 and EL7. However, any distribution that uses the /etc/sysconfig/iptables configuration should function properly (let us know!).

Development

Please read our Contribution Guide.

Acceptance tests

To run the system tests, you need Vagrant installed. Then, run:

bundle exec rake beaker:suites

Some environment variables may be useful:

BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes

BEAKER_debug: show the commands being run on the STU and their output.
BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests to run on isolated networks.

Reference

Classes

iptables: Manage iptables with default rule optimization and a failsafe fallback mode
iptables::install: Install the IPTables and IP6Tables components
iptables::rules::base: NOTE: THIS IS A PRIVATE CLASS Set up the basic iptables rules pertinen
iptables::rules::default_drop: NOTE: THIS IS A PRIVATE CLASS Manage the default policy settings of th
iptables::rules::mod_recent: A wrapper for managing the xt_recent portion of iptables settings It is mainly meant to be a helper class but can be used alone if required.
iptables::rules::prevent_localhost_spoofing: Add rules that prevent external parties from being able to send spoofed packets to your system from ::1 The sysctl setting for rp_filter han
iptables::rules::scanblock: Provide a method for setting up an iptables electric fence Any host that makes it past all of your allow rules will be added to the ban list
iptables::service: Manage the IPTables and IP6Tables services This also installs fallback startup scripts that come into play should the regular processes fail

Defined types

iptables::listen::all: Allow all protocols to all ports from a select set of networks
iptables::listen::icmp: This provides a simple way to allow ICMP ports into the system.
iptables::listen::tcp_stateful: Allow access to specific ports from specific hosts or networks
iptables::listen::udp: Expose UDP ports to a set of hosts
iptables::ports: A define to allow for the standardization of the iptables::ports syntax across modules
iptables::rule: Add rules to the IPTables configuration file ### Result: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :LOCAL-IN

Resource types

ip6tables_optimize: A name variable, doesn't really do anything
iptables_default_policy: Manage the default policy on iptables tables built-in chains
iptables_optimize: The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.
iptables_rule: Authoritatively manage iptables rules. This type is atomic, either all rules work, or the old rules are preserved.
xt_recent: Sets the various options on the running xt_recent kernel module. If the module needs to be loaded, attempts to load the module.

Functions

iptables::slice_ports: Split a stringified Iptables::DestPort into an Array that contain groupings of max_length size.
iptables::use_firewalld: Returns true if the client can/should use firewalld

Data types

Iptables::ApplyTo: Valid families to which rules should apply
Iptables::DestPort: An iptables_rule compatible port range or Array
Iptables::PortRange: An iptables-compatible Port Range

Classes

`iptables`

It is highly recommended that you place this module in firewalld mode if the underlying system supports it.

You can do this by setting iptables::use_firewalld: true in Hiera

This class will detect conflicts with the SIMP option simp_options::firewall and, if necessary, cease management of IPTables in the case of a conflict.

In particular, this means that if simp_options::firewall is false, but you have included this class, it will refuse to manage IPTables and will instead raise a warning.

If the simp_options::firewall variable is not present, the module will manage IPTables as expected.

Parameters

The following parameters are available in the iptables class:

enable
use_firewalld
ensure
ipv6
class_debug
optimize_rules
precise_match
ignore
default_rules
scanblock
prevent_localhost_spoofing
ports

`enable`

Data type: Variant[Enum['ignore','firewalld'],Boolean]

Enable IPTables

If set to true will enable management of IPTables
If set to false will disable IPTables completely
If set to ignore will stop managing IPTables

Default value: simplib::lookup('simp_options::firewall', { 'default_value' => true })

`use_firewalld`

Data type: Boolean

Explicitly enable management via simp_firewalld

Systems that do not have firewalld installed will fall back to iptables

Default value: iptables::use_firewalld($enable)

`ensure`

Data type: String

The state that the package resources should target

May take any value acceptable to the native package resource ensure parameter

Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })

`ipv6`

Data type: Boolean

Also manage IP6Tables

Default value: true

`class_debug`

Data type: Boolean

Print messages regarding rule comparisons

Default value: false

`optimize_rules`

Data type: Boolean

Run the inbuilt iptables rule optimizer to collapse the rules down to as small as is reasonably possible without reordering

IPSets have been incorporated via the firewalld module

Default value: true

`precise_match`

Data type: Boolean

Instead of matching rule counts, perform a more precise match against the running and to-be-applied rules. You may find that minor changes, such as a simple netmask change will not be enforced without enabling this option.

NOTE: You MUST use the exact same syntax that will be returned by iptables-save and ip6tables-save if you use this option!
For example, you cannot write echo-request for an ICMP echo match, you must instead use 8.

Default value: false

`ignore`

Data type: Array[String[1]]

Regular expressions that you would like to match in order to preserve running rules

This modifies the behavior of the iptables_optimize Type.
Do not include the beginning and ending / but do include an end or beginning of word marker (^ and/or $) if appropriate

Default value: []

`default_rules`

Data type: Boolean

Enable the usual set of default deny rules that you would expect to see on most systems

Uses the following expectations of rule ordering (not enforced):
- 1 -> ESTABLISHED and RELATED rules
- 2-5 -> Standard ACCEPT and DENY rules
- 6-10 -> JUMP to other rule sets
- 11-20 -> Pure ACCEPT rules
- 22-30 -> LOG and REJECT rules

Default value: true

`scanblock`

Data type: Boolean

Enable a technique for setting up port-based triggers that will block anyone connecting to the system for an hour after connection to a forbidden port

Default value: false

`prevent_localhost_spoofing`

Data type: Boolean

Add rules to PREROUTING that will prevent spoofed packets from localhost addresses from reaching your system

Default value: true

`ports`

Data type: Optional[Hash]

A hash with structure as defined below that will open ports based on the structure of the hash. @example An example section of hieradata: iptables::ports: defaults: apply_to: ipv4 80: 53: proto: udp 443: apply_to: ipv6

Default value: undef

`iptables::install`

Install the IPTables and IP6Tables components

Parameters

The following parameters are available in the iptables::install class:

ipv4_package
ipv6_package

`ipv4_package`

Data type: String[1]

The package used to manage ipv4 rules

Default from module data

`ipv6_package`

Data type: String[1]

The package used to manage ipv6 rules

Default from module data

`iptables::rules::base`

NOTE: THIS IS A PRIVATE CLASS

Set up the basic iptables rules pertinent to system security

The rules defined in here follow the following suggestion:

1 -> ESTABLISHED,RELATED rules.
2-5 -> Standard ACCEPT/DENY rules.
6-10 -> Jumps to other rule sets.
11-20 -> Pure accept rules.
22-30 -> Logging and rejection rules.

