Puppet users - Apr 2009 - iptables anyone?

About to start looking at managing iptables on our CentOS 5.2 systems,
anyone know if a type/solution already exists for this?

Thanks,

Matt

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Howdy,

Iptables management can be implemented quite easily, i use a modified 
version of
the following:
http://reductivelabs.com/trac/puppet/wiki/Recipes/ModuleIptables

Cheers


Quoting Matt <mattmoran76@gmail.com>:
>
> About to start looking at managing iptables on our CentOS 5.2 systems,
> anyone know if a type/solution already exists for this?
>
> Thanks,
>
> Matt
>
> >
>


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

> About to start looking at managing iptables on our CentOS 5.2 systems,
> anyone know if a type/solution already exists for this?
Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
It''s work in progress (and currently stalled). It works for me on a
dozen redhat 5.x hosts.

Marc



--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Marc Fournier <marc.fournier@camptocamp.com> writes:
> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
> It''s work in progress (and currently stalled). It works for me on
a
> dozen redhat 5.x hosts.
I just started playing with this. It seems pretty convenient. One
question though, how do you ensure iptables is installed? Right now,
I''m
just sticking a package resource in, but the first run results in
errors, when puppet tries to apply iptables rules before the binaries
exist.

seph

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi
>> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
>> It''s work in progress (and currently stalled). It works for me
on a
>> dozen redhat 5.x hosts.
> 
> I just started playing with this. It seems pretty convenient. One
> question though, how do you ensure iptables is installed? Right now,
I''m
> just sticking a package resource in, but the first run results in
> errors, when puppet tries to apply iptables rules before the binaries
> exist.

so you should do a global Package require at the top of your site.pp:

Iptables {
   require => Package[''iptables''],
}

this is the quick solution I see foor that. Another thing would be to
add the require for every iptables call you do, maybe do then the call
in a warpper define.
IMHO you should even be able to do this within the provider, however I
don''t this would be the way to go, or is it?

cheers pete

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Interesting ... I''ll have to look at that recipe a little more
indepth...

I''m about to go live with my overall puppet solution, what i did was
just a simple module which pushes out the iptables configuration and
restarts the daemon. It simply looks for a file that ends in the
$fqdn, and if that isn''t there if there is a file ending in
$service_group (defined in the nodes configuration) that matches the
particular node, and lastly if all this has failed it will push out a
default. By definition, i should have generally 2 or 3 hosts in a
service group, which are supposed to be identical, so that cuts down
on managing files (downside being that i don''t look for the
destination addresses)

I''ve been thinking about using templates, but this complicates
matters... I was envisaging something like the recipe for down the
line, nice that the doco exists :)

cheers
chakkerz
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

2009/4/22 Marc Fournier
<marc.fournier@camptocamp.com>:
>
>
>> About to start looking at managing iptables on our CentOS 5.2 systems,
>> anyone know if a type/solution already exists for this?
>
> Have a look at http://github.com/camptocamp/puppet-iptables/tree/master
> It''s work in progress (and currently stalled). It works for me on
a
> dozen redhat 5.x hosts.
>
> Marc
That looks like what i''m after, i''ll give it a go next week. 
Cheers,

Matt

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

It depends on what you want but you could also use shorewall.
http://git.black.co.at/?p=module-shorewall;a=tree
It is not sure it is the site of the original puppet script author I think
but I don''t have the original at hand.

I''m pretty satisfied with it. In fact, these scripts are replicated on
several puppet recipes repository, so I think I''m not the only
satisfied
:-).
I choose it other simpler iptable configuration because the shorewall
package (at least under Debian) ship with init scripts whereas you have to
make your own for iptables.
The only drawback I have with these scripts is that it regulary remake the
shorewall configuration (even if puppet conf was not changed) and it take
some time on slow cpu. Perhaps if it used augeas instead of concatening
files it would be more "modification aware" (I don''t know
augeas though).

I''m new with shorewall and I had to get used to the higher level of
abstraction but the iptables rules maded seemed good.

2009/4/23 Matt <mattmoran76@gmail.com>
>
> 2009/4/22 Marc Fournier <marc.fournier@camptocamp.com>:
> >
> >
> >> About to start looking at managing iptables on our CentOS 5.2
systems,
> >> anyone know if a type/solution already exists for this?
> >
> > Have a look at
http://github.com/camptocamp/puppet-iptables/tree/master
> > It''s work in progress (and currently stalled). It works for
me on a
> > dozen redhat 5.x hosts.
> >
> > Marc
>
> That looks like what i''m after, i''ll give it a go next
week.  Cheers,
>
> Matt
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---