Split out iptables
Depends-on: I7d8788e8ca9e95a1c6f79f562898464f6fb74ff7 Change-Id: I5c5599c53437c4af4dfc2e3071c42082d2688521
parent
e23faf1f43
commit
73f162d0dd
@ -60,6 +60,7 @@ INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-asterisk"]
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-elasticsearch"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-gerrit"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-storyboard"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-iptables"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-zuul"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-kibana"]="origin/master"
|
||||
INTEGRATION_MODULES["https://git.openstack.org/openstack-infra/puppet-lodgeit"]="origin/master"
|
||||
|
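--- a/[path not shown on page]
+++ /dev/null
@@ -1,89 +0,0 @@
-# Class: iptables
-#
-# http://projects.puppetlabs.com/projects/1/wiki/Module_Iptables_Patterns
-#
-# params:
-# rules4: A list of additional iptables v4 rules
-# eg: [ '-m udp -p udp -s 127.0.0.1 --dport 8125 -j ACCEPT' ]
-# rules6: A list of additional iptables v6 rules
-# eg: [ '-m udp -p udp -s ::1 --dport 8125 -j ACCEPT' ]
-# public_tcp_ports: List of integer TCP ports on which to allow all traffic
-# public_udp_ports: List of integer UDP ports on which to allow all traffic
-class iptables(
-$rules4 = [],
-$rules6 = [],
-$public_tcp_ports = [],
-$public_udp_ports = []
-) {
-
-include iptables::params
-
-package { 'iptables':
-ensure => present,
-name => $::iptables::params::package_name,
-}
-
-if ($::in_chroot) {
-notify { 'iptables in chroot':
-message => 'Iptables not refreshed, running in chroot',
-}
-$notify_iptables = []
-}
-else {
-service { 'iptables':
-name => $::iptables::params::service_name,
-require => Package['iptables'],
-hasstatus => $::iptables::params::service_has_status,
-status => $::iptables::params::service_status_cmd,
-hasrestart => $::iptables::params::service_has_restart,
-enable => true,
-}
-$notify_iptables = Service['iptables']
-}
-
-file { $::iptables::params::rules_dir:
-ensure => directory,
-require => Package['iptables'],
-}
-
-# This file is not required on Red Hat distros... but it
-# won't hurt to softlink to it either
-file { "${::iptables::params::rules_dir}/rules":
-ensure => present,
-owner => 'root',
-group => 'root',
-mode => '0640',
-content => template('iptables/rules.erb'),
-require => [
-Package['iptables'],
-File[$::iptables::params::rules_dir],
-],
-# When this file is updated, make sure the rules get reloaded.
-notify => $notify_iptables,
-}
-
-file { $::iptables::params::ipv4_rules:
-ensure => link,
-owner => 'root',
-group => 'root',
-mode => '0640',
-target => "${::iptables::params::rules_dir}/rules",
-require => File["${::iptables::params::rules_dir}/rules"],
-notify => $notify_iptables,
-}
-
-file { $::iptables::params::ipv6_rules:
-ensure => present,
-owner => 'root',
-group => 'root',
-mode => '0640',
-content => template('iptables/rules.v6.erb'),
-require => [
-Package['iptables'],
-File[$::iptables::params::rules_dir],
-],
-# When this file is updated, make sure the rules get reloaded.
-notify => $notify_iptables,
-replace => true,
-}
-}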
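--- a/[path not shown on page]
+++ /dev/null
@@ -1,60 +0,0 @@
-# Class: iptables::params
-#
-# This class holds parameters that need to be
-# accessed by other classes.
-class iptables::params {
-case $::osfamily {
-'RedHat': {
-case $::operatingsystem {
-'Fedora': {
-$package_name = 'iptables-services'
-$service_has_restart = true
-}
-'RedHat','CentOS','Scientific': {
-case $::operatingsystemrelease {
-/^7/: {
-$package_name = 'iptables-services'
-$service_has_restart = true
-}
-/^6/: {
-$package_name = 'iptables'
-$service_has_restart = false
-}
-default: {
-fail("Unsupported operatingsystemrelease: ${::operatingsystemrelease} The 'iptables' module recognize only 6, 7 as RedHat major versions.")
-}
-}
-}
-default: {
-fail("Unsupported operatingsystem: ${::operatingsystem} The 'iptables' module with RedHat osfamily.")
-}
-}
-$service_name = 'iptables'
-$rules_dir = '/etc/sysconfig'
-$ipv4_rules = '/etc/sysconfig/iptables'
-$ipv6_rules = '/etc/sysconfig/ip6tables'
-$service_has_status = true
-$service_status_cmd = undef
-}
-'Debian': {
-$package_name = 'iptables-persistent'
-$service_name = 'iptables-persistent'
-$rules_dir = '/etc/iptables'
-$ipv4_rules = '/etc/iptables/rules.v4'
-$ipv6_rules = '/etc/iptables/rules.v6'
-# Because there is no running process for this service, the normal status
-# checks fail. Because puppet then thinks the service has been manually
-# stopped, it won't restart it. This fake status command will trick
-# puppet into thinking the service is *always* running (which in a way
-# it is, as iptables is part of the kernel.)
-$service_has_status = true
-$service_status_cmd = true
-# Under Debian, the "restart" parameter does not reload the rules, so
-# tell Puppet to fall back to stop/start, which does work.
-$service_has_restart = false
-}
-default: {
-fail("Unsupported osfamily: ${::osfamily} The 'iptables' module only supports osfamily Debian or RedHat (slaves only).")
-}
-}
-}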
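--- a/[path not shown on page]
+++ /dev/null
@@ -1,29 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmp --icmp-type any -j ACCEPT
-#-A openstack-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 50.57.120.246 -j ACCEPT
--A openstack-INPUT -m udp -p udp --dport 161 -s 198.61.215.188 -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules4.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp-host-prohibited
-COMMIT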
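--- a/[path not shown on page]
+++ /dev/null
@@ -1,27 +0,0 @@
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:openstack-INPUT - [0:0]
--A INPUT -j openstack-INPUT
--A openstack-INPUT -i lo -j ACCEPT
--A openstack-INPUT -p icmpv6 -j ACCEPT
--A openstack-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-# SSH from anywhere
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-# SNMP from openstack cacti
--A openstack-INPUT -m udp -p udp --dport 161 -s 2001:4800:780d:0509:3bc3:d7f6:ff04:49de -j ACCEPT
-# Public TCP ports
-<% @public_tcp_ports.each do |port| -%>
--A openstack-INPUT -m state --state NEW -m tcp -p tcp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Public UDP ports
-<% @public_udp_ports.each do |port| -%>
--A openstack-INPUT -m udp -p udp --dport <%= port %> -j ACCEPT
-<% end -%>
-# Per-host rules
-<% @rules6.each do |rule| -%>
--A openstack-INPUT <%= rule %>
-<% end -%>
--A openstack-INPUT -j REJECT --reject-with icmp6-adm-prohibited
-COMMIT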