Parameters

The following parameters are available in the iptables::rules::base class:

allow_ping
drop_broadcast
drop_loopback
drop_multicast
force_local_input

`allow_ping`

Data type: Boolean

Allow ICMP type 8 (ping) packets into the host

This is enabled by default for RFC 1122 compliance

@see https://tools.ietf.org/html/rfc1122#page-42 RFC 1122 Section 3.2.2.6

Default value: true

`drop_broadcast`

Data type: Boolean

Drop all broadcast traffic to this host

Default value: true

`drop_loopback`

Data type: Boolean

Drop all loopback traffic to this host

@see https://tools.ietf.org/html/rfc1122#page-31 RFC 1122 Section 3.2.1.3(g)

Default value: true

`drop_multicast`

Data type: Boolean

Drop all multicast traffic to this host

Default value: true

`force_local_input`

Data type: Boolean

Require that all traffic traverse the LOCAL-INPUT chain

If set to false, will put LOCAL-INPUT at the bottom of the INPUT traversal stack so that other chains may easily be added above.

Default value: true

`iptables::rules::default_drop`

NOTE: THIS IS A PRIVATE CLASS

Manage the default policy settings of the built in chains.

Given that there is a well-defined, and limited, set of built-in chains this class fully enumerates the combinations to maximize readability.

Setting any parameter to true will activate the DROP condition.
Setting any parameter to false will activate the ACCEPT condition.
Leaving a parameter unset will not change the state of the system.

NOTE: If you need different settings for IPv6 and IPv4 then you will need to create your own resources

Parameters

The following parameters are available in the iptables::rules::default_drop class:

filter_input
filter_forward
filter_output

`filter_input`

Data type: Optional[Boolean]

Default value: undef

`filter_forward`

Data type: Optional[Boolean]

Default value: undef

`filter_output`

Data type: Optional[Boolean]

Default value: undef

`iptables::rules::mod_recent`

A wrapper for managing the xt_recent portion of iptables settings

It is mainly meant to be a helper class but can be used alone if required.

Parameters

The following parameters are available in the iptables::rules::mod_recent class:

notify_iptables
ip_list_tot
ip_pkt_list_tot
ip_list_hash_size
ip_list_perms
ip_list_uid
ip_list_gid

`notify_iptables`

Data type: Boolean

Notify the IPTables service when complete

Default value: true

`ip_list_tot`

Data type: Integer[0]

The number of addresses remembered per table

*This effectively becomes the maximum size of your ban list

Be aware that more addresses means more load on your system

Default value: 200

`ip_pkt_list_tot`

Data type: Integer[0]

The number of packets per address remembered

Default value: 20

`ip_list_hash_size`

Data type: Integer[0]

Hash table size

0 means to calculate it based on ip_list_tot

Default value: 0

`ip_list_perms`

Data type: String

Permissions for /proc/net/xt_recent/* files

Default value: '0640'

`ip_list_uid`

Data type: Integer[0]

Numerical UID for ownership of /proc/net/xt_recent/* files

Default value: 0

`ip_list_gid`

Data type: Integer[0]

Numerical GID for ownership of /proc/net/xt_recent/* files

Default value: 0

`iptables::rules::prevent_localhost_spoofing`

Add rules that prevent external parties from being able to send spoofed packets to your system from ::1

The sysctl setting for rp_filter handles this for IPv4

`iptables::rules::scanblock`

Provide a method for setting up an iptables electric fence

Any host that makes it past all of your allow rules will be added to the ban list.

WARNING

If you enable this, be sure to enable your IPTables rules prior to connecting with a client or you're likely to completely deny your internal hosts.

WARNING

NOTE: Changing any of the ip_* variables will cause the iptables service to be triggered. This is because the variables cannot take effect until the iptables rules are reset.

Management

Details on managing xt_recent can be found in iptables(8). The following are just some useful commands.

Add address to list echo +addr >/proc/net/xt_recent/LIST_NAME
Remove address from list echo -addr >/proc/net/xt_recent/LIST_NAME
Remove all address from list echo / >/proc/net/xt_recent/LIST_NAME
See also
- http://www.thatsgeeky.com/2011/01/limiting-brute-force-attacks-with-iptables/
  - Limiting Brute Force Attacks with IPTables

Parameters

The following parameters are available in the iptables::rules::scanblock class:

enable
seconds
hitcount
set_rttl
update_interval
logs_per_minute
ip_list_tot
ip_pkt_list_tot
ip_list_hash_size
ip_list_perms
ip_list_uid
ip_list_gid

`enable`

Data type: Boolean

Enable or disable scan blocking

Default value: true

`seconds`

Data type: Integer[0]

Connections from attackers must happen within this number of seconds to be considered an attack

Directly relates to hitcount to log and block attackers

Default value: 60

`hitcount`

Data type: Integer[0]

The number of hits that must happen within 'seconds' to be considered an attack

Default value: 2

`set_rttl`

Data type: Boolean

Set this if you worry about having external parties DoS your system by spoofing their IP addresses

Default value: false

`update_interval`

Data type: Integer[0]

Block attackers for this long (in seconds)

Connecting systems must not connect for at least this long prior to being allowed to reconnect

Default value: 3600

`logs_per_minute`

Data type: Integer[0]

How many logs to send given logs_per_minute connections per minute

This is mainly so that you don't end up overrunning your log services

Default value: 5

`ip_list_tot`

Data type: Integer[0]

The number of addresses remembered per table

This effectively becomes the maximum size of your block list
NOTE: Be aware that more addresses means more load on your system

Default value: 200

`ip_pkt_list_tot`

Data type: Integer[0]

The number of packets per address remembered

Default value: 20

`ip_list_hash_size`

Data type: Integer[0]

Hash table size

0 means to calculate it based on ip_list_tot

Default value: 0

`ip_list_perms`

Data type: String

Permissions for /proc/net/xt_recent/* files

Default value: '0640'

`ip_list_uid`

Data type: Integer[0]

Numerical UID for ownership of /proc/net/xt_recent/* files

Default value: 0

`ip_list_gid`

Data type: Integer[0]

Numerical GID for ownership of /proc/net/xt_recent/* files

Default value: 0

`iptables::service`

Manage the IPTables and IP6Tables services

This also installs fallback startup scripts that come into play should the regular processes fail to start due to a race condition with DNS.

