Friday, 7 August 2009

puppet iptables module

I now have a working copy of the iptables puppet module.

I used the following recipe:

http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleIptables

However, it did require a little tweaking, so it is probably worth documenting here.

Firstly, we use SVN to add or edit our puppet config, so I needed to add the following files:

/puppet/modules/iptables/files/fragments/default.pp
/puppet/modules/iptables/files/rebuild-iptables
/puppet/modules/iptables/manifests/init.pp

and edit the file
/puppet/manifests/nodes.pp

(I didn't add a separate class for this, due to the way our environment is structured.)

So firstly, default.pp should contain the iptables rules I want to install on a specific bunch of servers.

For example:

-A INPUT -j SUL
-A FORWARD -j SUL
-A SUL -i lo -j ACCEPT
-A SUL -i eth0 -j ACCEPT
-A SUL -p icmp --icmp-type any -j ACCEPT
-A SUL -p 50 -j ACCEPT
-A SUL -p 51 -j ACCEPT


I should note that I don't include the SVN keyword headers in this file, because they can interfere with the iptables rebuild script.

So I've checked this into SVN, so all good there.

Next, I need to check in rebuild-iptables. Also, if you reference your rules in a different way (e.g. -A REDHAT-FIREWALL, or similar) you will need to edit the script before you check it in, because it assumes the chain names used above.

Thirdly, here is my nodes.pp. For each server on which I want to load these rules, I reference the fragment I want to apply to that server:

node 'foo.example.com' inherits foonode {
    include iptables
    ipt_fragment { "default": ensure => present }
}


As iptables is a module, you just need to include it. Then you reference the fragment you want that node to get.

Lastly, a bit of a gotcha. You need to set the mode of rebuild-iptables in the iptables init.pp, otherwise it is not executable:

file {
    "/etc/iptables.d":
        ensure => directory,
        purge  => true,    # drop fragments that puppet no longer manages
        notify => Exec["rebuild_iptables"];
    "/usr/sbin/rebuild-iptables":
        mode   => "755",   # without this the script is installed non-executable
        source => "puppet://puppet/iptables/rebuild-iptables";
}


Check this into SVN, then run svn-puppet on the puppetmaster so it has the latest config.

Then on the client, run puppetd --test, or in debug mode if you prefer.
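As an added example (my own sketch, not the recipe's rebuild-iptables script), here is a small POSIX shell rebuild that assembles the fragments in a directory into an iptables-restore file. It goes a step beyond the recipe's script: it declares whatever user chains the fragments append to, so it needs no editing when a fragment uses a chain other than SUL, and it drops blank, comment and SVN keyword lines so a stray $Id$ header cannot break the restore. The fragment directory, sample rules and the 192.0.2.0/24 address are constructed for the demo.

```shell
# build_iptables DIR: write an iptables-restore file for the filter table
# to stdout from the rule fragments in DIR (e.g. /etc/iptables.d).
build_iptables() {
    dir="$1"
    # Rule lines from every fragment in filename order, minus blank lines,
    # "#" comments and SVN keyword lines such as $Id$ or $Revision$.
    rules=$(cat "$dir"/* 2>/dev/null \
        | grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' -e '\$[A-Za-z]*\$')
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    # Every chain a fragment appends to, inserts into or creates, except the
    # built-in ones, gets a ":NAME - [0:0]" declaration ahead of the rules,
    # so "-A INPUT -j SUL" restores cleanly whatever the chain is called.
    printf '%s\n' "$rules" \
        | awk '{ for (i = 1; i < NF; i++)
                   if ($i == "-A" || $i == "-I" || $i == "-N") print $(i + 1) }' \
        | grep -v -x -e INPUT -e FORWARD -e OUTPUT | sort -u \
        | sed 's/.*/:& - [0:0]/'
    # Emit the rules; "-N" lines are redundant once the chains are declared.
    printf '%s\n' "$rules" | grep -v '^-N ' || true
    printf 'COMMIT\n'
}

# Constructed sample fragments (not real servers) so the script runs stand-alone.
write_sample_fragments() {
    printf '%s\n' '$Id$' '-A INPUT -j SUL' '-A FORWARD -j SUL' \
        '-A SUL -i lo -j ACCEPT' '-A SUL -p icmp --icmp-type any -j ACCEPT' > "$1/default"
    printf '%s\n' '# ssh from the admin network (constructed example)' \
        '-A SUL -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT' > "$1/ssh"
}

demo=$(mktemp -d)
write_sample_fragments "$demo"
build_iptables "$demo"
rm -rf "$demo"
```

On a real host the output would be written to a temporary file and loaded with iptables-restore rather than printed.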

Please let me know if you find this helpful, or have any other comments.




6 comments:

  1. hey there,
    maybe you'd like to try the native iptables puppet type:
    http://github.com/camptocamp/puppet-iptables/
    you need to rewrite your firewall rules in the puppet way, but it's worth it because of the flexibility it gives you.
    pedro padron

  2. hey thanks for the heads-up :) I'll check it out!

  3. Hi Mel,

    thanks for this post, it helped me to get my puppet working!
    but I should also look at the previous suggestion :)

    Christophe.

  4. so glad I could help! please post/relink and help make me famous! haha thanks.

  5. Mel,

    Quite helpful, thanks (though I haven't yet decided between this module or the camptocamp type). I notice that there haven't been many posts or comments here lately, and as I often suffer from ignoring my blog until someone pings me about it, I thought maybe I could be the motivation to post a bit more :)

    -jason
    http://blog.jasonantman.com

  6. Hi Jason! I see you are another rackable person - it has reminded me to post my photo :)
    I personally like this module better, but really it comes down to what works in your environment I guess :)
    I haven't had any comments in months and months - but then again I haven't really been blogging - I keep meaning to set this up on WordPress on AWS but I keep not getting round to it :)