IDIOTS!
everywhere! on the internet!
Wednesday, 26 August 2009
Friday, 7 August 2009
puppet iptables module
I now have a working copy of the iptables Puppet module.
I used the following recipe:
http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleIptables
However, it did require a little tweaking, so it is probably worth documenting here.
Firstly, we use SVN to add or edit our Puppet config, so I needed to add the following files:
/puppet/modules/iptables/files/fragments/default.pp
/puppet/modules/iptables/files/rebuild-iptables
/puppet/modules/iptables/manifests/init.pp
and edit the file
/puppet/manifests/nodes.pp
(I didn't add a separate class for this, due to the way our environment is structured.)
So firstly, I want default.pp to contain the iptables rules I want to install on a specific bunch of servers.
For example:
    -A INPUT -j SUL
    -A FORWARD -j SUL
    -A SUL -i lo -j ACCEPT
    -A SUL -i eth0 -j ACCEPT
    -A SUL -p icmp --icmp-type any -j ACCEPT
    -A SUL -p 50 -j ACCEPT
    -A SUL -p 51 -j ACCEPT
I should note that I don't include the SVN keyword headers in this file, because they can interfere with the iptables rebuild script.
So I've checked this into SVN, so all good there.
Next, I need to check in rebuild-iptables. Also, if you reference your rules in a different way (e.g. -A REDHAT-FIREWALL, or similar) you will need to edit the script before you check it in.
Thirdly, here is my nodes.pp; for each server on which I want to load these rules, I reference the fragment I want to apply to that server:
    node 'foo.example.com' inherits foonode {
        include iptables
        ipt_fragment { "default": ensure => present }
    }
As iptables is a module, you just need to include it. Then you reference the fragment.
Lastly, a bit of a gotcha: you need to set the mode of rebuild-iptables in the iptables module's init.pp, otherwise it is not executable.
    file {
        "/etc/iptables.d":
            ensure => directory,
            purge  => true,
            notify => Exec["rebuild_iptables"];
        "/usr/sbin/rebuild-iptables":
            mode   => "755",
            source => "puppet://puppet/iptables/rebuild-iptables";
    }
Check into SVN, then run svn-puppet on the server so it has the latest config.
Then on the client, run puppetd --test, or in debug mode if you prefer.
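To make the two gotchas above concrete (SVN keyword headers landing in a fragment, and a rule that jumps to a chain nobody declared), here is an added example of how a rebuild step can assemble /etc/iptables.d/* fragments into iptables-restore input and sanity-check it before anything is committed or applied. This is my own illustration, not the recipe's rebuild-iptables script; the built-in chain policies, the temp directory and the fragment contents are assumptions.

```shell
#!/bin/sh
# Added example, not the recipe's own rebuild-iptables script. Assumes the
# fragment layout from the post (one rule file per fragment, custom chain SUL).

# Build an iptables-restore "filter" table from every fragment in directory $1.
# Comment lines (SVN $Id$ headers included) and blank lines are dropped, and
# each user-defined chain named by -A is declared before the rules that use it.
assemble_rules() {
    rules=$(cat "$1"/* | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$')
    echo '*filter'
    # built-in chain policies are an assumption; the post does not set them
    echo ':INPUT ACCEPT [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "$rules" | awk '$1 == "-A" && $2 !~ /^(INPUT|FORWARD|OUTPUT)$/ { print $2 }' \
        | sort -u | while read -r chain; do echo ":$chain - [0:0]"; done
    printf '%s\n' "$rules"
    echo 'COMMIT'
}

# Pre-commit sanity check on stdin: every -j target must be a standard target
# or a chain declared in the ruleset, otherwise iptables-restore would reject it.
check_targets() {
    ruleset=$(cat)
    declared=$(printf '%s\n' "$ruleset" | awk '/^:/ { sub(/^:/, "", $1); print $1 }')
    printf '%s\n' "$ruleset" | awk '{ for (i = 1; i < NF; i++) if ($i == "-j") print $(i+1) }' \
        | sort -u | while read -r target; do
        case "$target" in ACCEPT|DROP|REJECT|RETURN|LOG) continue ;; esac
        printf '%s\n' "$declared" | grep -qx "$target" \
            || { echo "undeclared chain: $target" >&2; exit 1; }
    done
}

# Constructed fragment in a temp directory, mirroring the post's default.pp
# but with an SVN keyword header that the filter must discard.
FRAG_DIR=$(mktemp -d)
cat > "$FRAG_DIR/default.pp" <<'EOF'
# $Id: default.pp 12 2009-08-07 10:00:00Z someone $
-A INPUT -j SUL
-A FORWARD -j SUL
-A SUL -i lo -j ACCEPT
-A SUL -p icmp --icmp-type any -j ACCEPT
-A SUL -p 50 -j ACCEPT
EOF
assemble_rules "$FRAG_DIR" | check_targets && echo "ruleset ok"
```

Running it prints the assembled table without the $Id$ line and with ":SUL - [0:0]" declared; a fragment that jumps to an undeclared chain makes check_targets fail before the ruleset ever reaches iptables-restore.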
Please let me know if you find this helpful, or have any other comments.