Parameters

The following parameters are available in the iptables::service class:

enable
ipv6

`enable`

Data type: Any

Enable IPTables

If set to false with disable IPTables completely
If set to ignore will stop managing IPTables

Default value: pick(getvar('iptables::enable'),true)

`ipv6`

Data type: Any

Also manage IP6Tables

Default value: pick(getvar('iptables::ipv6'),true)

Defined types

`iptables::listen::all`

Allow all protocols to all ports from a select set of networks

Examples

Open Access to Hosts ``1.2.3.4` and `5.6.7.8`

iptables::listen::all { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
}

### Result

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -s 1.2.3.4 -j ACCEPT
-A LOCAL-INPUT -s 5.6.7.8 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Parameters

The following parameters are available in the iptables::listen::all defined type:

first
absolute
order
apply_to
trusted_nets

`first`

Data type: Boolean

Prepend this rule to the rule set

Default value: false

`absolute`

Data type: Boolean

Make sure that this rule is absolutely first, or last, depending on the setting of first

If first is true, this rule will be at the top of the list
If first is false, this rule will be at the bottom of the list
For all absolute rules, alphabetical sorting still takes place

Default value: false

`order`

Data type: Integer[0]

The order in which the rule should appear

1 is the minimum and 9999999 is the maximum
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules

Default value: 11

`apply_to`

Data type: Iptables::ApplyTo

The IPTables network type to which to apply this rule

ipv4 -> iptables
ipv6 -> ip6tables
all -> Both
auto -> Try to figure it out from the rule, will not pick all

Default value: 'auto'

`trusted_nets`

Data type: Simplib::Netlist

Client networks that should be allowed

Set to any to allow all networks

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

`iptables::listen::icmp`

This provides a simple way to allow ICMP ports into the system.

See also
- iptables(8)

Examples

Allow `ping` From `1.2.3.4` and `5.6.7.8`

iptables::listen::icmp { "example":
  trusted_nets => [ "1.2.3.4", "5.6.7.8" ],
  icmp_type => '8'
}

### Result

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -p icmp -s 1.2.3.4 --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -p icmp -s 5.6.7.8 --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Parameters

The following parameters are available in the iptables::listen::icmp defined type:

icmp_types
first
absolute
order
apply_to
trusted_nets

`icmp_types`

Data type: Variant[Array[String],String]

The iptables-compatible ICMP types that should be allowed

You can list the ICMP types with iptables -p icmp -h
Set to any to allow all ICMP types

`first`

Data type: Boolean

Prepend this rule to the rule set

Default value: false

`absolute`

Data type: Boolean

Make sure that this rule is absolutely first, or last, depending on the setting of first

If first is true, this rule will be at the top of the list
If first is false, this rule will be at the bottom of the list
For all absolute rules, alphabetical sorting still takes place

Default value: false

`order`

Data type: Integer[0]

The order in which the rule should appear

1 is the minimum and 9999999 is the maximum
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules

Default value: 11

`apply_to`

Data type: Iptables::ApplyTo

The IPTables network type to which to apply this rule

ipv4 -> iptables
ipv6 -> ip6tables
all -> Both
auto -> Try to figure it out from the rule, will not pick all

Default value: 'auto'

`trusted_nets`

Data type: Simplib::Netlist

Client networks that should be allowed

Set to any to allow all networks

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

`iptables::listen::tcp_stateful`

Allow access to specific ports from specific hosts or networks

Examples

Provide Access to Specific Ports

iptables::listen::tcp_stateful { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
  dports => [ 5, '1024:65535' ]
}

### Result

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 5 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 5.6.7.8 --dport 5 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 5.6.7.8 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Parameters

The following parameters are available in the iptables::listen::tcp_stateful defined type:

dports
first
absolute
order
apply_to
trusted_nets

`dports`

Data type: Iptables::DestPort

The ports that you want to expose

`first`

Data type: Boolean

Prepend this rule to the rule set

Default value: false

`absolute`

Data type: Boolean

Make sure that this rule is absolutely first, or last, depending on the setting of first

If first is true, this rule will be at the top of the list
If first is false, this rule will be at the bottom of the list
For all absolute rules, alphabetical sorting still takes place

Default value: false

`order`

Data type: Integer[0]

The order in which the rule should appear

1 is the minimum and 9999999 is the maximum
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules

Default value: 11

`apply_to`

Data type: Iptables::ApplyTo

The IPTables network type to which to apply this rule

ipv4 -> iptables
ipv6 -> ip6tables
all -> Both
auto -> Try to figure it out from the rule, will not pick all

Default value: 'auto'

`trusted_nets`

Data type: Simplib::Netlist

Client networks that should be allowed

Set to any to allow all networks

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

`iptables::listen::udp`

Expose UDP ports to a set of hosts

Examples

Allow UDP Access to `1.2.3.4` and `5.6.7.8`

iptables::listen::udp { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
  dports       => [ 5, '1024:65535' ]
}

### Result

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -p udp -s 1.2.3.4 --dport 5 -j ACCEPT
-A LOCAL-INPUT -p udp -s 5.6.7.8 --dport 5 -j ACCEPT
-A LOCAL-INPUT -p udp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -p udp -s 5.6.7.8 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Parameters

The following parameters are available in the iptables::listen::udp defined type:

dports
first
absolute
order
apply_to
trusted_nets

`dports`

Data type: Iptables::DestPort

The ports that you want to expose

`first`

Data type: Boolean

Prepend this rule to the rule set

Default value: false

`absolute`

Data type: Boolean

Make sure that this rule is absolutely first, or last, depending on the setting of first

If first is true, this rule will be at the top of the list
If first is false, this rule will be at the bottom of the list
For all absolute rules, alphabetical sorting still takes place

Default value: false

`order`

Data type: Integer[0]

