iptables

Puppet module for foo

Project URL RSS Feed Report issues

Module Stats

75,507 downloads

22,810 latest version

2.0 quality score

Version information

released Nov 22nd 2013

This module has been deprecated by its author since Oct 28th 2019.

The reason given was: No longer maintained

The author has suggested puppetlabs-firewall as its replacement.

Start using this module

Installation method

Add this module to your Puppetfile:

mod 'example42-iptables', '2.1.3'

Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add example42-iptables

Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install example42-iptables --version 2.1.3

Documentation

example42/iptables — version 2.1.3 Nov 22nd 2013

Puppet module: iptables

This is a Puppet module for iptables based on the second generation layout ("NextGen") of Example42 Puppet Modules.

Made by Alessandro Franceschi / Lab42

Official site: http://www.example42.com

Official git repository: http://github.com/example42/puppet-iptables

Released under the terms of Apache 2 License.

This module requires functions provided by the Example42 Puppi module (you need it even if you don't use and install Puppi)

DESCRIPTION:

This module manages iptables. In order to have functionality and flexibility some design decisions have been enforced:

Rules are based on a iptables-save format file.
On RedHat/Centos systems it has been followed the standard iptables service approach
On Debian/Ubuntu the same approach is achived via the iptables-persistent package
Custom firewall solutions and builders are ignored or disabled (Shorewall, Ufw...)

The rules configuration can be made in two ways:

File Mode: Providing custom iptables files (as static files or templates)
Concat Mode: Buildind up rules files with concat (this is the default choice and allows dynamic automatic firewalling rules with Example42 firewall extension)

USAGE - Overrides and Customizations

Default usage (Concat mode). It follows these defaults:
- Default policy is ACCEPT (to permit reachability in case of syntax errors)
- Last rule of every chain is a DENY as defined by $iptables_block_policy
- Intermediate rules are generally ACCEPTs
- Localhost and established traffic is ALLOWED

So a simple:

    class { 'iptables':
    }

Allows SSH access on port TCP 22
Allows ping and all ICMP packets
Allows localhost and established traffic
Allows outbound traffic
Allows multicast and broadcast traffic
Blocks everything else

Use custom sources for iptables file

  class { 'iptables':
    config => 'file', # This is needed to activate file mode
    source => [ "puppet:///modules/lab42/iptables/iptables-${hostname}" , "puppet:///modules/lab42/iptables/iptables" ], 
  }

Use custom template for iptables file. Note that template and source arguments are alternative.

  class { 'iptables':
    config => 'file', # This is needed to activate file mode
    template => 'example42/iptables/iptables.conf.erb',
  }

Automatically include a custom subclass

  class { 'iptables':
    my_class => 'iptables::example42',
  }

CONCAT MODE SPECIFIC USER VARIABLES:

In concat mode some parameters define the general behaviour:

$block_policy *

Define what to do with packets not expressively accepted:

drop (Default) - DROP them silently
reject - REJECT them with ICMP unreachable
accept - ACCEPT them (Beware, if you do this you have no firewall :-)
$icmp_policy *

Define what to to with ICMP packets

drop - DROP them all
safe - ALLOW all ICMP types except echo & reply (Ping)
accept (Default) - ACCEPT them all
$output_policy *

Define what to to with outbound packets

drop - DROP them (except for established and localhost
accept (Default) - ACCEPT them
$log *

Define what you what to log (all | dropped | none)

$log_level *

Define the level of logging (numeric or see syslog.conf(5))

$safe_ssh *

Define if you want to force the precence of a rule that allows access to SSH port (tcp/22).

$broadcast_policy *

Define what to do with INPUT broadcast packets

drop - Treat them with the $iptables_block_policy
accept (Default) - Expressely ACCEPT them
$multicast_policy *

Define what to do with INPUT multicast

"drop" - Treat them with the $iptables_block_policy
"accept" (Default) - Expressely ACCEPT them

So for example for a stricter setup, compared to default:

    class { 'iptables':
      config           => 'concat', # This enforces concat mode (Default value)
      safe_ssh         => false,
      broadcast_policy => 'drop',
      multicast_policy => 'drop',
      icmp_policy      => 'drop',
      output_policy    => 'drop',
    }

IPv6 specific configuration

In order to enable IPv6 there have to be configured two parts:

iptables should be IPv6 enabled: class{ 'iptables' : enable_v6 => true, }
then iptables::rules can be IPv6 enabled also: iptables::rule { 'http': port => '80', protocol => 'tcp', enable_v6 => true, }

If specific source / destination adresses should be used, a definition will look like: iptables::rule { 'http': source => '10.42.0.0/24', source_v6 => '2001:0db8:3c4d:0015:0000:0000:abcd:ef12', destination => '$ipaddress_eth0', destination_v6 => '2001:470:27:37e::2/64', port => '80', protocol => 'tcp', enable_v6 => true, }

Usage of iptables module with Example42 automatic firewalling

The concat mode of this module is particularly useful when used with Example42's automatic firewalling features.

You can enable them either setting a topscope variable or passing the firewall => true parameter to a (nextgen) class.

You have also to set firewall_tool => 'iptables'.

So, for example, you can enable site wide automatic firewalling with:

    $::firewall = true
    $::firewall_tool = 'iptables'

and then whenever you add a NextGen Example42 module to a node, it's port is automatically openened (to every ip).

If you want to have better control on who can access to that port, you can use the firewall_src parameter and you can define the destination IP with the firewall_dst one. For example the following accepts connections on MySql port only form 10.42.42.42/32 on eth1:

    class { 'mysql':
      firewall_src  => '10.42.42.42/32', # Allowed source
      firewall_dst  => $ipaddress_eth1,  # Destination IP (default is $ipaddress
    }

Module specific defines

All the single rules in Concat mode are managed by the iptables::rule define. You can use it to automatically allow access from all your nodes when you don't know their address upstream (for example in the cloud)

    @@firewall { $hostname:
      source => $ipaddress,
      tag    => prod,
    }
    Firewall <| tag == prod |>

If you have a single node from where you want to ensure access you can also do something like:

    firewall { 'alfa': source => '42.42.42.42', }

Copyright (C) 2013 Alessandro Franceschi / Lab42

for the relevant commits Copyright (C) by the respective authors.

Contact Lab42 at: info@lab42.it

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Modules

Discover

Contribute

Resources

About Forge

Getting Started