commit d8056447b8cf145a48914ce7aa14ee77659fba11
Author: James E. Blair
Date: Mon Aug 8 21:31:23 2011 +0000

Add iptables module and rules to puppet.

Change-Id: I3ed4896dd13f0de26c287a34f8a8e858d21a4634

diff --git a/manifests/init.pp b/manifests/init.pp
new file mode 100644
index 0000000..f6cae81
--- /dev/null
+++ b/manifests/init.pp
@@ -0,0 +1,41 @@
+#http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
+
+class iptables($rules='', $public_tcp_ports=[], $public_udp_ports=[]) {
+ package {
+ "iptables-persistent": ensure => present;
+ }
+
+ service { "iptables-persistent":
+ require => Package["iptables-persistent"],
+
+ # Because there is no running process for this service, the normal status
+ # checks fail. Because puppet then thinks the service has been manually
+ # stopped, it won't restart it. This fake status command will trick puppet
+ # into thinking the service is *always* running (which in a way it is, as
+ # iptables is part of the kernel.)
+ hasstatus => true,
+ status => "true",
+
+ # Under Debian, the "restart" parameter does not reload the rules, so tell
+ # Puppet to fall back to stop/start, which does work.
+ hasrestart => false,
+
+ }
+
+ file { "/etc/iptables":
+ ensure => directory
+ }
+
+ file {
+ "/etc/iptables/rules":
+ owner => "root",
+ group => "root",
+ mode => 640,
+ content => template('iptables/rules.erb'),
+ require => [Package["iptables-persistent"], File["/etc/iptables"]],
+
+ # When this file is updated, make sure the rules get reloaded.
+ notify => Service["iptables-persistent"],
+ ;
+ }
+}
diff --git a/templates/rules.erb b/templates/rules.erb
new file mode 100644
index 0000000..382689a
--- /dev/null
+++ b/templates/rules.erb
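Review bot: `mode => 640` on the `/etc/iptables/rules` resource is an unquoted integer; Puppet's style guide wants file modes as a quoted four-digit octal string, so this should read `mode => '0640',`, which is unambiguous across Puppet versions and matches what the manifest intends (root-only read of the rule set). The `/etc/iptables` directory resource just above only sets `ensure => directory` and so takes default ownership and permissions; for consistency with the rules file it would be worth pinning them there too, e.g. `owner => 'root', group => 'root', mode => '0750',`. Separately, the faked `status => "true"` means that if a generated rules file is rejected by the persistent-rules loader on a later run, Puppet presumably will not notice on its own since it only acts on the notify from the file change; that limitation deserves a sentence in the existing comment block.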
@@ -0,0 +1,27 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A FORWARD -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# SNMP from openstack cacti
+-A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
+# Public TCP ports
+<% public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Public UDP ports
+<% public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>
+# Per-host rules
+<%= rules %>
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT
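Review bot: The SNMP rule hard-codes the source address `50.57.120.246` inside the template, so changing the monitoring host means editing the module rather than the class parameters; it would fit the rest of the design better as a parameter of the `iptables` class, e.g. `-A openstack-INPUT -m udp -p udp --dport 161 -s <%= snmp_source %> -j ACCEPT` with a matching `$snmp_source` parameter in init.pp. The `<%= port %>` and `<%= rules %>` expansions are written into the rule set unvalidated, so a non-numeric port entry or a malformed per-host rule string will presumably make the whole file fail to load rather than just that one rule; a one-line check in the manifest that each port is an integer, and a comment on `# Per-host rules` stating that `$rules` must be complete iptables-restore lines, would make that contract explicit. Note also that this template only produces IPv4 rules; if the hosts have IPv6 addresses, that traffic is presumably not covered by this file and that should be stated in a comment at the top of the template.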