The order in which the rule should appear

1 is the minimum and 9999999 is the maximum
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules

Default value: 11

`apply_to`

Data type: Iptables::ApplyTo

The IPTables network type to which to apply this rule

ipv4 -> iptables
ipv6 -> ip6tables
all -> Both
auto -> Try to figure it out from the rule, will not pick all

Default value: 'auto'

`trusted_nets`

Data type: Simplib::Netlist

Client networks that should be allowed

Set to any to allow all networks

Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })

`iptables::ports`

A define to allow for the standardization of the iptables::ports syntax across modules

Parameters

The following parameters are available in the iptables::ports defined type:

ports

`ports`

Data type: Hash

    - udp
    - tcp

`iptables::rule`

Add rules to the IPTables configuration file

Result:

*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :LOCAL-INPUT - [0:0] -A INPUT -j LOCAL-INPUT -A FORWARD -j LOCAL-INPUT -A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT -A LOCAL-INPUT -i lo -j ACCEPT -A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT -A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A LOCAL-INPUT -j LOG --log-prefix "IPT:" -A LOCAL-INPUT -j DROP COMMIT

Examples

Add a TCP Allow Rule

iptables::rule { 'example':
  content => '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'
}

Parameters

The following parameters are available in the iptables::rule defined type:

content
table
first
absolute
order
header
apply_to

`content`

Data type: String

The exact content of the rule that should be added

`table`

Data type: String

The name of the table you are adding to

Usual names include (but are not limited to):
- filter
- mangle
- nat
- raw
- security

Default value: 'filter'

`first`

Data type: Boolean

Prepend this rule to the rule set

Default value: false

`absolute`

Data type: Boolean

Make sure that this rule is absolutely first, or last, depending on the setting of first

If first is true, this rule will be at the top of the list
If first is false, this rule will be at the bottom of the list
For all absolute rules, alphabetical sorting still takes place

Default value: false

`order`

Data type: Integer[0]

The order in which the rule should appear

1 is the minimum and 9999999 is the maximum
The following ordering ranges are suggested (but not enforced):
- 1 -> ESTABLISHED,RELATED rules
- 2-5 -> Standard ACCEPT/DENY rules
- 6-10 -> Jumps to other rule sets
- 11-20 -> Pure accept rules
- 22-30 -> Logging and rejection rules

Default value: 11

`header`

Data type: Boolean

Automatically add the line header -A LOCAL-INPUT

Default value: true

`apply_to`

Data type: Iptables::ApplyTo

The IPTables network type to which to apply this rule

ipv4 -> iptables
ipv6 -> ip6tables
all -> Both
auto -> Try to figure it out from the rule, will not pick all

Default value: 'auto'

Resource types

`ip6tables_optimize`

A name variable, doesn't really do anything

Properties

The following properties are available in the ip6tables_optimize type.

`optimize`

Valid values: true, false

Whether or not to optimize

Default value: true

Parameters

The following parameters are available in the ip6tables_optimize type.

disable
ignore
name
precise_match
provider

`disable`

Valid values: true, false

This is a way to authoritatively disable the application of the iptables module.

Default value: false

`ignore`

Ignore all running iptables rules matching one or more provided Ruby regexes. The regexes are compared against the jump and chain options, as well as the interface name of the running rules and excluded from the synchronization comparison against the new rules.

!!Do not include the beginning and ending slashes in your regular expressions.!!

NOTE: If a rule has been added or removed, this setting ignored and ip6tables will be restarted! If you have services which are affected by this, make sure that they subscribe to Service['ip6tables'] and/or Service['ip6tables'] as appropriate.

Examples:

Preserve all rules whose chain begins with the word 'foo'

ignore => '^foo'

Preserve all rules whose chain begins with the word 'foo' or

ends with the word 'bar'

ignore => ['^foo','bar$']

`name`

namevar

A name variable, doesn't really do anything

`precise_match`

Valid values: true, false

This is enabled by default because it is a more correct approach.

NOTE: You MUST use the exact same syntax that will be returned by ip6tables-save if you enable this option!
For example, you cannot write echo-request for an ICMP echo match, you must instead use 8.

Default value: true

`provider`

The specific backend to use for this ip6tables_optimize resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

`iptables_default_policy`

Manage the default policy on iptables tables built-in chains

Properties

The following properties are available in the iptables_default_policy type.

`policy`

Valid values: ACCEPT, DROP, accept, drop

The IPTables JUMP policy to apply

Default value: DROP

Parameters

The following parameters are available in the iptables_default_policy type.

apply_to
chain
name
provider
table

`apply_to`

Valid values: ipv4, ipv6, all

What version(s) of iptables to which to apply this rule. 'all' is equivalent to ['ipv4', 'ipv6'] as appropriate.

Default value: all

`chain`

namevar

The targeted chain

`name`

A name of the form : to which the resource will be applied

`provider`

The specific backend to use for this iptables_default_policy resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

`table`

namevar

The table that the chain belongs to

`iptables_optimize`

The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.

Properties

The following properties are available in the iptables_optimize type.

`optimize`

Valid values: true, false

Whether or not to optimize

Default value: true

Parameters

The following parameters are available in the iptables_optimize type.

disable
ignore
name
precise_match
provider

`disable`

Valid values: true, false

This is a way to authoritatively disable the application of the iptables module.

Default value: false

`ignore`

!!Do not include the beginning and ending slashes in your regular expressions.!!

NOTE: If a rule has been added or removed, this setting ignored and iptables will be restarted! If you have services which are affected by this, make sure that they subscribe to Service['iptables'] and/or Service['ip6tables'] as appropriate.

Examples:

Preserve all rules whose jump or chain begins with the word 'foo'

ignore => '^foo'

Preserve all rules whose jump or chain begins with the word 'foo' or

ends with the word 'bar'

ignore => ['^foo','bar$']

`name`

namevar

The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.

`precise_match`

Valid values: true, false

This is enabled by default because it is a more correct approach.

NOTE: You MUST use the exact same syntax that will be returned by iptables-save if you enable this option!
For example, you cannot write echo-request for an ICMP echo match, you must instead use 8.

Default value: true

`provider`

The specific backend to use for this iptables_optimize resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

`iptables_rule`

Authoritatively manage iptables rules. This type is atomic, either all rules work, or the old rules are preserved.

