79 lines
2.4 KiB
Puppet
79 lines
2.4 KiB
Puppet
# Class: iptables
|
|
#
|
|
# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
|
|
#
|
|
# params:
|
|
# rules4: A list of additional iptables v4 rules
|
|
# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
|
|
# rules6: A list of additional iptables v6 rules
|
|
# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
|
|
# public_tcp_ports: List of integer TCP ports on which to allow all traffic
|
|
# public_udp_ports: List of integer UDP ports on which to allow all traffic
|
|
class iptables(
|
|
$rules4 = [],
|
|
$rules6 = [],
|
|
$public_tcp_ports = [],
|
|
$public_udp_ports = []
|
|
) {
|
|
package { 'iptables-persistent':
|
|
ensure => present,
|
|
}
|
|
|
|
service { 'iptables-persistent':
|
|
require => Package['iptables-persistent'],
|
|
# Because there is no running process for this service, the normal status
|
|
# checks fail. Because puppet then thinks the service has been manually
|
|
# stopped, it won't restart it. This fake status command will trick puppet
|
|
# into thinking the service is *always* running (which in a way it is, as
|
|
# iptables is part of the kernel.)
|
|
hasstatus => true,
|
|
status => true,
|
|
# Under Debian, the "restart" parameter does not reload the rules, so tell
|
|
# Puppet to fall back to stop/start, which does work.
|
|
hasrestart => false,
|
|
}
|
|
|
|
file { '/etc/iptables':
|
|
ensure => directory,
|
|
}
|
|
|
|
file { '/etc/iptables/rules':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0640',
|
|
content => template('iptables/rules.erb'),
|
|
require => [
|
|
Package['iptables-persistent'],
|
|
File['/etc/iptables'],
|
|
],
|
|
# When this file is updated, make sure the rules get reloaded.
|
|
notify => Service['iptables-persistent'],
|
|
}
|
|
|
|
file { '/etc/iptables/rules.v4':
|
|
ensure => link,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0640',
|
|
target => '/etc/iptables/rules',
|
|
require => File['/etc/iptables/rules'],
|
|
notify => Service['iptables-persistent'],
|
|
}
|
|
|
|
file { '/etc/iptables/rules.v6':
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0640',
|
|
content => template('iptables/rules.v6.erb'),
|
|
require => [
|
|
Package['iptables-persistent'],
|
|
File['/etc/iptables'],
|
|
],
|
|
# When this file is updated, make sure the rules get reloaded.
|
|
notify => Service['iptables-persistent'],
|
|
replace => true,
|
|
}
|
|
}
|