Hello all,

I'm trying to implement iptables management via puppet. My goal is to have a set of default rules that get inherited by every node and then a set of modules defining services, where each service definition brings its own additional iptables rules and they should be properly merged together.

But I'm stuck at the first steps of implementing the firewall module. As I understand the documentation, the number in the name of the rule is used to properly order the rules in the iptables table. However this is not what I observe.

Consider the following rules:

    class iptables {
        service { 'iptables':
            enable    => true,
            subscribe => File['/etc/sysconfig/iptables'],
        }
        firewall { '000 allow lo in':
            iniface => 'lo',
            action  => accept,
        }
        firewall { '002 allow packets with valid state':
            state   => ['RELATED', 'ESTABLISHED'],
            iniface => 'eth0',
            action  => accept,
        }
        firewall { '032 allow icmp on eth0':
            proto   => 'icmp',
            iniface => 'eth0',
            action  => accept,
        }
        firewall { '100 allow ssh':
            destination => $ipaddress_eth0,
            proto       => 'tcp',
            dport       => '22',
            state       => 'NEW',
            action      => accept,
            ensure      => 'present',
        }
        firewall { '100 allow nrpe':
            destination => $ipaddress_eth0,
            proto       => 'tcp',
            dport       => '5666',
            state       => 'NEW',
            action      => accept,
        }
        firewall { '100 allow snmp':
            destination => $ipaddress_eth0,
            proto       => 'udp',
            dport       => '161',
            action      => accept,
        }
        firewall { '999 reject everything else':
            action => reject,
            reject => 'icmp-admin-prohibited',
        }
        firewall { '999 reject everything else on forward':
            chain  => 'FORWARD',
            action => reject,
            reject => 'icmp-admin-prohibited',
        }
        resources { 'firewall':
            purge => true,
        }
        exec { "persist-firewall":
            command     => '/sbin/service iptables save',
            refreshonly => true,
        }
        Firewall {
            notify => Exec["persist-firewall"]
        }
    }

When I run puppetd -t on a node, I get something like this in iptables -nL output (cut to just the comment field):

    Chain INPUT (policy ACCEPT)
    /* 100 allow snmp */
    /* 100 allow ssh */ state NEW
    /* 032 allow icmp on eth0 */
    /* 002 allow packets with valid state */
    /* 999 reject everything else */
    /* 000 allow lo in */
    /* 100 allow nrpe */ state NEW

    Chain FORWARD (policy ACCEPT)
    /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited

The order of the rules appears random; sometimes the reject-everything rule is applied first and I lose connection to the server.

My observation is that either the number in the rule name has no meaning or I'm doing something wrong. Since I'm relatively new to puppet (but was working with cfengine 7-8 years ago), I'm asking this group for suggestions before I file a bug report.

Env is puppet 2.6.12, centos 5.7 on server, centos 6.2 on client.

-- 
Jure Pečar

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
It's because puppet doesn't read sequentially but randomly accesses the module/class.

You might be able to get around this by using a template.

On 27 December 2011 05:13, Jure Pečar <jure.pecar@gmail.com> wrote:
> My observation is that either the number in the rule name has no meaning
> or I'm doing something wrong.
You could use stages as described in documentation:

http://forge.puppetlabs.com/puppetlabs/firewall

On Dec 27, 1:48 am, Mark Walkom <markwal...@gmail.com> wrote:
> It's because puppet doesn't read sequentially but randomly accesses the
> module/class.
> You might be able to get around this by using a template.
On Tue, 27 Dec 2011 17:48:11 +1100
Mark Walkom <markwalkom@gmail.com> wrote:

> It's because puppet doesn't read sequentially but randomly accesses the
> module/class.
> You might be able to get around this by using a template.

Well, the documentation clearly states:

    Parameters
    name
        The canonical name of the rule. This name is also used for ordering
        so make sure you prefix the rule with a number

What I want to achieve is exactly what's described in this blog post:

http://geek.jasonhancock.com/2011/10/11/managing-iptables-firewalls-with-puppet/

However, it doesn't work for me. How can I figure out why not?

-- 
Jure Pečar
FWIW, I decided to tinker with this module today and the examples do not work.

I used the line:

    firewall { '100 allow http':
        proto => 'tcp',
        dport => '80',
        jump  => 'ACCEPT',
    }

and got:

    Parameter jump failed: Jump destination should not be one of ACCEPT, REJECT or DENY. Use the action property instead.

Are these things tested before checking them into the repository?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)
On Tue, 27 Dec 2011 04:32:03 -0800 (PST)
bel <belminf@gmail.com> wrote:

> You could use stages as described in documentation:
>
> http://forge.puppetlabs.com/puppetlabs/firewall

Now I've implemented stages and indeed the output of puppet agent makes me think they are in place:

    notice: /Firewall[002 allow icmp on eth0]/ensure: created
    notice: /Firewall[001 allow packets with valid state]/ensure: created
    notice: /Firewall[000 allow lo in]/ensure: created
    notice: /Firewall[003 allow ssh]/ensure: created
    notice: /File[/etc/sysconfig/iptables]/ensure: created
    notice: /Firewall[100 allow nrpe]/ensure: created
    notice: /Firewall[100 allow snmp]/ensure: created
    notice: /Firewall[999 reject everything else on forward]/ensure: created
    notice: /Firewall[998 reject everything else]/ensure: created

But then I lose the ssh connection. Looking at the local console it is obvious why:

    Chain INPUT (policy ACCEPT)
    /* 998 reject everything else */
    /* 100 allow nrpe */
    /* 100 allow snmp */
    /* 003 allow ssh */
    /* 000 allow lo in */
    /* 001 allow icmp on eth0 */
    /* 002 allow packets with valid state */

    Chain FORWARD (policy ACCEPT)
    /* 999 reject everything else on forward */ reject-with icmp-admin-prohibited

So again it looks like the number in the rule name has no meaning whatsoever. Rules are inserted according to stages, but without a rule position (iptables -I chain rulenum), so each one ends up on top, since for iptables the rulenum parameter is optional and is set to 1 (= top of the table) if not specified.

-- 
Jure Pečar
Dan White
2011-Dec-27 17:33 UTC
Re: [Puppet Users] puppetlabs firewall module: How do I ...?
    /sbin/iptables -A INPUT -p tcp -s 10.0.0.0/255.0.0.0 --dport ssh --syn -j ACCEPT

How do I get the "--syn" option onto the command that Puppet runs?
Dan White
2011-Dec-27 18:58 UTC
Re: [Puppet Users] puppetlabs firewall module: Another How do I ...?
RHEL 5.7

I need to duplicate this command (that does work):

    # allow (udp) dns from IP range
    /sbin/iptables -A INPUT -p udp -s 10.0.0.0/8 --sport domain --dport 1025:65535 -j ACCEPT

So I tried:

    firewall { "011 a allow DNS":
        proto  => 'udp',
        sport  => 'domain',
        dport  => '1025-65535',
        source => ['10.0.0.0/8'],
        action => 'accept',
    }

And it says:

    err: /Firewall[011 a allow DNS]: Could not evaluate: Execution of '/sbin/iptables -R INPUT 16 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025:65535 -m comment --comment 011 a allow DNS -j ACCEPT' returned 2: Try `iptables -h' or 'iptables --help' for more information.

So I pull from the log:

    /sbin/iptables -I INPUT 4 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025:65535 -m comment --comment 011 a allow DNS -j ACCEPT

and it says:

    Bad argument `1025:65535'
    Try `iptables -h' or 'iptables --help' for more information.

    firewall { "011 a allow DNS":
        proto  => 'udp',
        sport  => '53',
        source => ['10.0.0.0/8'],
        action => 'accept',
    }

    -A INPUT -s 10.0.0.0/255.0.0.0 -p udp -m multiport --sports 53 -m comment --comment "011 a allow DNS" -j ACCEPT

    firewall { "011 a allow DNS":
        proto  => 'udp',
        sport  => '53',
        dport  => '1025',
        source => ['10.0.0.0/8'],
        action => 'accept',
    }

    err: /Firewall[011 a allow DNS]: Could not evaluate: Execution of '/sbin/iptables -R INPUT 13 -t filter -s 10.0.0.0/8 -p udp -m multiport --sports 53 -m multiport --dports 1025 -m comment --comment 011 a allow DNS -j ACCEPT' returned 2: Try `iptables -h' or 'iptables --help' for more information.
Your iptables rules are wrong; that is why you lose the SSH connection. I'd look into those before worrying about Puppet.

On Wed, Dec 28, 2011 at 3:02 AM, Jure Pečar <jure.pecar@gmail.com> wrote:
> But then I lose ssh connection. Looking at local console it is obvious why:
I'd reverse my stages if I were you. Seems like that will fix it.

On Dec 27 2011, 11:02 am, Jure Pečar <jure.pe...@gmail.com> wrote:
> Rules are inserted according to stages, but without rule position (iptables
> -I chain rulenum) so each one ends on top, since for iptables rulenum
> parameter is optional and set to 1 (=top of the table) if not specified.
On 4 January 2012 07:33, bel <belminf@gmail.com> wrote:
> I'd reverse my stages if I were you. Seems like that will fix it.

Perhaps try using a collection. Define all new firewall resources as virtual, then in the iptables module, realize them. ie.

    class nagios::nrpe::config {
        ...
        @firewall { '100 allow nrpe':
            destination => $ipaddress_eth0,
            proto       => 'tcp',
            dport       => '5666',
            state       => 'NEW',
            action      => accept,
        }
    }

    class iptables {
        ...
        @firewall { '000 allow lo in':
            iniface => 'lo',
            action  => accept,
        }
        ...
        Firewall <| |> {
            notify => Exec["persist-firewall"],
        }
    }

You could then use stages to ensure iptables is evaluated last. The firewall type should be autoloaded.

Cheers,
Grant
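A complete version of the layout Grant describes, added here as an example; it is not code from this thread or from the puppetlabs-firewall module. Each service class declares its rules as virtual resources, one firewall class realizes them all, and a chaining arrow makes every other rule a prerequisite of the catch-all reject, so the reject is applied last whatever order the compiler evaluates the classes in. The class names site::firewall and site::nrpe are hypothetical; the firewall parameters are the ones used in this thread.

```puppet
# Added example, not code from the thread or the puppetlabs-firewall module.
# Class names (site::firewall, site::nrpe) are hypothetical; the firewall
# parameters are the ones used in this thread.

# A service class declares only the rule it needs, as a virtual resource.
# Nothing is applied until a collector realizes it.
class site::nrpe {
  @firewall { '100 allow nrpe':
    destination => $ipaddress_eth0,
    proto       => 'tcp',
    dport       => '5666',
    state       => 'NEW',
    action      => accept,
  }
}

# Node-wide defaults plus the catch-all reject rules.
class site::firewall {
  @firewall { '000 allow lo in':
    iniface => 'lo',
    action  => accept,
  }
  @firewall { '002 allow packets with valid state':
    state   => ['RELATED', 'ESTABLISHED'],
    iniface => 'eth0',
    action  => accept,
  }
  @firewall { '100 allow ssh':
    destination => $ipaddress_eth0,
    proto       => 'tcp',
    dport       => '22',
    state       => 'NEW',
    action      => accept,
  }

  # The reject rules are real (non-virtual) resources so that one of them
  # can be named as the target of the ordering relationship below.
  firewall { '999 reject everything else':
    action => reject,
    reject => 'icmp-admin-prohibited',
  }
  firewall { '999 reject everything else on forward':
    chain  => 'FORWARD',
    action => reject,
    reject => 'icmp-admin-prohibited',
  }

  # Realize every Firewall resource in the catalog, including the virtual
  # ones declared in service classes, and have each trigger a save.
  Firewall <| |> {
    notify => Exec['persist-firewall'],
  }

  # Every rule except the INPUT reject itself must be applied before it.
  # The left-hand collector excludes the reject's own title; without that
  # the resource would depend on itself and the run would fail with a
  # dependency cycle.
  Firewall <| title != '999 reject everything else' |>
    -> Firewall['999 reject everything else']

  # Remove rules Puppet does not manage, as in the original manifest.
  resources { 'firewall':
    purge => true,
  }

  exec { 'persist-firewall':
    command     => '/sbin/service iptables save',
    refreshonly => true,
  }
}

# Node classification; the order of these two lines does not matter.
include site::nrpe
include site::firewall
```

A collector is evaluated after the whole catalog has been compiled, so the service classes can be included in any order and no run stage is needed for their rules to be collected; the `->` arrow, not a stage, decides that the reject rule is applied after the accept rules. Whether the provider then inserts each rule at the position its numeric prefix implies is the question this thread leaves open, so after the first run compare `iptables -nL` from a console session with what `service iptables save` is about to persist.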