Properties

The following properties are available in the iptables_rule type.

`content`

Valid values: /\w+/

The content of the rule that should be added

Parameters

The following parameters are available in the iptables_rule type.

absolute
apply_to
comment
comment_header
first
header
include_comment
name
order
provider
resolve
table

`absolute`

Valid values: true, false

Set to 'true' if you want the rule to be the absolute first or last. This is relative and places items in alphabetical order if multiple absolute first/lasts are specified.

Default value: false

`apply_to`

Valid values: ipv4, ipv6, all, auto

What version(s) of iptables to which to apply this rule. If set to 'auto' (the default) then we'll try to guess what you want and default to ['ipv4','ipv6'].

If 'auto' is set then each line will be evaluated as an independent rule.

Any rules that have IPv4 addresses will be applied to iptables.
Any rules that have IPv6 addresses will be applied to ip6tables.
All other rules will be applied to both utilities.
If in doubt, split your rules and specify your tables!

Default value: auto

`comment`

A comment to add to the rule.

The value of $comment_header will be prepended.

Empty comments (no content and no header) will be discarded.

Content will be truncated at 255 characters, including the header.

Default value: ''

`comment_header`

A header to prepend to all comments for easy visual rule tracking

Default value: SIMP:

`first`

Valid values: true, false

Set to 'true' if you want to prepend your rule.

Default value: false

`header`

Valid values: true, false

Whether or not to auto-include the table LOCAL-INPUT in the rule.

Default value: true

`include_comment`

Valid values: true, false, yes, no

Whether or not to include the value in the $comment paramter

Default value: true

`name`

namevar

The name of the rule. Simply used for creating the unique fragments.

`order`

Valid values: /\d+/

The order in which the rule should appear. 1 is the minimum and 999 is the max.

Default value: 11

`provider`

The specific backend to use for this iptables_rule resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

`resolve`

Valid values: true, false

Whether or not to use DNS resolution to identify hostnames in IPTables statements.

This should probably be left at :true since it is a rare scenario and, should you use this, you will want the rule to go into either iptables or ip6tables correctly.

With this enabled, the IP address that is resolved will be added to IPTables and not the hostname itself.

Default value: true

`table`

The name of the table that you are adding to.

Default value: filter

`xt_recent`

Sets the various options on the running xt_recent kernel module.

If the module needs to be loaded, attempts to load the module.

Properties

The following properties are available in the xt_recent type.

`ip_list_gid`

Valid values: /^\d+$/

Numerical GID for ownership of /proc/net/xt_recent/* files.

Default value: 0

`ip_list_hash_size`

Valid values: /^\d+$/

Hash table size. 0 means to calculate it based on ip_list_tot.

Default value: 0

`ip_list_perms`

Valid values: /^[0-7]{4}$/

Permissions for /proc/net/xt_recent/* files.

Default value: 0640

`ip_list_tot`

Valid values: /^\d+$/

The number of addresses remembered per table. This effectively becomes the maximum size of your block list. Be aware that more addresses means more load on your system.

Default value: 100

`ip_list_uid`

Valid values: /^\d+$/

Numerical UID for ownership of /proc/net/xt_recent/* files.

Default value: 0

`ip_pkt_list_tot`

Valid values: /^\d+$/

The number of packets per address remembered.

Default value: 20

Parameters

The following parameters are available in the xt_recent type.

name
provider

`name`

namevar

The path to the xt_recent variables to be manipulated

`provider`

The specific backend to use for this xt_recent resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

Functions

`iptables::slice_ports`

Type: Ruby 4.x API

Split a stringified Iptables::DestPort into an Array that contain groupings of max_length size.

`iptables::slice_ports(Variant[String,Array[String]] $input, Integer[1] $max_length)`

Split a stringified Iptables::DestPort into an Array that contain groupings of max_length size.

Returns: Array[Array[String]] ]

`input`

Data type: Variant[String,Array[String]]

One or more ports or port ranges, all represented as strings.

`max_length`

Data type: Integer[1]

The maximum length of each group.

`iptables::use_firewalld`

Type: Puppet Language

Returns true if the client can/should use firewalld

`iptables::use_firewalld(Variant[String[1], Boolean] $enable = true)`

Returns true if the client can/should use firewalld

Returns: Boolean

`enable`

Data type: Variant[String[1], Boolean]

The type of enablement to use

true => Do the right thing based on the underlying OS
false => Return false
firewalld => Force firewalld if available

Data types

`Iptables::ApplyTo`

Valid families to which rules should apply

Alias of Enum['ipv4', 'ipv6', 'all', 'auto']

`Iptables::DestPort`

An iptables_rule compatible port range or Array

Alias of Variant[Simplib::Port, Iptables::PortRange, Array[Variant[Simplib::Port, Iptables::PortRange]]]

`Iptables::PortRange`

An iptables-compatible Port Range

Alias of Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$']

Wed Jan 17 2024 Richard Gardner rick@sicura.us - 6.13.1

Fixed missing update to hiera.yaml for puppet 8 support

Tue Oct 24 2023 Steven Pritchard steve@sicura.us - 6.13.0

Add EL9 support

Wed Oct 11 2023 Steven Pritchard steve@sicura.us - 6.12.0

[puppetsync] Updates for Puppet 8
- These updates may include the following:
  - Update Gemfile
  - Add support for Puppet 8
  - Drop support for Puppet 6
  - Update module dependencies

Wed Sep 06 2023 Steven Pritchard steve@sicura.us - 6.11.0

Add AlmaLinux 8 support

Wed Sep 06 2023 Steven Pritchard steve@sicura.us - 6.10.0

Add support for Puppet 8 and stdlib 9
Drop support for Puppet 6
Update gem dependencies
Clean up Gemfile for rubocop

Mon Aug 07 2023 Steven Pritchard steve@sicura.us - 6.9.0

Remove extra gating logic in iptables class

Mon Jun 12 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.8.0

Add RockyLinux 8 support

Mon Jun 05 2023 Chris Tessmer chris.tessmer@onyxpoint.com - 6.7.0

Add RockyLinux 8 support

Sun Feb 13 2022 Trevor Vaughan trevor@sicura.us - 6.6.1

Support Amazon Linux 2

Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.0

Removed support for Puppet 5
Ensured support for Puppet 7 in requirements and stdlib

Wed Mar 10 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.5

Fixed
- Moved the service-relevant files out of install and into service
- Ensure that EL8+ installs iptables-service instead of trying to install the EL7 packages
- Call iptables::install in all enabled modes since firewalld may require the underlying packages

Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.5.5

Removed EL6 support

Mon Nov 16 2020 Liz Nemsick lnemsick.simp@gmail.com - 6.5.4

Fixed a bug in which the iptables services and rules were not managed when iptables::use_firewalld was set to true on an EL6 system.
Fixed an ordering issue with setting xt_recent parameters that could occur on OEL7 nodes. However, there are other issues with xt_recent on OEL that may prevent this module from working on OEL in some circumstances.

