cookbook 'simple_iptables', '= 0.1.0'
simple_iptables
0.1.0
Simple LWRP and recipe for managing iptables rules
cookbook 'simple_iptables', '= 0.1.0', :supermarket
knife supermarket install simple_iptables
knife supermarket download simple_iptables
Description
Simple cookbook with LWRPs for managing iptables rules and policies.
Requirements
None, other than a system that supports iptables.
Platforms
The cookbook is tested and works on Debian 6.0 and later. It may also work
on other platforms, but the templates are set up for Debian SysV init-type
systems. Contributions to support other platforms are gladly welcomed.
Attributes
This cookbook uses node attributes to track internal state when generating
the iptables rules and policies. These attributes should not be overridden
by roles, other recipes, etc.
Usage
Include the recipe simple_iptables somewhere in your run list, then use the LWRPs simple_iptables_rule and simple_iptables_policy in your recipes.
simple_iptables_rule Resource
Defines a single iptables rule, composed of a rule string (written unmodified into the generated rules file, so it must be valid iptables match syntax) and a jump target. The name attribute is the iptables chain this rule lives in (and, thus, one that other rules can jump to). For instance:
  # Allow SSH
  simple_iptables_rule "ssh" do
    rule "--proto tcp --dport 22"
    jump "ACCEPT"
  end
simple_iptables_policy Resource
Defines the default action for a given built-in iptables chain (INPUT, FORWARD or OUTPUT; user-defined chains cannot carry a policy). This is usually used to switch a chain from default-accept to default-drop. Declare the rules that accept established connections and your management traffic (such as SSH) alongside it; a DROP policy on INPUT with no such rules will cut off the session that applied it. For instance:
  # Drop packets other than those explicitly allowed
  simple_iptables_policy "INPUT" do
    policy "DROP"
  end
Example
Suppose you had the following simple_iptables configuration:
  # Drop packets other than those explicitly allowed
  simple_iptables_policy "INPUT" do
    policy "DROP"
  end

  # The following rules define a "system" chain; chains
  # are used as a convenient way of grouping rules together,
  # for logical organization. Rules are evaluated in the
  # order they are declared, and the first match wins.

  # Allow all traffic on the loopback device
  simple_iptables_rule "system" do
    rule "--in-interface lo"
    jump "ACCEPT"
  end

  # Allow any established connections to continue, even
  # if they would be in violation of other rules.
  simple_iptables_rule "system" do
    rule "-m conntrack --ctstate ESTABLISHED,RELATED"
    jump "ACCEPT"
  end

  # Allow SSH
  simple_iptables_rule "system" do
    rule "--proto tcp --dport 22"
    jump "ACCEPT"
  end

  # Allow HTTP
  simple_iptables_rule "system" do
    rule "--proto tcp --dport 80"
    jump "ACCEPT"
  end

  # And HTTPS
  simple_iptables_rule "system" do
    rule "--proto tcp --dport 443"
    jump "ACCEPT"
  end
This would generate a file /etc/iptables-rules in iptables-restore format, with the "system" chain declared and hung off INPUT, and the rules appended (-A) in declaration order:
# This file generated by Chef. Changes will be overwritten.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:system - [0:0]
-A INPUT --jump system
-A system --in-interface lo --jump ACCEPT
-A system -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
-A system --proto tcp --dport 22 --jump ACCEPT
-A system --proto tcp --dport 80 --jump ACCEPT
-A system --proto tcp --dport 443 --jump ACCEPT
COMMIT
Which results in the following iptables configuration:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
system     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain system (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
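The mapping from resource declarations to the generated file, as an added stand-alone Ruby model that is not the cookbook's own code: it takes the policy and rule declarations from the example above, renders them into the same iptables-restore text, and adds two checks worth running before the file is handed to iptables-restore (every jump target resolves, and an INPUT DROP policy is paired with an ESTABLISHED,RELATED accept). The class name SimpleIptables, the policy/rule method names, the list of built-in jump targets and the rule that every custom chain is hung off INPUT are assumptions drawn from the generated file shown above, not from the cookbook's implementation (which tracks this state in node attributes).

```ruby
# Added example, not code from the simple_iptables cookbook.
require 'set'

# Collects declarations in recipe order and renders them as iptables-restore input.
# policy(chain, action) and rule(chain, rule_string, jump) mirror the LWRP attributes
# on the page; everything else here is an assumption for illustration.
class SimpleIptables
  BUILTIN_CHAINS  = %w[INPUT FORWARD OUTPUT].freeze
  # Standard targets that are valid without a chain declaration (assumed list).
  BUILTIN_TARGETS = %w[ACCEPT DROP REJECT RETURN LOG].freeze

  def initialize
    @policies = { 'INPUT' => 'ACCEPT', 'FORWARD' => 'ACCEPT', 'OUTPUT' => 'ACCEPT' }
    @rules    = [] # [chain, rule_string, jump] in declaration order
  end

  # iptables only allows a policy on the built-in chains.
  def policy(chain, action)
    raise ArgumentError, "policy is only valid on #{BUILTIN_CHAINS.join('/')}" unless BUILTIN_CHAINS.include?(chain)
    @policies[chain] = action
    self
  end

  def rule(chain, rule_string, jump)
    @rules << [chain, rule_string, jump]
    self
  end

  # User-defined chains in first-seen order.
  def custom_chains
    @rules.map(&:first).reject { |c| BUILTIN_CHAINS.include?(c) }.uniq
  end

  # Render the *filter table exactly as the page's /etc/iptables-rules shows it:
  # built-in policies, custom chain declarations, one INPUT jump per custom chain
  # (assumed behaviour, taken from the generated file), then the rules in order.
  def render
    out = ['# This file generated by Chef. Changes will be overwritten.', '*filter']
    BUILTIN_CHAINS.each { |c| out << ":#{c} #{@policies[c]} [0:0]" }
    custom_chains.each  { |c| out << ":#{c} - [0:0]" }
    custom_chains.each  { |c| out << "-A INPUT --jump #{c}" }
    @rules.each { |chain, rule_string, jump| out << "-A #{chain} #{rule_string} --jump #{jump}" }
    out << 'COMMIT'
    out.join("\n") + "\n"
  end

  # Check 1: jump targets that are neither a standard target nor a declared chain.
  # iptables-restore rejects such a file and leaves the old ruleset in place.
  def undefined_targets
    known = Set.new(BUILTIN_CHAINS + BUILTIN_TARGETS + custom_chains)
    @rules.map(&:last).reject { |t| known.include?(t) }.uniq
  end

  # Check 2: INPUT set to DROP with no rule accepting ESTABLISHED (or RELATED,ESTABLISHED)
  # traffic will sever the session that applies the ruleset, including the Chef run's SSH session.
  def lockout_risk?
    return false unless @policies['INPUT'] == 'DROP'
    @rules.none? { |_, r, j| j == 'ACCEPT' && r =~ /--ctstate\s+\S*ESTABLISHED/ }
  end
end

# The configuration from the page's Example section, declared in the same order.
def page_example
  SimpleIptables.new
    .policy('INPUT', 'DROP')
    .rule('system', '--in-interface lo', 'ACCEPT')
    .rule('system', '-m conntrack --ctstate ESTABLISHED,RELATED', 'ACCEPT')
    .rule('system', '--proto tcp --dport 22', 'ACCEPT')
    .rule('system', '--proto tcp --dport 80', 'ACCEPT')
    .rule('system', '--proto tcp --dport 443', 'ACCEPT')
end

if __FILE__ == $PROGRAM_NAME
  cfg = page_example
  abort "undefined jump targets: #{cfg.undefined_targets.join(', ')}" unless cfg.undefined_targets.empty?
  abort 'INPUT DROP without an ESTABLISHED accept rule' if cfg.lockout_risk?
  puts cfg.render
end
```

The two checks are the ones to run in a test-kitchen or CI step before a converge: iptables-restore fails atomically on an unknown target, so check 1 catches a silently unchanged firewall, while check 2 catches the case iptables-restore accepts happily but that locks the operator out.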
Dependent cookbooks
This cookbook has no specified dependencies.