Puppet users - Jun 2007 - iptables module?

I know people must be doing something to manage iptables, but I
haven''t been able to find anything yet. ( My google-fu must be weak
today. )

What are you using to manage your iptables?

-- 
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

Atom Powers wrote:
> I know people must be doing something to manage iptables, but I
> haven''t been able to find anything yet. ( My google-fu must be
weak
> today. )
>
> What are you using to manage your iptables?
>   
I haven''t integrated it with Puppet yet, but I use a wrapper called 
''FireHOL'' - http://firehol.sourceforge.net

It has a very clean syntax and makes doing relatively complex things 
with iptables very easy. Best of all, its config is very terse and human 
readable.

The reason i''m mentioning this though isn''t to advertise it. I
haven''t
integrated it with Puppet yet as it has a ''try'' mode 
(/etc/init.d/firehol try   ||   /usr/sbin/firehol try ) which will 
install the new config for 30s and then automatically back it out if you 
don''t type ''commit''. I really like this function,
especially as most of
the machines I manage are remote.

I ensure that I can SSH onto the machine in the 30 seconds grace, and 
then if that works I commit the firehol config. At least that way I know 
I can get on to repair anything that may have gone wrong with other rules.

I''m wondering if anyone has found way to  Puppetized
''automatic backout''
type configurations like this?

I''m thinking of something along the lines of this:

1. Puppet installs new config to /etc/firehol/firehol.conf.new
2. Puppet copies old config to /etc/firehol/firehol.conf.last
3. Puppet installs /etc/firehol/firehol.conf.new to 
/etc/firehol/firehol.conf
       - with   notify => Service[firehol]
4. Puppet looks for a file /etc/firehol/config-is-ok, with a timestamp 
within 30s of the timestamp of /etc/firehol/firehol.conf
5. If timestamp is within 30s, all is good, leave config in place.
6. If timestamp is not within 30s, assume the admin is not able to log 
in to ''touch'' the config-is-ok file, and (use Puppet to) back
out steps 1-3.

Does anyone have any better suggestions?

Cheers,

mike

On Jun 28, 2007, at 1:46 PM, Mike Pountney wrote:
> The reason i''m mentioning this though isn''t to advertise
it. I haven''t
> integrated it with Puppet yet as it has a ''try'' mode
> (/etc/init.d/firehol try   ||   /usr/sbin/firehol try ) which will
> install the new config for 30s and then automatically back it out  
> if you
> don''t type ''commit''. I really like this
function, especially as
> most of
> the machines I manage are remote.
>
After once having locked myself out of a server located in Tokyo from  
the comfort of my bed in Virginia, I do the same thing from the  
command line, with just:

service iptables restart ; sleep 60 ; service iptables stop

That way if the restart locks you out, you just have to wait for the  
timer to expire and the firewall will turn back off, if everything is  
still working fine, you can just control-C the rest of the command  
line and skip the stop.

-- 
Jason Kohles
email@jasonkohles.com
http://www.jasonkohles.com/
"A witty saying proves nothing."  -- Voltaire

> After once having locked myself out of a server located in Tokyo from  
> the comfort of my bed in Virginia, I do the same thing from the  
> command line, with just:
>
> service iptables restart ; sleep 60 ; service iptables stop
>
> That way if the restart locks you out, you just have to wait for the  
> timer to expire and the firewall will turn back off, if everything is  
> still working fine, you can just control-C the rest of the command  
> line and skip the stop.
>   
Without meaning to be pedantic here, (and it''s OT, I know) hitting
control-C on that command line will skip the sleep then run service
iptables stop.

You might want to consider using && instead of ;, which will only run it
if the sleep returns true.  YMMV, of course, but the behaviour you
describe is definitely not standard.