Fri Oct 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.3

Ensure that systems that do not have firewalld will not attempt to configure it.

Tue Sep 29 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.2

Fix README.md inaccuracies

Tue Aug 18 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.1

Ensure that all addresses are normalized when rules are processed
Remove nested looped rule normalization of addresses since it is no longer required
Fix normalize_addresses() so that it simply grabs the netmask if present and slaps on the appropriate one if not

Wed Jun 10 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0

Removed the experimental firewalld support
Hooked the module into the new simp/simp_firewalld module

Wed May 27 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0

Fixed some bugs in the 'munge' portions of the native types.
Improved the internal rule matching to handle most netmask and port updates.
Added a exact_match Boolean to the iptables_optimize and ip6tables_optimize native types to allow for more aggressive rule matching.
- This change requires that inbound rules match whatever is returned by iptables-save and/or ip6tables-save to prevent iptables flapping.
Experimental firewalld support
- Added support for voxpupuli/firewalld
- Added an iptables::firewalld_shim class for configuring firewalld in accordance with the current iptables configuration.
- Ensure that the iptables::listen::* will work in firewalld mode
- No work has been done to convert the advanced capabilities such as scanblock.
- Will automatically use firewalld in EL 8
- Allows optional enabling of firewalld in EL 7 by either setting iptables::use_firewalld to true
- IPv6 is not currently supported due to needing to move the auto-detection logic to a higher level. Preferrably, this will go into the upstream firewalld module.

Wed Sep 11 2019 Mark Fitch CodePhase@users.noreply.github.com - 6.3.1

Allow LOCAL-INPUT jump rule in FORWARD and INPUT chains to occur last as a default action through the addition of an iptables::rules::base::force_local_input parameter

Wed Aug 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.1

Allow users to disable adding the 'SIMP:' prefix to the comment
Allow users to disable comments on rules completely
Added REFERENCE.md
Removed outdated 'doc' directory

Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.3.0

Add v2 compliance_markup data

Fri Jun 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.2

Add rule to allow outbound communication over OUTPUT to the loopback device by default.

Mon Jun 10 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.2.1

Allow 'proto' in iptables::ports to be an array

Mon Apr 08 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0

Added 'iptables_default_policy' for modifying the default policy of the 'filter' table on either IPv4 or IPv6.
Added 'iptables::rules::default_drop' to allow users to easily toggle the default drop behavior of the default filter policies.
Removed Puppet 4 support
Added Puppet 6 support

Mon Apr 01 2019 Jim Anderson thesemicolons@protonmail.com - 6.2.0

Added rule to drop 127.0.0.0/8 addresses as defined in RFC 1122 - Section: 3.2.1.3(g).

Mon Mar 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0

Fixed bug in which port ranges specified by iptables::listen::tcp_stateful::dports or iptables::listen::udp::dports could be erroneously split over multiple iptables rules
Replaced deprecated simplib Puppet 3 function slice_array with iptables::slice_ports

Mon Mar 25 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.2.0

Updated puppet template scope API from 3 to newer

Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.7

Update the upper bound of stdlib to < 6.0.0
Update a URL in the README.md

Mon Jan 21 2019 Miguel Cruz mcruz@metrostarsystems.com - 6.1.7

Fix typo in documentation

Thu Nov 01 2018 Jeanne Greulich jeanne.greulichr@onyxpoint.com - 6.1.6

static asset updates for puppet 5

Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.6

Changed $package_ensure from 'latest' to 'installed'
- It will also respect simp_options::package_ensure

Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.6

Drop Hiera 4 support

Thu May 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.5

Perform deep rule comparison on rulesets that are otherwise identical
Remove chances for memory leaks due to the design of iptables_rule
Set init script permissions back to the RPM defaults of 0755

Thu May 03 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.4

Remove erroneous native IPTables jump point retention

Wed May 02 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.3

Fix issue where a jump target went to an empty ruleset and the chain was dropped
Retain all native IPTables jump points by default
Add == method for IPTables Rulesets

Sun Mar 11 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.2

Added support for OEL 6 and 7
Added Puppet 5 acceptance tests

Mon Jan 22 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1

Fixed bugs in the chain retention and optimization code that would cause iptables to fail to reload in some situations.

Mon Jan 22 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1

This commit moves the logic that parses the iptables::ports Hash into a define, to make it possible to use the same hash format in other modules without copying code.
There was also a bug where compilation would fail if proto was specified in the defaults section of the Hash.

Mon Dec 04 2017 Some Dude 7zbayf+sw1l67jjhlbk@sharklasers.com - 6.1.0-0

Fixed a bug in the order of the IPTables rules in scanblock module
- Previously, IPTables would not block connections from banned IPs that were accessing open ports.

