Hello Community,

we are managing 40 Linux servers with Puppet, and it is really a great tool. Now we want to configure our firewall settings via Puppet as well, and I am searching for an elegant way to do this. The settings are still configured manually. We have some servers which run web services with a MySQL database, e.g. Moodle, BSCW, Jira and so on. In most cases the databases run on their own server for better performance. For example, Moodle has two servers: the Moodle server with the web application and a second server for the Moodle database. The idea is that the MySQL database is only open via the web (internet and intranet) to the Moodle server. So we configured the iptables rules on those machines like this:

    # Allow MySQL from 192.168.190.56 (Moodle Server)
    -A INPUT -p tcp -s 192.168.190.56 --dport 3355 -j ACCEPT
    -A INPUT -p tcp -s 217.198.190.56 --dport 3355 -j ACCEPT
    # Allow MySQL from 192.168.200.190 (Jira Server)
    -A INPUT -p tcp -s 192.168.200.160 --dport 3355 -j ACCEPT
    -A INPUT -p tcp -s 217.198.200.160 --dport 3355 -j ACCEPT

Now we want to build a class "firewall" and a template that does this job dynamically for us, so that we could use a puppetVar in LDAP with ip:port pairs like in the sample picture below:

<https://lh4.googleusercontent.com/-_NnhR02RdpU/UyAvBOoj5aI/AAAAAAAAA7A/-Fa6DVjCp7A/s1600/Auswahl_001.png>

In this example the Puppet client bscw-server.example.com should configure its iptables rules like in the manual config above. The problem is: I am a very bad coder and I don't know Ruby very well.
The firewall class is already written, I think this should work:

    class firewall {
      package { "iptables":
        ensure => latest,
      }

      file { "/etc/iptables":
        ensure => "directory",
        owner  => "root",
        group  => "root",
        mode   => "0700",
      }

      file { "/etc/iptables/up.rules":
        owner   => "root",
        group   => "root",
        mode    => "0600",
        content => template("firewall/up.rules.erb"),
        require => File["/etc/iptables"],
      }

      # Reload the rule set only when the rules file actually changes,
      # not on every Puppet run.
      exec { "/sbin/iptables-restore < /etc/iptables/up.rules":
        refreshonly => true,
        subscribe   => File["/etc/iptables/up.rules"],
        require     => Package["iptables"],
      }

      # Restore the rules on boot before the interfaces come up.
      file { "/etc/network/if-pre-up.d/iptables":
        owner  => "root",
        group  => "root",
        mode   => "0755",
        source => "puppet:///modules/firewall/iptables",
      }
    }

For the template (up.rules.erb) I managed to configure simple allowed ports:

    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]

    # Allows all loopback (lo0) traffic and drops all traffic to 127/8 that doesn't use lo0
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # Accepts all established inbound connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allows all outbound traffic
    # You could modify this to only allow certain traffic
    -A OUTPUT -j ACCEPT

    # Generally allowed TCP ports (from the class variable $tcp_ports)
    -A INPUT -p tcp -m multiport --dports <%= @tcp_ports %> -j ACCEPT

    # Allows SSH connections
    # All
    -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

    # Allow Simpana
    -A INPUT -p tcp -s 192.168.129.52 -m state --state NEW -m multiport --dports 8400:8420 -j ACCEPT

    # Allow ping
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    # Allow Nagios NRPE
    -A INPUT -p tcp -s <%= @nagios %> --dport 5666 -j ACCEPT

    # Drop Netbios
    -A INPUT -p udp --match multiport --dports 137,138 -j DROP

    # Reject all other inbound - default deny unless explicitly allowed policy:
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT

But this is too static. I don't want to allow port 443 in general, for example (this would work with this template); I want a solution for IP + port pairs. Does anybody have an idea how I could do this?
Thanks a lot

-- 
Posted to the Google Groups "Puppet Users" group: https://groups.google.com/d/msgid/puppet-users/5650012e-d324-4143-a298-0534bc88858c%40googlegroups.com
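The post asks how to turn a list of ip:port pairs into per-host ACCEPT rules from an ERB template. The following is an added example, not code from the original post or from Puppet: it renders such a template fragment with Ruby's standard ERB the way Puppet 3 does (the template reads the class variable as @mysql_clients), and it validates every pair first, so a typo or a stray value in the LDAP attribute makes the Puppet run fail instead of silently emitting a malformed or over-permissive rule. The variable name @mysql_clients, the "ip:port" string format and the sample addresses are assumptions.

```ruby
# Added example (not from the original post or from Puppet): render iptables
# ACCEPT rules from "ip:port" pairs as a Puppet ERB template would, after
# validating each pair.
require 'erb'
require 'ipaddr'

# Fragment that could replace the hand-written per-host lines in
# firewall/up.rules.erb. In a Puppet 3 template the class variable
# $mysql_clients is reached as @mysql_clients; the same name is bound below.
# (variable name and ip:port format are assumptions, not from the post)
RULES_TEMPLATE = <<'ERB'
<% @mysql_clients.each do |ip, port| -%>
# Allow tcp/<%= port %> from <%= ip %>
-A INPUT -p tcp -s <%= ip %> --dport <%= port %> -j ACCEPT
<% end -%>
ERB

# Parse "ip:port" strings (stand-in for the puppetVar stored in LDAP) into
# [source, port] pairs. Raises ArgumentError on anything that is not a valid
# IPv4 address (optionally with a /prefix) plus a port in 1..65535, so a bad
# entry aborts the run rather than generating a rule that opens too much.
def parse_pairs(pairs)
  pairs.map do |entry|
    ip, port = entry.to_s.strip.split(':', 2)
    raise ArgumentError, "bad entry #{entry.inspect}: expected ip:port" if port.nil?

    addr = IPAddr.new(ip) # IPAddr::InvalidAddressError < ArgumentError on garbage
    raise ArgumentError, "only IPv4 is handled here: #{ip}" unless addr.ipv4?

    valid_port = port =~ /\A\d{1,5}\z/ && (1..65535).cover?(port.to_i)
    raise ArgumentError, "bad port in #{entry.inspect}" unless valid_port

    # Keep a network prefix if one was given (e.g. 10.0.0.0/24), else a host.
    src = addr.prefix == 32 ? addr.to_s : "#{addr}/#{addr.prefix}"
    [src, port.to_i]
  end
end

# Render the fragment with the validated pairs bound as @mysql_clients, the
# way Puppet exposes class variables to a template. trim_mode '-' drops the
# newlines of the <% -%> control lines so only rule lines remain.
def render_rules(pairs)
  @mysql_clients = parse_pairs(pairs)
  ERB.new(RULES_TEMPLATE, trim_mode: '-').result(binding)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input mirroring the Moodle rules from the post.
  puts render_rules(['192.168.190.56:3355', '217.198.190.56:3355'])
end
```

In the Puppet class the array would come from the LDAP-provided variable (its name depends on the puppetVar attribute, which the post does not show) and be assigned to $mysql_clients before template() is called; the ERB fragment then goes into up.rules.erb in place of the hand-written per-host lines. Failing loudly on malformed input matters here because the template writes straight into a rule set that iptables-restore loads with a DROP default policy.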