Observe:
$ echo one ; sleep 60 ; echo two
one
<ctrl-c>
two
$

$ echo one ; sleep 60 && echo two
one
<ctrl-c>
$

This is what I do:

define iptables_rules($src) {
  exec { "iptables-restore":
    command => "/sbin/iptables-restore <
/var/lib/iptables/rules-puppet",
    subscribe => File["/var/lib/iptables/rules-puppet"],
    refreshonly => true,
    require => Package["iptables"]
  }
  file { "/var/lib/iptables/rules-puppet": mode => 600,
    source => $src, backup=>false
  }
}

which is less than ideal, but works well for me. On shutdown, the
iptables init script saves the running rules to /var/lib/iptables/rules,
which is what gets read at startup. If it came down to it, I could
hard-reboot the machine remotely to get it to read the old rules and not
load the ones from puppet.

A better solution would be welcome :)

P

Atom Powers wrote:
> I know people must be doing something to manage iptables, but I
> haven''t been able to find anything yet. ( My google-fu must be
weak
> today. )
> 
> What are you using to manage your iptables?
>

Atom Powers a écrit :
> I know people must be doing something to manage iptables, but I
> haven''t been able to find anything yet. ( My google-fu must be
weak
> today. )
>
> What are you using to manage your iptables?
>
>   
shorewall is a wrapper to iptables and a puppet recipe is available :

http://www.shorewall.net/
https://reductivelabs.com/trac/puppet/wiki/AqueosShorewall

-- 
Cordialement,
Ghislain



_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

--On Thursday, June 28, 2007 09:52:50 AM -0700 Atom Powers 
<atom.powers@gmail.com> wrote:
> I know people must be doing something to manage iptables, but I
> haven''t been able to find anything yet. ( My google-fu must be
weak
> today. )
>
> What are you using to manage your iptables?
We''re using puppet to add iptables rule fragments into a directory call
/etc/iptables.d.  Puppet manages that directory (purges unknown files) and 
when it adds or deletes something out of there, it run a script call 
rebuild-iptables that creates a new iptables rule file:

modules/iptables/manifests/init.pp:


# $Id: iptables.pp 949 2007-02-24 08:35:18Z digant $
#
# Handles iptables concerns.  See also ipt_fragment definition
define ipt_fragment($ensure) {
    case $ensure {
        absent: {
            file { "/etc/iptables.d/$name":
                ensure => absent,
            }
        }
        present: {
            file {
               "/etc/iptables.d/$name":
                    source =>
"puppet://puppet/iptables/fragments/$name",
                    notify => Exec[rebuild_iptables];
            }
        }
    }
}

class iptables {
    package { "iptables":
        ensure => present
    }

    exec { "rebuild_iptables":
        command => "/usr/sbin/rebuild-iptables",
        refreshonly => true,
        require => Package["stanford-server"]
    }

    file { "/etc/iptables.d":
        ensure => directory,
        purge => true,
        notify => Exec["rebuild_iptables"],
    }
}

/usr/sbin/rebuild-iptables:
#!/usr/bin/perl -w
our $ID = q$Id: rebuild-iptables 344 2006-10-04 02:48:30Z digant $;
#
# rebuild-iptables -- Construct an iptables rules file from fragments.
#
# Written by Russ Allbery <rra@stanford.edu>
# Adapted by Digant C Kasundra <digant@stanford.edu>
# Copyright 2005, 2006 Board of Trustees, Leland Stanford Jr. University
#
# Constructs an iptables rules file from the prefix, standard, and suffix
# files in the iptables configuration area, adding any additional modules
# specified in the command line, and prints the resulting iptables rules to
# standard output (suitable for saving into /var/lib/iptables or some other
# appropriate location on the system).