Thu Nov 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0

Added the ability to ignore interfaces using the 'ignore' regex array
Fixed issues with ignoring rules and added some optimization
No longer apply IPTables rules in the optimization phase and simply wait for the downstream service to trigger

Thu Aug 10 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0

Updated iptables::listen::tcp_stateful example to pass valid Iptables::DestPort types to dports

Wed May 24 2017 Brandon Riden brandon.riden@onyxpoint.com - 6.0.1-0

Added a workaround for Puppet 4.10 type issues
- There was a bug in Puppet where all lookup() Hash keys were being converted into Strings even if they were another data type
- This is fixed in Puppet > 4.10.2 but this patch will remain for backwards compatibility
Update puppet dependency in metadata.json
Remove OBE pe dependency in metadata.json

Thu Jan 13 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0

Added a feature to add resources via hiera

Wed Jan 11 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0

Removed the legacy call to Facter in the 'xt_recent' 'set' provider

Wed Dec 07 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0

Renamed the global catalyst 'client_nets' to 'trusted_nets'

Wed Nov 09 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0

Fixed bug in the set provider for the xt_recent type that required manual modifications to the permissions for the /sys/module/xt_recent/parameters/* files, in order for the scanblock capability to be enabled.
Fixed bugs in the xt_recent type and its set provider that caused Puppet to believe /sys/module/xt_recent/parameters/ip_list_perms file content had changed when it had not.
Eliminated use of deprecated Puppet.newtype
Updated to compliance_markup version 2

Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.5-0

Updated the ip6tables_optimize provider so that it works in Puppet 4

Fri Aug 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.4-0

Ensure that the SELinux context on the init scripts is correct so that the runs are idempotent

Thu Jul 07 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0

Fixed an issue with the remote lookup regular expression processing in Ruby 1.8

Mon May 16 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.2-0

Sanitized fact references to run under STRICT_VARIABLES=yes

Wed Apr 13 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.1.1-0

Changed default provider of services to redhat

Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.1.0-17

Removed custom type deprecation warning

Fri Feb 19 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-16

Added compliance function support

Tue Jan 26 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-15

Normalized common static module assets

Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-14

migration to simplib and simpcat (lib/ only)

Mon Jul 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13

Added an iptables::prevent_localhost_spoofing class to handle IPv6 spoofed communication.

Wed Jul 08 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-12

Updated iptables::disable's default to look up 'use_iptables' from hiera.
Fixed iptables::disable to disable management of IPv4 rules.

Mon Apr 27 2015 Michael Riddle mriddle@onyxpoint.com - 4.1.0-11

Implemented a workaround for ports being read in as valid ipv6 addresses on iptables lines that don't contain any ipaddress. Any iptables lines containing a port with no ipaddress would only validate as an ipv6 rule.

Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10

Fixed DNS resolution in the IPTables provider. Unfortunately, this never actually worked as implemented.

Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9

Changed puppet-server requirement to puppet

Tue Aug 05 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8

Changed all top-scope class variable calls to actual global variables. This isn't great, but there isn't an elegant way to do this inside Puppet right now.
Update to fix the scenario where the /etc/sysconfig/ip*tables files don't exist.
Fixed a typo where the ip6tables-retry script was really calling iptables.

Tue Jul 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-7

Added CentOS as a supported OS as part of CentOS 7 upgrade.

Thu Jun 26 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6

Provide for RHEL7 compatiblity.
Added an iptables::disable option that will disable our IPTables enforcement by way of telling optimize to effectively noop.
Rewrote most of the IPTables native type to be more maintainable.
Added a new option iptables::authoritative which, when set, ties iptables_optimize to the iptables service. When not set, optimize will simply do what it can on the chains that it knows about. This is new and may need a bit more work on some edge cases.

Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5

Removed MD5 file checksums for FIPS compliance.

Tue Apr 29 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4

Updated the optimize code to ignore matches in both chains and jumps.

Tue Apr 15 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4

Ensure that DNS lookups are sorted so that iptables does not continually restart.
Moved the default rules out of sec and into iptables::base_rules.
Updated the iptables class to call out to base_rules and scanblock based on parameters.

Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3

Updated all string booleans to native booleans in manifests and templates.

Wed Dec 11 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2

Updated the rule comparison code in iptables_rule to properly compare the new and old rules.
Properly handle blank lines in the /etc/sysconfig/ip*tables files.
Fixed the providers to properly handle the case where /etc/sysconfig/iptables is absent and/or the commands are at alternate paths.

Thu Nov 21 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1

Made several changes to the iptables_rule custom type to:
- Now resolves all hostnames in the rules by default. This can be disabled but may cause issues with the autodiscovery between ipv4
- Ensure that the -A header is not prepended to a rule if it already has a header value.
- Ensure that no rules attempt to be added if they belong to a table that is not valid for the given ip*tables type.

Tue Nov 19 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.1-1

Fixed an issue in iptables_optimize where a situation could arize that would cause the table definitions to not be properly loaded and the iptables reload to fail.

Thu Oct 10 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.1-0

Removed all calls to the Puppet FileLocking classes which get removed in later versions of Puppet.
Added an iptables::scanblock class which will work to semi-permanently block any IP address that is prodding your host. This is mainly intended for Internet facing hosts.
The IPTables module custom types were almost completely rewritten.
The iptables_requires_restart facts are gone and you can now pass an array of regular expressions to the 'ignore' variable of the iptables class and have it ignore running rules with targets matching any of the expressions when deciding to restart iptables.

Fri Oct 04 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-1

Updated template to reference instance variables with @

Wed Jul 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0

CRIT: There was a severe bug in allow_all_services.erb that would make any call to iptables::add_all_listen open IPTables to all hosts. This has been corrected.
Updated the ip*tables_requires_restart facts to only select on the -j options no matter what order they are in.
Added a call to 'validate_net_list' to all iptables defines so that incorrect client_nets arrays fail hard.

Tue Jan 08 2013 Maintenance 2.1.0-6

Added two new facts: iptables_requires_restart and ip6tables_requires_restart that replace the ip(6)?tables_running and ip(6)?tables_saved facts. The old facts simply were not accurate enough for complex situations.
Update to fix the ability of the iptables rule mechanisms to handle rules with over 15 ports.
Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.

Fri Oct 19 2012 Maintenance 2.1.0-5

Removed one line in the iptables_rule type that caused the type to fail if ipv6 wasn't enabled on the target system.

Tue Sep 18 2012 Maintenance 2.1.0-4

Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.

Fri Aug 17 2012 Maintenance 2.1.0-3

Moved all dynamic resource creation and checking to 'finish' instead of 'initialize' in the custom type.

Tue Jul 24 2012 Maintenance 2.1.0-2

Fix all instances of 'IPT:' instead of "IPT:"

Tue Jun 26 2012 Maintenance 2.1.0-1

Trigger ip6?tables restart when rules change on the host regardless of the count.

