+++ /dev/null
-;;; Directory Local Variables
-;;; See Info node `(emacs) Directory Variables' for more information.
-
-((puppet-mode
- (puppet-indent-level . 2))
- (ruby-mode
- (ruby-indent-level . 2)))
-
Copyright (C) 2011 Puppet Labs, Inc.
Copyright (C) 2011 Jonathan Boyett
-Copyright (C) 2011 Media Temple, Inc.
Some of the iptables code was taken from puppet-iptables which was:
-# puppetlabs-firewall module
+## puppetlabs-firewall module
## User Guide
You may also need to restart Apache, although this shouldn't always be the
case.
-Add the following to your site.pp to make sure class firewall can
-persist iptables rules across reboots:
-
- Firewall {
- notify => Exec['firewall-persist'],
- }
-
-Load the firewall class that provides these helper methods:
-
- class { 'firewall': }
-
### Examples
Basic accept ICMP request example:
table => 'nat',
}
+You can make firewall rules persistent with the following iptables example:
+
+ exec { "persist-firewall":
+ command => $operatingsystem ? {
+ "debian" => "/sbin/iptables-save > /etc/iptables/rules.v4",
+ /(RedHat|CentOS)/ => "/sbin/iptables-save > /etc/sysconfig/iptables",
+ }
+ refreshonly => true,
+ }
+ Firewall {
+ notify => Exec["persist-firewall"]
+ }
+
If you wish to ensure any reject rules are executed last, try using stages.
The following example shows the creation of a class which is where your
last rules should run, this however should belong in a puppet module.
:proto, :gid, :uid, :sport, :dport, :port, :name, :state, :icmp, :limit, :burst, :jump,
:todest, :tosource, :toports, :log_level, :log_prefix, :reject]
- ## Work-around for older vintages of iptables, where iptables-save
- ## returns error if the kernel modules are not loaded. Listing
- ## out the current rules with iptables proper autoloads the kernel modules.
- def self.iptables_init
- if ! File.exists?('/proc/net/ip6_tables_names')
- iptables '-nL'
- end
- end
end
rules = []
counter = 1
- self.iptables_init
-
# String#lines would be nice, but we need to support Ruby 1.8.5
iptables_save.split("\n").each do |line|
unless line =~ /^\#\s+|^\:\S+|^COMMIT/
rules
end
- ## Work-around for older vintages of iptables, where iptables-save
- ## returns error if the kernel modules are not loaded. Listing
- ## out the current rules with iptables proper autoloads the kernel modules.
- def self.iptables_init
- if ! File.exists?('/proc/net/ip_tables_names')
- iptables '-nL'
- end
- end
-
def self.rule_to_hash(line, table, counter)
hash = {}
keys = []
+++ /dev/null
-# Class: firewall
-#
-# This module manages firewalls.
-#
-# Parameters:
-#
-# Actions:
-#
-# Sets up some resources to manage iptables configs on Linux.
-# on various flavours of Linux.
-# 1. A firewall-persist exec to make rebooting safe.
-# 2. Debian hates you and has no provisions for managing iptables by default. Fixes that.
-#
-# Requires:
-#
-# Sample Usage:
-#
-# Put this in site.pp to ensure proper operation:
-# Firewall {
-# notify => Exec['firewall-persist'],
-# }
-#
-class firewall {
-
- Exec {
- path => [ '/bin', '/sbin' ],
- }
-
- case $kernel {
- 'Linux': {
-
- case $operatingsystem {
- Debian: {
- ## The iptables in Lenny definitely works.
- ## Older versions not tested.
- ## Meanwhile, Debian 'testing' will break.
- if $lsbmajdistrelease >= 5 {
- $firewall_supports_ipv6 = true
- }
-
- file { '/etc/iptables':
- ensure => directory,
- group => 'root',
- mode => '0750',
- owner => 'root',
- }
-
- $ip6tables_rules = '/etc/iptables/rules.v6'
-
- ## Squeeze 'iptables-persistent' package has unique rules file.
- case $lsbmajdistrelease {
- 6: { $iptables_rules = '/etc/iptables/rules' }
- default: { $iptables_rules = '/etc/iptables/rules.v4' }
- }
-
- ## Lenny has no intrinsic ability to manage iptables persistence.
- ## So we magick it up here. Note: this persists IPv6 rules..
- if $lsbmajdistrelease <= 5 {
- file { '/etc/init.d/iptables-persistent':
- content => template('firewall/debian/iptables-persistent.erb'),
- group => 'root',
- mode => '0755',
- owner => 'root',
- }
-
- $service_persist_requires = File['/etc/init.d/iptables-persistent']
- }
- else {
- package { 'iptables-persistent':
- ensure => present,
- }
- $service_persist_requires = Package['iptables-persistent']
- }
-
- service { 'iptables-persistent':
- enable => true,
- require => $service_persist_requires,
- }
-
- ## Squeeze 'iptables-persistent' package is ignorant of IPv6.
