About to start looking at managing iptables on our CentOS 5.2 systems, anyone know if a type/solution already exists for this?

Thanks,

Matt

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Howdy,

Iptables management can be implemented quite easily, I use a modified version of the following:
http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleIptables

Cheers

Quoting Matt <mattmoran76@gmail.com>:
> About to start looking at managing iptables on our CentOS 5.2 systems,
> anyone know if a type/solution already exists for this?
>
> Thanks,
>
> Matt
> About to start looking at managing iptables on our CentOS 5.2 systems,
> anyone know if a type/solution already exists for this?

Have a look at http://github.com/camptocamp/puppet-iptables/tree/master

It's work in progress (and currently stalled). It works for me on a dozen redhat 5.x hosts.

Marc
Marc Fournier <marc.fournier@camptocamp.com> writes:
> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
> It's work in progress (and currently stalled). It works for me on a
> dozen redhat 5.x hosts.

I just started playing with this. It seems pretty convenient. One question though, how do you ensure iptables is installed? Right now, I'm just sticking a package resource in, but the first run results in errors, when puppet tries to apply iptables rules before the binaries exist.

seph
Hi

>> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
>> It's work in progress (and currently stalled). It works for me on a
>> dozen redhat 5.x hosts.
>
> I just started playing with this. It seems pretty convenient. One
> question though, how do you ensure iptables is installed? Right now, I'm
> just sticking a package resource in, but the first run results in
> errors, when puppet tries to apply iptables rules before the binaries
> exist.

So you should do a global Package require at the top of your site.pp:

Iptables { require => Package['iptables'], }

This is the quick solution I see for that. Another thing would be to add the require for every iptables call you do, maybe then do the call in a wrapper define. IMHO you should even be able to do this within the provider, however I don't think this would be the way to go, or is it?

cheers
pete
Interesting ... I'll have to look at that recipe a little more in depth...

I'm about to go live with my overall puppet solution. What I did was just a simple module which pushes out the iptables configuration and restarts the daemon. It simply looks for a file that ends in the $fqdn, and if that isn't there, for a file ending in $service_group (defined in the node's configuration) that matches the particular node, and lastly, if all this has failed, it will push out a default.

By definition, I should generally have 2 or 3 hosts in a service group, which are supposed to be identical, so that cuts down on managing files (downside being that I don't look for the destination addresses).

I've been thinking about using templates, but this complicates matters... I was envisaging something like the recipe for down the line, nice that the doco exists :)

cheers
chakkerz
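As an added example (not code from any poster in this thread or from the camptocamp module), here is a manifest that combines the two ideas above: the per-host, per-service-group, default fallback for the rule file, and the package-before-rules ordering that avoids seph's first-run failure. The class name, the node variable $service_group and the files under modules/iptables/files/ are assumptions.

```puppet
# Added example: an "iptables" module for RHEL/CentOS 5 that picks a rule
# file per host, then per service group, then a default, and orders
# package -> file -> service so the first run never loads rules before
# the iptables binaries exist.  $service_group is assumed to be set in the
# node definition; the file names under files/ are assumed as well.
class iptables {
  package { 'iptables':
    ensure => installed,
  }

  # Rule set in iptables-save format; the first source that exists wins.
  file { '/etc/sysconfig/iptables':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',   # rules describe your topology; keep them root-only
    source  => [
      "puppet:///modules/iptables/iptables.${fqdn}",
      "puppet:///modules/iptables/iptables.${service_group}",
      'puppet:///modules/iptables/iptables.default',
    ],
    require => Package['iptables'],
  }

  # Reload the rule set only when the file actually changed; the init
  # script on CentOS 5 applies /etc/sysconfig/iptables on start/restart.
  service { 'iptables':
    ensure    => running,
    enable    => true,
    hasstatus => true,
    subscribe => File['/etc/sysconfig/iptables'],
  }
}

# If you use the camptocamp iptables type instead of a single file, the
# same ordering is the resource default pete describes, placed in site.pp:
#
#   Iptables { require => Package['iptables'] }
```

Because a bad rule file can leave a host without any filtering after the restart, keep the default file restrictive (drop by default, allow ssh and puppet) so a host that falls through to it is not left open.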
2009/4/22 Marc Fournier <marc.fournier@camptocamp.com>:
>
>> About to start looking at managing iptables on our CentOS 5.2 systems,
>> anyone know if a type/solution already exists for this?
>
> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
> It's work in progress (and currently stalled). It works for me on a
> dozen redhat 5.x hosts.
>
> Marc

That looks like what I'm after, I'll give it a go next week.

Cheers,

Matt
It depends on what you want, but you could also use shorewall.

http://git.black.co.at/?p=module-shorewall;a=tree

I'm not sure it is the site of the original puppet script author, I think, but I don't have the original at hand. I'm pretty satisfied with it. In fact, these scripts are replicated on several puppet recipe repositories, so I think I'm not the only one satisfied :-).

I chose it over simpler iptables configurations because the shorewall package (at least under Debian) ships with init scripts, whereas you have to make your own for iptables. The only drawback I have with these scripts is that they regularly remake the shorewall configuration (even if the puppet conf was not changed) and it takes some time on a slow CPU. Perhaps if it used augeas instead of concatenating files it would be more "modification aware" (I don't know augeas though). I'm new to shorewall and I had to get used to the higher level of abstraction, but the iptables rules it made seemed good.

2009/4/23 Matt <mattmoran76@gmail.com>
>
> 2009/4/22 Marc Fournier <marc.fournier@camptocamp.com>:
> >
> >> About to start looking at managing iptables on our CentOS 5.2 systems,
> >> anyone know if a type/solution already exists for this?
> >
> > Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
> > It's work in progress (and currently stalled). It works for me on a
> > dozen redhat 5.x hosts.
> >
> > Marc
>
> That looks like what I'm after, I'll give it a go next week.
>
> Cheers,
>
> Matt