Thu Jun 07 2012 Maintenance 2.1.0-0

Ensure that Arrays in templates are flattened.
Call facts as instance variables.
Rewrote the iptables templates to more efficiently handle checking for the 'any' case.
Moved mit-tests to /usr/share/simp...
This is a massive rewrite of the iptables module that adds native support for ip6tables as well as some magical rule munging that should make life easier.
The old methods have been kept around for backward compatibliity purposes.
Rules are now also optimized before being written and ip(6)tables will try to fall back to the previous configuration upon restart.
This is not the Puppet Labs module since that one a) doesn't let you add artibrary rules and b) modifies rules on the fly which turned out to be quite dangerous at times. This is more of an all-or-nothing approach.
More will be added to the native type as time allows.

Fri Mar 02 2012 Maintenance 2.0.0-6

Added a startup script, iptables-retry to try and restart iptables after networking starts just in case a rule was added with an fqdn.
Updated the iptables startup script to the latest version.
Reformatted all code to meet Puppet Labs' guidance.
Improved test stubs.
Added a check in the custom facts to not call iptables if service iptables status doesn't return anything.

Mon Dec 26 2011 Maintenance 2.0.0-5

Updated the spec file to not require a separate file list.
Scoped all of the top level variables.

Mon Dec 05 2011 Maintenance 2.0.0-4

No longer print the status messages when nothing needs to happen. These can be enabled using the $class_debug variable.

Mon Oct 10 2011 Maintenance 2.0.0-3

Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.

Mon Sep 12 2011 Maintenance 2.0.0-2

Ensure that the iptables_running fact does not do DNS lookups.

Mon Apr 18 2011 Maintenance - 2.0.0-1

Changed puppet://$puppet_server/ to puppet:///
Updated to use concat_build and concat_fragment types.

Tue Jan 11 2011 Maintenance 2.0.0-0

Refactored for SIMP-2.0.0-alpha release

Tue Oct 26 2010 Maintenance - 1-1

Converting all spec files to check for directories prior to copy.

Fri May 21 2010 Maintenance 1.0-0

Doc update and code refactor

Fri May 07 2010 Maintenance 0.1-20

Added a fact, iptables_running that returns the number of rules in the running iptables.
Added a fact, iptables_saved that returns the number of rules in the saved iptables rule set.
Added a check to see if the running IPTables ruleset has fewer rules than the specified IPTables ruleset. If it does, have IPTables reload.

Sat Feb 13 2010 Maintenance 0.1-19

Moved the ESTABLISHED/RELATED rule to the top of the stack.

Thu Jan 28 2010 Maintenance 0.1-18

The IPTables service now uses iptables-restore instead of 'service iptables restart' to restart iptables. This means that no state will be lost due to spurious iptables restarts.

Mon Nov 02 2009 Maintenance 0.1-17

Added the ability to have custom comments above each entry.
Now remove any subsequent duplicate entries comments will, of course, cause problems with this.

pupmod-simp-iptables - A Puppet Module for managing IPTables

--

Per Section 105 of the Copyright Act of 1976, these works are not entitled to
domestic copyright protection under US Federal law.

The US Government retains the right to pursue copyright protections outside of
the United States.

The United States Government has unlimited rights in this software and all
derivatives thereof, pursuant to the contracts under which it was developed and
the License under which it falls.

---

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Modules

Discover

Contribute

Resources

About Forge

Getting Started

iptables

Version information

This version is compatible with:

Start using this module

Documentation

Table of Contents

Overview

This is a SIMP module

Module Description

Setup

What iptables affects

Beginning with iptables

I want a basic secure iptables setup

Usage

I want to open a specific port or allow access

This module doesn't cover my specific iptables rule

Firewalld Mode

Enabling Firewalld Mode

Reference

Limitations

Development

Acceptance tests

Reference

Table of Contents

Classes

Defined types

Resource types

Functions

Data types

Classes

iptables

Parameters

enable

use_firewalld

ensure

ipv6

class_debug

optimize_rules

precise_match

ignore

default_rules

scanblock

prevent_localhost_spoofing

ports

iptables::install

Parameters

ipv4_package

ipv6_package

iptables::rules::base

Parameters

allow_ping

drop_broadcast

drop_loopback

drop_multicast

force_local_input

iptables::rules::default_drop

Parameters

filter_input

filter_forward

filter_output

iptables::rules::mod_recent

Parameters

notify_iptables

ip_list_tot

ip_pkt_list_tot

ip_list_hash_size

ip_list_perms

ip_list_uid

ip_list_gid

iptables::rules::prevent_localhost_spoofing

iptables::rules::scanblock

Management

Parameters

enable

`iptables`

`enable`

`use_firewalld`

`ensure`

`ipv6`

`class_debug`

`optimize_rules`

`precise_match`

`ignore`

`default_rules`

`scanblock`

`prevent_localhost_spoofing`

`ports`

`iptables::install`

`ipv4_package`

`ipv6_package`

`iptables::rules::base`

`allow_ping`

`drop_broadcast`

`drop_loopback`

`drop_multicast`

`force_local_input`

`iptables::rules::default_drop`

`filter_input`

`filter_forward`

`filter_output`

`iptables::rules::mod_recent`

`notify_iptables`

`ip_list_tot`

`ip_pkt_list_tot`

`ip_list_hash_size`

`ip_list_perms`

`ip_list_uid`

`ip_list_gid`

`iptables::rules::prevent_localhost_spoofing`

`iptables::rules::scanblock`

`enable`

`seconds`

`hitcount`

`set_rttl`

`update_interval`

`logs_per_minute`

`ip_list_tot`

`ip_pkt_list_tot`

`ip_list_hash_size`

`ip_list_perms`

`ip_list_uid`

`ip_list_gid`

`iptables::service`

`enable`

`ipv6`

`iptables::listen::all`

Open Access to Hosts ``1.2.3.4` and `5.6.7.8`

`first`

`absolute`

`order`

`apply_to`

`trusted_nets`

`iptables::listen::icmp`

Allow `ping` From `1.2.3.4` and `5.6.7.8`

`icmp_types`

`first`

`absolute`

`order`

`apply_to`

`trusted_nets`

`iptables::listen::tcp_stateful`

`dports`

`first`

`absolute`

`order`

`apply_to`

`trusted_nets`

`iptables::listen::udp`

Allow UDP Access to `1.2.3.4` and `5.6.7.8`

`dports`

`first`

`absolute`

`order`

`apply_to`