Support side-loading iptables rules
This brings the concat module in to manage the iptables rules files piecewise. This creates three new defined types to allow side-loading of iptables rules from other puppet code. Change-Id: I2d425d7671ad672a372c19ac60ef6196e8942ce9
parent
edda5ec179
commit
d27c9566de
35
README.md
35
README.md
|
@ -1,3 +1,38 @@
|
|||
# OpenStack IPTables Module
|
||||
|
||||
This module installs and configures IPTables
|
||||
|
||||
Works on RedHat and Debian systems.
|
||||
|
||||
It has, for now, hardcoded openstack-infra addresses.
|
||||
|
||||
The typical entry point to this module is through the openstack_project::server class
|
||||
|
||||
class { 'openstack_project::server':
|
||||
sysadmins => ['derp'],
|
||||
iptables_public_tcp_ports => [4444, 2121],
|
||||
}
|
||||
|
||||
|
||||
It is also possible to 'side load' iptables rules. The defined types below apply both ipv4 and ipv6 rules. These defines can be applied multiple times.
|
||||
|
||||
iptables::tcp_allow { 'allow port 80 conns':
|
||||
port => 80,
|
||||
}
|
||||
|
||||
iptables::tcp_allow { 'allow port 90 and 100 conns':
|
||||
ports => [90, 100],
|
||||
}
|
||||
|
||||
iptables::udp_allow { 'allow port 80 conns':
|
||||
port => 80,
|
||||
}
|
||||
|
||||
iptables::udp_allow { 'allow port 90 and 100 conns':
|
||||
ports => [90, 100],
|
||||
}
|
||||
|
||||
iptables::rules { 'Allow statsd':
|
||||
rules4 => ['-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT'],
|
||||
rules6 => ['-m udp -p udp -s ::1 --dport 8125 -j ACCEPT'],
|
||||
}
|
||||
|
|
|
@ -42,18 +42,23 @@ class iptables(
|
|||
}
|
||||
|
||||
file { $::iptables::params::rules_dir:
|
||||
ensure => directory,
|
||||
require => Package['iptables'],
|
||||
ensure => directory,
|
||||
require => Package['iptables'],
|
||||
}
|
||||
|
||||
# This file is not required on Red Hat distros... but it
|
||||
# won't hurt to softlink to it either
|
||||
file { "${::iptables::params::rules_dir}/rules":
|
||||
# build it up with concat
|
||||
# 0xx Headers
|
||||
# 1xx TCP
|
||||
# 2xx UDP
|
||||
# 3xx HOSTS
|
||||
# 9xx Footers
|
||||
concat { "${::iptables::params::rules_dir}/rules":
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => template('iptables/rules.erb'),
|
||||
require => [
|
||||
Package['iptables'],
|
||||
File[$::iptables::params::rules_dir],
|
||||
|
@ -62,6 +67,38 @@ class iptables(
|
|||
notify => $notify_iptables,
|
||||
}
|
||||
|
||||
|
||||
concat::fragment { 'iptables-4-header':
|
||||
target => "${::iptables::params::rules_dir}/rules",
|
||||
content => template('iptables/rules4_header.erb'),
|
||||
order => '01'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-4-tcp':
|
||||
target => "${::iptables::params::rules_dir}/rules",
|
||||
content => template('iptables/rules4_tcp.erb'),
|
||||
order => '100'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-4-udp':
|
||||
target => "${::iptables::params::rules_dir}/rules",
|
||||
content => template('iptables/rules4_udp.erb'),
|
||||
order => '200'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-4-raw':
|
||||
target => "${::iptables::params::rules_dir}/rules",
|
||||
content => template('iptables/rules4_raw.erb'),
|
||||
order => '300'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-4-footer':
|
||||
target => "${::iptables::params::rules_dir}/rules",
|
||||
content => template('iptables/rules4_footer.erb'),
|
||||
order => '999'
|
||||
}
|
||||
|
||||
|
||||
file { $::iptables::params::ipv4_rules:
|
||||
ensure => link,
|
||||
owner => 'root',
|
||||
|
@ -72,18 +109,53 @@ class iptables(
|
|||
notify => $notify_iptables,
|
||||
}
|
||||
|
||||
file { $::iptables::params::ipv6_rules:
|
||||
# build it up with concat
|
||||
# 0xx Headers
|
||||
# 1xx TCP
|
||||
# 2xx UDP
|
||||
# 3xx HOSTS
|
||||
# 9xx Footers
|
||||
concat { $::iptables::params::ipv6_rules:
|
||||
ensure => present,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0640',
|
||||
content => template('iptables/rules.v6.erb'),
|
||||
require => [
|
||||
Package['iptables'],
|
||||
File[$::iptables::params::rules_dir],
|
||||
],
|
||||
# When this file is updated, make sure the rules get reloaded.
|
||||
notify => $notify_iptables,
|
||||
replace => true,
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-6-header':
|
||||
target => $::iptables::params::ipv6_rules,
|
||||
content => template('iptables/rules6_header.erb'),
|
||||
order => '01'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-6-tcp':
|
||||
target => $::iptables::params::ipv6_rules,
|
||||
content => template('iptables/rules6_tcp.erb'),
|
||||
order => '100'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-6-udp':
|
||||
target => $::iptables::params::ipv6_rules,
|
||||
content => template('iptables/rules6_udp.erb'),
|
||||
order => '200'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-6-raw':
|
||||
target => $::iptables::params::ipv6_rules,
|
||||
content => template('iptables/rules6_raw.erb'),
|
||||
order => '300'
|
||||
}
|
||||
|
||||
concat::fragment { 'iptables-6-footer':
|
||||
target => $::iptables::params::ipv6_rules,
|
||||
content => template('iptables/rules6_footer.erb'),
|
||||
order => '999'
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
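Review bot: If `content => template('iptables/rules.erb')` (and its v6 twin `content => template('iptables/rules.v6.erb')`) is still present on the new side of the resources that were converted from `file` to `concat`, it should go: concat has no content parameter, and the file body now comes from the iptables-4-header/-tcp/-udp/-raw/-footer fragments declared in the following hunk. The rendered page does not show which side those lines are on, so please confirm against the raw diff. Separately, the layout comment promises `# 3xx HOSTS` but the fragment occupying that slot is named `iptables-4-raw` / `iptables-6-raw`; rename one or the other so that side-loading defines can rely on the numbering scheme unambiguously. The class body continues outside the hunks shown.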
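--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,28 @@
+
+define iptables::hosts_allow (
+$rules4 = undef,
+$rules6 = undef,
+) {
+
+if $rules4 == undef and $rules6 == undef {
+fail('You must pass rules4 or rules6 to iptables::rules')
+}
+
+if $rules4 != undef {
+
+concat::fragment { "iptables-4-hosts-${name}":
+target => "${::iptables::params::rules_dir}/rules",
+content => template('iptables/rules4_hosts.erb'),
+order => '110'
+}
+}
+
+if $rules6 != undef {
+concat::fragment { "iptables-6-hosts-${name}":
+target => $::iptables::params::ipv6_rules,
+content => template('iptables/rules6_hosts.erb'),
+order => '110'
+}
+}
+
+}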
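Review bot: The define is declared as `iptables::hosts_allow`, but the README in this same commit documents it as `iptables::rules` and the `fail()` message in the first conditional also says `iptables::rules`; pick one name and make the type, the message and the README agree, otherwise the documented example does not compile. Both fragments use `order => '110'`, which places per-host rules in the 1xx (TCP) slot of the layout class iptables labels `# 3xx HOSTS`; use `order => '310'` in both branches. Unlike tcp_allow/udp_allow there is no coercion or validation of `$rules4`/`$rules6`, and the rules4_hosts/rules6_hosts templates call `.each` on them, so a caller passing a bare string instead of an array fails at template-render time with an unhelpful error; adding `validate_array($rules4)` and `validate_array($rules6)` at the top of the respective branches (stdlib, which the module already uses via pick/flatten) makes the misuse fail at compile time with a clear message.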
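--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,26 @@
+
+define iptables::tcp_allow (
+$port = undef,
+$ports = undef,
+) {
+
+if $port == undef and $ports == undef {
+fail('You must pass port or ports to iptables::tcp_allow')
+}
+
+$pub = pick($port, $ports)
+$public_tcp_ports = flatten([$pub])
+
+concat::fragment { "iptables-4-tcp-${name}":
+target => "${::iptables::params::rules_dir}/rules",
+content => template('iptables/rules4_tcp.erb'),
+order => '110'
+}
+
+concat::fragment { "iptables-6-tcp-${name}":
+target => $::iptables::params::ipv6_rules,
+content => template('iptables/rules6_tcp.erb'),
+order => '110'
+}
+
+}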
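Review bot: `$pub = pick($port, $ports)` silently discards `ports` when a caller supplies both parameters, and nothing checks that the resulting values are integers, so a typo in a port value is interpolated verbatim into the rules file and iptables-restore can then refuse the whole file, leaving the host without any of its intended rules rather than just the bad one. Fail explicitly on the ambiguous call, `if $port != undef and $ports != undef { fail('Pass either port or ports to iptables::tcp_allow, not both') }`, and validate the flattened list before the fragments are declared (stdlib `validate_integer($public_tcp_ports)` where the stdlib version in use provides it, otherwise a `validate_re` against `'^\d+$'` on each element). The same two issues apply to iptables::udp_allow.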
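--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,26 @@
+
+define iptables::udp_allow (
+$port = undef,
+$ports = undef,
+) {
+
+if $port == undef and $ports == undef {
+fail('You must pass port or ports to iptables::udp_allow')
+}
+
+$pub = pick($port, $ports)
+$public_udp_ports = flatten([$pub])
+
+concat::fragment { "iptables-4-udp-${name}":
+target => "${::iptables::params::rules_dir}/rules",
+content => template('iptables/rules4_udp.erb'),
+order => '110'
+}
+
+concat::fragment { "iptables-6-udp-${name}":
+target => $::iptables::params::ipv6_rules,
+content => template('iptables/rules6_udp.erb'),
+order => '110'
+}
+
+}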
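Review bot: Both fragments here use `order => '110'`, which interleaves side-loaded UDP rules with the TCP section that class iptables documents as `# 1xx TCP` / `# 2xx UDP`; use `order => '210'` for both so the generated file keeps the layout the comments promise and stays readable when rule sets are diffed on a host. The rules still land ahead of the 999 footer either way, so this is ordering and readability rather than a gap in filtering. The port-validation and both-parameters points raised on iptables::tcp_allow apply here unchanged.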
@ -7,5 +7,7 @@
|
|||
"source": "git://git.openstack.org/openstack-infra/puppet-iptables.git",
|
||||
"project_page": "http://docs.openstack.org/infra/system-config/",
|
||||
"issues_url": "https://storyboard.openstack.org/#!/project/770",
|
||||
"dependencies": []
|
||||
"dependencies": [
|
||||
{"name":"puppetlabs/concat","version_requirement":">=1.0.0 <2.0.0"}
|
||||
]
|
||||
}
|
||||
|
|
|
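Review bot: The new defines call `pick()` and `flatten()`, which are puppetlabs/stdlib functions, yet the dependency list introduced here names only puppetlabs/concat; concat 1.x may pull stdlib in transitively, but the module should declare what it uses directly so a stdlib removal or major bump in the concat metadata does not break it silently. Add a second entry alongside the concat one, for example (constructed) `{"name":"puppetlabs/stdlib","version_requirement":">=4.0.0 <5.0.0"}` with whatever range the functions used actually require.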
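--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,2 @@
+-A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
+COMMIT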
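--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,15 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
+#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# SNMP from openstack cacti
+-A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
+-A openstack-INPUT -m udp -p udp --dport 161 -s 198.61.215.188 -j ACCEPT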
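--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Per-host rules
+<% @rules4.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>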
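--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Public TCP ports
+<% @public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>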
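--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Public UDP ports
+<% @public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>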
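--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,2 @@
+-A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
+COMMIT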
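--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,13 @@
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:openstack-INPUT - [0:0]
+-A INPUT -j openstack-INPUT
+-A openstack-INPUT -i lo -j ACCEPT
+-A openstack-INPUT -p icmpv6 -j ACCEPT
+-A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+# SSH from anywhere
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+# SNMP from openstack cacti
+-A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:780d:0509:3bc3:d7f6:ff04:49de -j ACCEPT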
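--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Per-host rules
+<% @rules6.each do |rule| -%>
+-A openstack-INPUT <%= rule %>
+<% end -%>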
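--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Public TCP ports
+<% @public_tcp_ports.each do |port| -%>
+-A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
+<% end -%>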
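--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,4 @@
+# Public UDP ports
+<% @public_udp_ports.each do |port| -%>
+-A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
+<% end -%>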