In change Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3 we zeroed out
/etc/sysconfig/iptables, but we did not take care of ipv6. This change
is meant to take care of the ipv6 part of the problem.
When including this element we empty the stock /etc/sysconfig/ip6tables
file as shipped by the iptables rpm package. The reason for this is that
puppet firewall has a hard time coping with existing rules when
/etc/sysconfig/iptables is populated and the iptables service is not
active. The referenced bug has a full explanation for the problem.
Note that ipv6 is slightly more delicate because we will also need a puppet-tripleo
change that implements the dhcpv6 rule that is contained by default
in /etc/sysconfig/ip6tables:
Depends-On: If22080054b2b1fa7acfd101e8c34d2707e8e7864
Change-Id: I0dee5ff045fbfe7b55d078583e16b107eec534aa
Partial-Bug: #1657108
When including this element we empty the stock /etc/sysconfig/iptables
file as shipped by the iptables rpm package. The reason for this is that
puppet firewall has a hard time coping with existing rules when
/etc/sysconfig/iptables is populated and the iptables service is not
active. The referenced bug has a full explanation for the problem.
Partial-Bug: #1657108
Change-Id: Iddc21316a1a3d42a1a43cbb4b9c178adba8f8db3
RedHatEnterpriseWorkstation is a variant of RHEL 7, and a possible
output from "lsb_release -si", so add-rule needs to support checking for
that value.
Change-Id: Ie57ba4e94a50129737018d63b121d4c0b1dcc6dc
iptables rules should not be saved on install
of iptables-persistent as rules may leak from
your build environment into your vms.
Use DISTRO_NAME in this element.
Change-Id: I0d61c5453804ef8671ea91b2594f218958b5068f
On Debian, the iptables-persistent service has been renamed to
netfilter-persistent. The svc-map includes both default, ubuntu,
and debian as ubuntu will "fall back" to debian as they are considered
the same family of distro.
Change-Id: I180a580820015a60ceb2221873a38ebbb06cf953
Use the iptables-persistent package
to implement persistence of iptables during a reboot
for Ubuntu and Debian.
Entries are saved to /etc/iptables/rules* on add-rule.
These entries are restored on reboot.
(Note: in later versions iptables-persistent is replaced
by netfilter-persistent, with plugins in iptables-persistent.)
Change-Id: I44b625111d5db34a444c5aa4f6e31c6009c8a6f5
We currently use the add-rule script to create iptables rules that allow
the cloud we deployed to function.
These iptables rules are required on RedHat based distros that have a
default deny-all policy; but they're also useful on Debian distros if
the operators turn on a deny-all policy as part of locking down their
environment. It would be useful if these operators could leverage the
work RedHat has done to get the Debian distro working.
This change adds a check for Debian and allows the add-rule script to
run, as a first step towards full support for Debian-based distros.
Also, install.d installs iptables and there is a Debian-specific change.
Change-Id: Iea773d37b18c15a417896e93e29bcdc1e20096ac
Closes-Bug: #1351412
Applies iptables configuration based on an input file and the current
iptables state. This script is used to perform idempotent operations,
e.g. to prevent adding duplicate rules.
Sample input:
-N stunnel-INPUT
-A stunnel-INPUT -p tcp -m tcp --dport 4433 -j REJECT
-A stunnel-INPUT -j RETURN
-I INPUT -p tcp -j stunnel-INPUT
Unlike 'iptables-restore --noflush' the script is idempotent.
Change-Id: I8eef1361ea90647507cf596f7bfc81815e32a96e
Partially implements: blueprint os-iptables-scripts
There are a few in the tree that don't have it and should. This
will allow future enforcement of this to avoid files being
committed with the wrong mode set.
Change-Id: Ie22a663a230f087b678c01a16219e1c5b7e237c0
Creates a common iptables element where the logic required
to handle iptables rules is consolidated. This change uses
the check (-C) argument to check whether a rule matching
the specification does exist in the selected chain. Based
on the exit code of the check, a rule is added to iptables.
There is no longer a need to store an .ok file in a stateful
manner.
Change-Id: Ib746ff487a286557a05f9d39ab330853564ef98f
Closes-Bug: 1269151
Co-Authored-By: Ronelle Landy <rlandy@redhat.com>
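The check-before-add logic described in the two messages above (the input-file script with its sample rules, and the add-rule change that relies on the -C check) as one added example; this is not diskimage-builder's own add-rule script. The names write_sample_rules, apply_line and apply_file and the IPTABLES override variable (so the same loader serves ip6tables, or a test double) are assumptions; the rule file format is the sample input quoted above.

```shell
#!/bin/sh
# Idempotent iptables loader (hypothetical example, not the dib add-rule script).
# IPTABLES may be overridden, e.g. IPTABLES=ip6tables, or pointed at a test double.
IPTABLES="${IPTABLES:-iptables}"

# Write the constructed sample rule file (the commit message's sample input) to "$1".
write_sample_rules() {
    cat > "$1" <<'EOF'
-N stunnel-INPUT
-A stunnel-INPUT -p tcp -m tcp --dport 4433 -j REJECT
-A stunnel-INPUT -j RETURN
-I INPUT -p tcp -j stunnel-INPUT
EOF
}

# Apply a single rule line only if its effect is not already present.
apply_line() {
    # shellcheck disable=SC2086
    set -- $1                         # word-split the line into iptables arguments
    case "$1" in
        -N)
            # Create the chain only when listing it fails (chain absent).
            "$IPTABLES" -n -L "$2" >/dev/null 2>&1 || "$IPTABLES" -N "$2"
            ;;
        -A|-I)
            action="$1"; shift
            # -C exits 0 when a rule matching the spec exists in the chain,
            # 1 when it does not; add (append or insert) only on a miss.
            "$IPTABLES" -C "$@" >/dev/null 2>&1 || "$IPTABLES" "$action" "$@"
            ;;
        *)
            echo "unsupported rule line: $*" >&2
            return 1
            ;;
    esac
}

# Apply every non-blank, non-comment line of the rule file "$1", in order.
# Running it twice leaves the ruleset unchanged, unlike iptables-restore --noflush.
apply_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        apply_line "$line" || return 1
    done < "$1"
}

if [ "$#" -gt 0 ]; then
    apply_file "$1"
fi
```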