##############################################################################
# Modules and declarations
##############################################################################

require 5.006;
use strict;

use Getopt::Long qw(GetOptions);

# Path to the iptables template area.
our $TEMPLATE   = ''/afs/ir/service/jumpstart/data/iptables'';

##############################################################################
# Installation
##############################################################################

# Return the prefix
sub prefix {
    my $data;
    ( $data = <<''END_OF_PREFIX'' ) =~ s/^\s+//gm;
        *filter
        :INPUT ACCEPT
        :FORWARD ACCEPT
        :OUTPUT ACCEPT
        :SUL -
        -A INPUT -j SUL
        -A SUL -i lo -j ACCEPT
END_OF_PREFIX

    return $data;
}

# Return the suffix
sub suffix {
    my $data;
    ( $data = <<''END_OF_SUFFIX'' ) =~ s/^\s+//gm;
        # Rejects all remaining connections with port-unreachable errors.

        -A SUL -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT 
--reject-with icmp-port-unreachable
        -A SUL -p udp -j REJECT --reject-with icmp-port-unreachable
        COMMIT
END_OF_SUFFIX

    return $data;
}
# Read in a file, processing includes as required.  Returns the contents of
# the file as an array.
sub read_iptables {
    my ($file) = @_;
    my @data;
    $file = $TEMPLATE . ''/'' . $file unless $file =~ m%^\.?/%;
    local *MODULE;
    open (MODULE, ''<'', $file) or die "$0: cannot open
$file: $!\n";
    local $_;
    while (<MODULE>) {
        if (/^\s*include\s+(\S+)$/) {
            my $included = $1;
            $included = $TEMPLATE . ''/'' . $included
                unless $included =~ m%^\.?/%;
            if ($file eq $included) {
                die "$0: include loop in $file, line $.\n";
            }
            push (@data, "\n");
            push (@data, read_iptables ($included));
            push (@data, "\n");
        } elsif (/^\s*include\s/) {
            die "$0: malformed include line in $file, line $.\n";
        } else {
            push (@data, $_);
        }
    }
    close MODULE;
    return @data;
}

# Write a file carefully.
sub write_iptables {
    my ($file, @data) = @_;
    open (NEW, "> $file.new") or die "$0: cannot create
$file.new: $!\n";
    print NEW @data           or die "$0: cannot write to $file.new:
$!\n";
    close NEW                 or die "$0: cannot flush $file.new:
$!\n";
    rename ("$file.new", $file)
        or die "$0: cannot install new $file: $!\n";
}

# Install iptables on a Red Hat system.  Takes the array containing the new
# iptables data.
sub install_redhat {
    my (@data) = @_;
    write_iptables (''/etc/sysconfig/iptables'', @data);
    system("/sbin/service", "iptables",
"restart");
}
# Install iptables on a Debian system.  Take the array containing the new
# iptables data.
sub install_debian {
    my (@data) = @_;
    unless (-d ''/etc/iptables'') {
        mkdir (''/etc/iptables'', 0755)
            or die "$0: cannot mkdir /etc/iptables: $!\n";
    }
    write_iptables ("/etc/iptables/general", @data);
    system("/sbin/iptables-restore < /etc/iptables/general");
}

##############################################################################
# Main routine
##############################################################################

# Fix things up for error reporting.
$| = 1;
my $fullpath = $0;
$0 =~ s%.*/%%;

# Parse command-line options.
my ($help, $version);
Getopt::Long::config (''bundling'',
''no_ignore_case'');
GetOptions (''h|help''             => \$help,
            ''v|version''          => \$version) or exit 1;
if ($help) {
    print "Feeding myself to perldoc, please wait....\n";
    exec (''perldoc'', ''-t'', $fullpath);
} elsif ($version) {
    my $version = join ('' '', (split ('' '',
$ID))[1..3]);
    $version =~ s/,v\b//;
    $version =~ s/(\S+)$/($1)/;
    $version =~ tr%/%-%;
    print $version, "\n";
    exit;
}
my @modules;

if ( -d ''/etc/iptables.d'' ) {
    @modules = </etc/iptables.d/*>;
}

# Concatenate everything together.
my @data;
push (@data, prefix());
push (@data, "\n");
for my $module (@modules) {
    push (@data, read_iptables ($module));
    push (@data, "\n");
}
push (@data, suffix());

if (-f ''/etc/debian_version'') {
    install_debian (@data);
} elsif (-f ''/etc/redhat-release'') {
    install_redhat (@data);
} else {
    die "$0: cannot figure out whether this is Red Hat or Debian\n";
}

exit 0;
__END__

##############################################################################
# Documentation
##############################################################################