- ## So, we slap in a separate IPv6 persistence script just for it.
- if $firewall_supports_ipv6 {
-
- file { $ip6tables_rules:
- group => 'root',
- mode => '0600',
- owner => 'root',
- require => Exec['firewall-persist'],
- }
-
- if $lsbmajdistrelease == 6 {
- file { '/etc/init.d/ip6tables-persistent':
- content => template('firewall/debian/iptables-persistent.erb'),
- group => 'root',
- mode => '0755',
- owner => 'root',
- }
-
- service { 'ip6tables-persistent':
- enable => true,
- require => File['/etc/init.d/ip6tables-persistent'],
- }
-
- }
- }
- }
- ## Since this RedHat section makes assumptions about release version numbering
- ## It only makes sense for RHEL-alike OSes.
- RedHat,CentOS,CloudLinux: {
- ## ip6tables in CentOS 5.x does not support comments
- ## The provider needs comments, so we play dumb on older versions.
- if $lsbmajdistrelease >= 6 {
- $firewall_supports_ipv6 = true
- }
-
- $ip6tables_rules = '/etc/sysconfig/ip6tables'
- $iptables_rules = '/etc/sysconfig/iptables'
-
- package { 'iptables':
- ensure => present,
- }
-
- service { 'iptables':
- enable => true,
- }
-
- package { 'iptables-ipv6':
- ensure => present,
- }
-
- service { 'ip6tables':
- enable => true,
- }
-
- ## RHEL supports IPv6, but older versions do not support comments.
- ## The provider requires comments, so we just force a REJECT on all filter chains there.
- if $firewall_supports_ipv6 {
- file { $ip6tables_rules:
- group => 'root',
- mode => '0600',
- owner => 'root',
- require => Exec['firewall-persist'],
- }
- }
- else {
- file { $ip6tables_rules:
- content => template('firewall/redhat/ip6tables.erb'),
- group => 'root',
- mode => '0600',
- owner => 'root',
- require => Exec['firewall-persist'],
- }
- exec { 'set-ipv6-iptables-policy':
- command => '/sbin/service ip6tables restart',
- subscribe => File[$ip6tables_rules],
- refreshonly => true,
- }
- warning("On '${lsbdistdescription}', the firewall provider does not support ip6tables. Setting a default REJECT rule")
- }
- }
- default: { fail("$operatingsystem is not supported by the firewall class") }
- }
-
- file { $iptables_rules:
- group => 'root',
- mode => '0600',
- owner => 'root',
- require => Exec['firewall-persist'],
- }
-
- ## Tell site.pp (see docs) to notify this exec for all firewall rules
- ## Thus, ensuring good rules at boot time.
- exec { 'firewall-persist':
- command => "iptables-save |sed -e '/^#/ d' > ${iptables_rules}; ip6tables-save |sed -e '/^#/ d' > ${ip6tables_rules}",
- refreshonly => true,
- }
-
- }
- default: {
- warning("'firewall-persist' is currently a noop on ${kernel}")
- exec { 'firewall-persist':
- command => '/bin/true',
- refreshonly => true,
- }
- }
- }
-}
+++ /dev/null
-#!/usr/bin/env rspec
-require 'spec_helper'
-include PuppetSpec::Files
-
-describe 'firewall', :type => :class do
-
- before do
- @puppetdir = tmpdir('firewall')
- manifestdir = File.join(@puppetdir, 'manifests')
- Dir.mkdir(manifestdir)
- FileUtils.touch(File.join(manifestdir, 'site.pp'))
- Puppet[:confdir] = @puppetdir
- end
-
- after do
- FileUtils.remove_entry_secure(@puppetdir)
- end
-
- ## Same results will apply for CentOS & CloudLinux
- describe "RedHat generic tests" do
- let(:facts) {
- {
- :operatingsystem => 'RedHat',
- :kernel => 'Linux',
- :lsbmajdistrelease => 5,
- }
- }
- it { should contain_exec('firewall-persist') }
- it { should contain_file('/etc/sysconfig/ip6tables').with_mode('0600') }
- it { should contain_file('/etc/sysconfig/iptables').with_mode('0600') }
- it { should contain_package('iptables').with_ensure('present') }
- it { should contain_package('iptables-ipv6').with_ensure('present') }
- it { should contain_service('iptables').with_enable(true) }
- it { should contain_service('ip6tables').with_enable(true) }
