iptables_persistent Cookbook

This cookbook installs and configures iptables-persistent to set up a full firewall based on node attributes, which can be set in roles.

Attributes

Basic settings

| Key | Type | Description | Default |
|-----|------|-------------|---------|
| ["iptables_persistent"]["dir"] | String | The configuration directory | /etc/iptables |
| ["iptables_persistent"]["rules_v4"] | String | The name of the rules file for IPv4 rules | rules or rules.v4, depending on the platform |
| ["iptables_persistent"]["rules_v6"] | String | The name of the rules file for IPv6 rules | rules.v6 |

IPv4 rules

These settings describe the IPv4 firewall rules.

Rules can be defined using one of the following four forms:

Integer

If a rule simply consists of an integer, it results in a rule that opens this port for the section's protocol (TCP or UDP) on the INPUT chain to everyone. The generated rule will be similar to this:

-A INPUT -p tcp --dport 22 -j ACCEPT

Range

If a rule consists of a Range (e.g. 10000..20000), it results in a rule that opens the whole port range for the section's protocol on the INPUT chain to everyone. The generated rule will be similar to this:

-A INPUT -p tcp --dport 10000:20000 -j ACCEPT

String

The rule is included verbatim. It is up to you to ensure proper syntax: a single malformed line makes iptables-restore reject the whole rules file, so check hand-written rules with iptables-restore --test before relying on them.

Hash

This is the most common form, as it allows you to define rules without having to know the iptables syntax intimately. In the hash, you can use the following keys to define a single rule:

| Key | Type | Description | Default |
|-----|------|-------------|---------|
| protocol | String | The protocol (udp, tcp, icmp, ...). This key is only settable in any_pre and any_post rules; elsewhere it is fixed by the section the rule is in. | protocol of the containing rule section, or empty |
| chain | String | The iptables chain, typically INPUT, OUTPUT or FORWARD | INPUT |
| source | String | A single IP or a network specification of the source IP | no default |
| destination | String | A single IP or a network specification of the destination IP | no default |
| interface | String | The network interface (outgoing interface for the OUTPUT chain, incoming interface for all others) | no default |
| state | Array of Strings | Possible connection states (e.g. ESTABLISHED, RELATED) | no default |
| port | String or Integer | The destination port of the packet | no default |
| source_port | String or Integer | The source port of the packet | no default |
| opts | Array of Strings | Additional free-form conditions. This array is just concatenated at the end | no default |
| target | String | The target of the rule. Either another chain or a decision of ACCEPT, REJECT, or DROP | ACCEPT |
| comment | String | An optional comment which is appended at the end of the line | no default |

Where to define rules

The rules can then be appended to the respective section arrays described below. You can set rules in different roles; they are merged at the end. You just have to make sure to always use the same attribute precedence level throughout your whole configuration, as higher levels completely overwrite lower levels for these arrays. E.g. if you have set some rules in default and then set some in override, the default rules will be completely ignored.

Generally, it is recommended to use default in roles.

Using the rules hash, you can define rules for all tables available to iptables. The table below describes the default rules for the filter table which contains the most commonly used rules. For ipv4, there are the filter, nat, mangle, and raw tables. For ipv6 there are the filter, mangle, and raw tables. Please refer to the iptables documentation about the use of these tables and the default chains available.

For some examples of how to set rules, please have a look at the secure_default recipe.

| Key | Type | Description | Default |
|-----|------|-------------|---------|
| ["iptables_persistent"]["ipv4"]["filter"]["chains"]["INPUT"] | String | The default policy for the IPv4 INPUT chain | ACCEPT |
| ["iptables_persistent"]["ipv4"]["filter"]["chains"]["OUTPUT"] | String | The default policy for the IPv4 OUTPUT chain | ACCEPT |
| ["iptables_persistent"]["ipv4"]["filter"]["chains"]["FORWARD"] | String | The default policy for the IPv4 FORWARD chain | ACCEPT |
| ["iptables_persistent"]["ipv4"]["filter"]["any_pre"] | Array of Integers, Strings or Hashes | Non-protocol-specific rules for the IPv4 firewall. These rules are evaluated first. | empty Array |
| ["iptables_persistent"]["ipv4"]["filter"]["tcp"] | Array of Integers, Strings or Hashes | TCP-specific rules for the IPv4 firewall. | empty Array |
| ["iptables_persistent"]["ipv4"]["filter"]["udp"] | Array of Integers, Strings or Hashes | UDP-specific rules for the IPv4 firewall. | empty Array |
| ["iptables_persistent"]["ipv4"]["filter"]["any_post"] | Array of Integers, Strings or Hashes | Non-protocol-specific rules for the IPv4 firewall. These rules are evaluated last. | empty Array |

IPv6 rules

Note: these rules are only evaluated if the iptables-persistent package available on the node is recent enough, i.e. >= 0.0.20101230.

Rules are evaluated exactly the same way as for IPv4.

| Key | Type | Description | Default |
|-----|------|-------------|---------|
| ["iptables_persistent"]["ipv6"]["filter"]["chains"]["INPUT"] | String | The default policy for the IPv6 INPUT chain | ACCEPT |
| ["iptables_persistent"]["ipv6"]["filter"]["chains"]["OUTPUT"] | String | The default policy for the IPv6 OUTPUT chain | ACCEPT |
| ["iptables_persistent"]["ipv6"]["filter"]["chains"]["FORWARD"] | String | The default policy for the IPv6 FORWARD chain | ACCEPT |
| ["iptables_persistent"]["ipv6"]["filter"]["any_pre"] | Array of Integers, Strings or Hashes | Non-protocol-specific rules for the IPv6 firewall. These rules are evaluated first. | empty Array |
| ["iptables_persistent"]["ipv6"]["filter"]["tcp"] | Array of Integers, Strings or Hashes | TCP-specific rules for the IPv6 firewall. | empty Array |
| ["iptables_persistent"]["ipv6"]["filter"]["udp"] | Array of Integers, Strings or Hashes | UDP-specific rules for the IPv6 firewall. | empty Array |
| ["iptables_persistent"]["ipv6"]["filter"]["any_post"] | Array of Integers, Strings or Hashes | Non-protocol-specific rules for the IPv6 firewall. These rules are evaluated last. | empty Array |

Usage

iptables_persistent::default

Just include iptables_persistent in your node's run_list:

{
  "name":"my_node",
  "run_list": [
    "recipe[iptables_persistent]"
  ]
}

This will install iptables-persistent and set up basic firewall rules. The firewall will default to accepting everything. You will need to configure rules in roles or application cookbooks.

iptables_persistent::secure_default

This will include the default recipe and configure it with some secure defaults for a minimally working firewall:

  • Drop any IPv6 traffic
  • Allow traffic on the loopback adapter
  • Allow only established incoming and forwarded traffic on IPv4 by default
  • Allow important ICMP traffic on IPv4
  • Allow traffic to SSH (port 22) on IPv4

If you extend these rules, make sure to add rules on the default level. If you set rules on any higher level, they will completely replace all previous rules, including the SSH rule above. Make sure that you can still reach your system before enabling this in production.
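To make the rule forms from the IPv4 rules section and the secure_default bullet list concrete, here is an added Ruby example (not the cookbook's own rules.erb template or recipe code) that renders Integer, Range, String and Hash rules into iptables-restore lines and then renders a filter table modelled on the secure_default list. The option mapping (e.g. state to -m state --state, comment to -m comment) is an assumption derived from the key descriptions in this README; the cookbook's template may emit slightly different text. The SECURE_FILTER attribute hash is constructed for this example and is not the recipe's actual attribute values.

```ruby
# Added example: render the cookbook's four rule forms to iptables-restore
# lines. The exact option mapping is an assumption based on the README's key
# descriptions, not a copy of the cookbook's rules.erb.

def render_rule(section, rule)
  # `section` is the attribute array the rule sits in ("tcp", "udp",
  # "any_pre" or "any_post"); it fixes the protocol for tcp/udp sections.
  proto = %w[tcp udp].include?(section) ? section : nil
  case rule
  when Integer
    raise ArgumentError, "port #{rule} needs a tcp or udp section" unless proto
    "-A INPUT -p #{proto} --dport #{rule} -j ACCEPT"
  when Range
    raise ArgumentError, "port range needs a tcp or udp section" unless proto
    "-A INPUT -p #{proto} --dport #{rule.first}:#{rule.last} -j ACCEPT"
  when String
    rule # included verbatim, no syntax check
  when Hash
    render_hash(section, proto, rule)
  else
    raise ArgumentError, "unsupported rule form: #{rule.class}"
  end
end

def render_hash(section, proto, rule)
  chain = rule.fetch("chain", "INPUT")
  # "protocol" is only settable in any_pre/any_post; in tcp/udp sections it
  # is fixed by the section, so a conflicting value is rejected here.
  if proto.nil?
    proto = rule["protocol"]
  elsif rule.key?("protocol") && rule["protocol"] != proto
    raise ArgumentError, "protocol cannot be overridden in the #{section} section"
  end
  parts = ["-A #{chain}"]
  parts << "-p #{proto}" if proto
  parts << "-s #{rule["source"]}" if rule["source"]
  parts << "-d #{rule["destination"]}" if rule["destination"]
  if rule["interface"]
    # outgoing interface for OUTPUT, incoming interface for all other chains
    parts << (chain == "OUTPUT" ? "-o" : "-i") + " #{rule["interface"]}"
  end
  parts << "-m state --state #{Array(rule["state"]).join(",")}" if rule["state"]
  parts << "--sport #{rule["source_port"]}" if rule["source_port"]
  parts << "--dport #{rule["port"]}" if rule["port"]
  parts.concat(Array(rule["opts"]))            # free-form conditions, appended as-is
  parts << "-j #{rule.fetch("target", "ACCEPT")}"
  parts << "-m comment --comment \"#{rule["comment"]}\"" if rule["comment"]
  parts.join(" ")
end

def render_filter_table(filter)
  lines = ["*filter"]
  filter.fetch("chains", {}).each { |chain, policy| lines << ":#{chain} #{policy} [0:0]" }
  # Evaluation order documented in the README: any_pre, tcp, udp, any_post
  %w[any_pre tcp udp any_post].each do |section|
    Array(filter[section]).each { |rule| lines << render_rule(section, rule) }
  end
  lines << "COMMIT"
end

# Constructed sample modelled on the secure_default bullet list (loopback,
# established/related, ICMP echo, SSH); not the recipe's real attributes.
SECURE_FILTER = {
  "chains"  => { "INPUT" => "DROP", "OUTPUT" => "ACCEPT", "FORWARD" => "DROP" },
  "any_pre" => [
    { "interface" => "lo", "comment" => "loopback" },
    { "state" => %w[ESTABLISHED RELATED] },
    { "chain" => "FORWARD", "state" => %w[ESTABLISHED RELATED] },
    { "protocol" => "icmp", "opts" => ["--icmp-type echo-request"] },
  ],
  "tcp"      => [22],
  "udp"      => [],
  "any_post" => ['-A INPUT -j LOG --log-prefix "iptables-dropped: "'],
}.freeze

puts render_filter_table(SECURE_FILTER) if $PROGRAM_NAME == __FILE__
```

Running the script prints an iptables-restore compatible filter table; the LOG line in any_post shows the String form being passed through untouched, so it would be the place where a typo slips through unchecked.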

Contributing

  1. Fork the repository on Github
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

License and Authors

Authors: Holger Just, Planio GmbH

Copyright 2013, Planio GmbH

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

chef-iptables_persistent's Issues

Add resources/providers to configure rules

iptables rules should also be configurable using resources. That way, the rules could also be generated dynamically by wrapper cookbooks without hacks involving dynamic attributes.

The rules generated that way could be saved inside a node.run_state hash and included in the generated templates similar to the attributes we have now.

Error executing create on template[iptables-persistent_v4]

Any ideas what's going wrong?

Recipe: iptables_persistent::default
  * package[iptables] action install (up to date)
  * package[iptables-persistent] action install (up to date)
  * chef_gem[ipaddress] action install (up to date)
  * directory[/etc/iptables] action create (up to date)
  * template[iptables-persistent_v4] action create
================================================================================
Error executing action `create` on resource 'template[iptables-persistent_v4]'
================================================================================


Chef::Mixin::Template::TemplateError
------------------------------------
Node attributes are read-only when you do not specify which precedence level to set. To set an attribute use code like `node.default["key"] = "value"'


Resource Declaration:
---------------------
# In /etc/chef/cookbooks-1/iptables_persistent/recipes/default.rb

 31:   template "iptables-persistent_#{version}" do
 32:     path "#{node["iptables_persistent"]["dir"]}/#{node["iptables_persistent"]["rules_#{version}"]}"
 33:     source "rules.erb"
 34:     owner "root"
 35:     group "root"
 36:     mode "0644"
 37: 
 38:     variables :protocol => "ip#{version}"
 39:     notifies :create, "ruby_block[restart iptables-persistent]", :immediately
 40:   end
 41: end



Compiled Resource:
------------------
# Declared in /etc/chef/cookbooks-1/iptables_persistent/recipes/default.rb:31:in `block in from_file'

template("iptables-persistent_v4") do
  provider Chef::Provider::Template
  action "create"
  retries 0
  retry_delay 2
  path "/etc/iptables/rules.v4"
  backup 5
  atomic_update true
  source "rules.erb"
  variables {:protocol=>"ipv4"}
  cookbook_name :iptables_persistent
  recipe_name "default"
  mode "0644"
  owner "root"
  group "root"
end



Template Context:
-----------------
on line #22
 20: <%- end %>
 21: 
 22: <% rules(@protocol, table).each do |rule| -%>
 23: <%= rule %>
 24: <%- end %>


[2013-08-09T01:16:25+02:00] ERROR: Running exception handlers
[2013-08-09T01:16:25+02:00] ERROR: Exception handlers complete
[2013-08-09T01:16:25+02:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 3 resources updated
[2013-08-09T01:16:25+02:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
ERROR: RuntimeError: chef-solo failed. See output above.

apt-get -q -y install iptables-persistent=0.5.3ubuntu2 returned 100, expected 0

Could it be that an include_recipe "apt" in the iptables-persistent cookbook is necessary? I've got one in my cookbook that includes iptables_persistent, but that doesn't help.

https://gist.github.com/lvnilesh/4039324
http://stackoverflow.com/questions/8937351/chef-isnt-running-the-apt-apt-get-update-recipe-apt-returns-100
http://garysieling.com/blog/fixing-error-apt-get-return-100-expected-0-chefvagrant

Recipe: iptables_persistent::default
  * package[iptables] action install
    - install version 1.4.12-1ubuntu5 of package iptables

  * package[iptables-persistent] action install
================================================================================
Error executing action `install` on resource 'package[iptables-persistent]'
================================================================================


Chef::Exceptions::Exec
----------------------
apt-get -q -y install iptables-persistent=0.5.3ubuntu2 returned 100, expected 0


Resource Declaration:
---------------------
# In /etc/chef/cookbooks-1/iptables_persistent/recipes/default.rb

 21: package "iptables-persistent"
 22: 



Compiled Resource:
------------------
# Declared in /etc/chef/cookbooks-1/iptables_persistent/recipes/default.rb:21:in `from_file'

package("iptables-persistent") do
  action :install
  retries 0
  retry_delay 2
  package_name "iptables-persistent"
  version "0.5.3ubuntu2"
  cookbook_name :iptables_persistent
  recipe_name "default"
end