=head1 NAME

rebuild-iptables - Construct an iptables rules file from fragments

=head1 SYNOPSIS

rebuild-iptables [B<-hv>]

=head1 DESCRIPTION

B<rebuild-iptables> constructs an iptables configuration file by 
concatenating
various modules found in F</etc/iptables.d>.  The resulting iptables
configuration file is written to the appropriate file for either Red Hat or
Debian (determined automatically) and iptables is restarted.

Each module is just a text file located in the directory mentioned above 
that
contains one or more iptables configuration lines (basically the arguments 
to
an B<iptables> invocation), possibly including comments.

Along with the modules in the directory specified, a standard prefix and 
suffix
is added.

Normally, the contents of each module are read in verbatim, but a module may
also contain the directive:

    include <module>

on a separate line, where <module> is the path to another module to
include,
specified the same way as modules given on the command line (hence, either a
file name relative to F</afs/ir/service/jumpstart/data/iptables> or an
absolute path).  Such a line will be replaced with the contents of the named
file.  Be careful when using this directive to not create loops; files
including themselves will be detected, but more complex loops will not and
will result in infinite output.

=head1 OPTIONS

=over 4

=item B<-h>, B<--help>

Print out this documentation (which is done simply by feeding the script to
C<perldoc -t>).

=item B<-v>, B<--version>

Print out the version of B<rebuild-iptables> and exit.

=back

=head1 FILES

=over 4
=item B<-h>, B<--help>

Print out this documentation (which is done simply by feeding the script to
C<perldoc -t>).

=item B<-v>, B<--version>

Print out the version of B<rebuild-iptables> and exit.

=back

=head1 FILES

=over 4

=item F</etc/iptables.d>

The default module location.

=item F</etc/debian_version>

If this file exists, the system is assumed to be a Debian system for
determining the installation location when B<-i> is used.

=item F</etc/iptables/general>

The install location of the generated configuration file on Debian.

=item F</etc/redhat-release>

If this file exists, the system is assumed to be a Red Hat system for
determining the installation location when B<-i> is used.

=item F</etc/sysconfig/iptables>

The install location of the generated configuration file on Red Hat.

=back

=head1 AUTHOR

Russ Allbery <rra@stanford.edu>
Digant C Kasundra <digant@stanford.edu>

=head1 SEE ALSO

iptables(8)

=cut




-- 
Digant C Kasundra <digant@stanford.edu>
Technical Lead, ITS Unix Systems and Applications, Stanford University

Hi,

I have been using this GPL iptables wrapper script for many years, it
is used widely in the small business web hosting community:

http://r-fx.org/apf.php

It has a very easy to read / setup configuration file, includes a
large number of TCP stack tweaks, very flexible .. and of course,
because it is a config file, very easy to control with Puppet.

Highly recommend this firewall script, both for functionality and ease
of management.  I have used it on 20-30 servers over the last few
years, puppet manages 4 of those.

- Max

Max wrote:
> Hi,
> 
> I have been using this GPL iptables wrapper script for many years, it
> is used widely in the small business web hosting community:
> 
> http://r-fx.org/apf.php
> 
> It has a very easy to read / setup configuration file, includes a
> large number of TCP stack tweaks, very flexible .. and of course,
> because it is a config file, very easy to control with Puppet.
> 
> Highly recommend this firewall script, both for functionality and ease
> of management.  I have used it on 20-30 servers over the last few
> years, puppet manages 4 of those.
Did the OP ask how to do iptables or how to do iptables in puppet?

Dave