- end
-
- ## Same results will apply for CentOS & CloudLinux
- describe "RedHat 5.x tests" do
- let(:facts) {
- {
- :operatingsystem => 'RedHat',
- :kernel => 'Linux',
- :lsbmajdistrelease => 5,
- }
- }
- it { should contain_exec('set-ipv6-iptables-policy') }
- end
-
- describe "Debian generic tests" do
- let(:facts) {
- {
- :operatingsystem => 'Debian',
- :kernel => 'Linux',
- }
- }
- it { should contain_exec('firewall-persist') }
- it { should contain_file('/etc/iptables/rules.v6').with_mode('0600') }
- it { should contain_service('iptables-persistent').with_enable(true) }
- end
- describe "Debian Lenny tests" do
- let(:facts) {
- {
- :operatingsystem => 'Debian',
- :kernel => 'Linux',
- :lsbmajdistrelease => 5,
- }
- }
- it { should contain_file('/etc/init.d/iptables-persistent') }
- it { should contain_file('/etc/iptables/rules.v4').with_mode('0600') }
-
- end
- describe "Debian Squeeze tests" do
- let(:facts) {
- {
- :operatingsystem => 'Debian',
- :kernel => 'Linux',
- :lsbmajdistrelease => 6,
- }
- }
- it { should contain_file('/etc/init.d/ip6tables-persistent') }
- it { should contain_file('/etc/iptables/rules').with_mode('0600') }
- it { should contain_package('iptables-persistent').with_ensure('present') }
- it { should contain_service('ip6tables-persistent').with_enable(true) }
- end
- describe "Debian Wheezy tests" do
- let(:facts) {
- {
- :operatingsystem => 'Debian',
- :kernel => 'Linux',
- :lsbmajdistrelease => 7,
- }
- }
- it { should contain_file('/etc/iptables/rules.v4').with_mode('0600') }
- it { should contain_file('/etc/iptables/rules.v6').with_mode('0600') }
- it { should contain_package('iptables-persistent').with_ensure('present') }
- end
-end
require 'mocha'
gem 'rspec', '>=2.0.0'
require 'rspec/expectations'
-require 'rspec-puppet'
# So everyone else doesn't have to include this base constant.
module PuppetSpec
RSpec.configure do |config|
include PuppetSpec::Fixtures
- config.module_path = File.join(File.dirname(__FILE__), '../../')
-
config.mock_with :mocha
config.before :each do
# Set the confdir and vardir to gibberish so that tests
# have to be correctly mocked.
+ Puppet[:confdir] = "/dev/null"
Puppet[:vardir] = "/dev/null"
# Avoid opening ports to the outside world
+++ /dev/null
-#!/bin/sh
-#
-<% version = lsbmajdistrelease.to_i -%>
-### BEGIN INIT INFO
-# Provides: <% if version <= 5 %>iptables<% else %>ip6tables<%end%>-persistent
-# Required-Start: mountkernfs $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# X-Start-Before: $network
-# X-Stop-After: $network
-# Short-Description: Set up iptables rules
-### END INIT INFO
-
-. /lib/lsb/init-functions
-
-rc=0
-IP6TABLES_RULES=<%= ip6tables_rules %>
-<% if version <= 5 -%>
-IPTABLES_RULES=<%= iptables_rules %>
-<% end -%>
-
-case "$1" in
- start|restart|reload|force-reload)
- log_action_begin_msg "Loading iptables rules"
-
-<% if version <= 5 -%>
- if [ -f $IPTABLES_RULES ]; then
- log_action_cont_msg " IPv4"
- iptables-restore < $IPTABLES_RULES 2> /dev/null
- if [ $? -ne 0 ]; then
- rc=1
- fi
- fi
-<% end -%>
-
- if [ -f $IP6TABLES_RULES ]; then
- log_action_cont_msg " IPv6"
- ip6tables-restore < $IP6TABLES_RULES 2> /dev/null
- if [ $? -ne 0 ]; then
- rc=1
- fi
- fi
-
- log_action_end_msg $rc
- ;;
- stop)
- ;;
- *)
- echo "Usage: $0 {start|restart|reload|force-reload|save}" >&2
- exit 1
- ;;
-esac
-
-exit $rc
+++ /dev/null
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -j REJECT --reject-with icmp6-port-unreachable
--A FORWARD -j REJECT --reject-with icmp6-port-unreachable
--A OUTPUT -j REJECT --reject-with icmp6-port-unreachable
-COMMIT
+++ /dev/null
-node default {
- class { 'firewall': }
-}
Code Review / puppet-modules / puppetlabs-firewall.git / commitdiff