chef-cookbooks / iptables

Development repository for Chef Cookbook iptables
https://supermarket.chef.io/cookbooks/iptables
Apache License 2.0

using iptables::disabled doesn't flush the current ruleset #69

Closed poblahblahblah closed 7 years ago

poblahblahblah commented 7 years ago

Cookbook version

3.0.1

Chef-client version

12.14.89

Platform Details

RHEL 6.8

Scenario:

We had shifted some IPTables rules from our hosts into our firewalls and thought an easy way to roll back all of the rulesets in iptables would be to just include iptables::disabled; however, we found that while this removes the files from /etc/iptables.d, it doesn't flush the existing rule set.

Steps to Reproduce:

1) Set up a host and add a few arbitrary rules to IPTables
2) Include the iptables::disabled recipe

Expected Result:

IPTables would be disabled and the ruleset flushed

Actual Result:

IPTables ruleset is still active

hagay3 commented 7 years ago

Fixed here; please merge my PR https://github.com/chef-cookbooks/iptables/pull/71

poblahblahblah commented 7 years ago

It looks like this didn't end up flushing the rules on a chef-client run:

Recipe: iptables::_package
  * yum_package[iptables-services] action install
    - install version 1.4.21-17.el7 of package iptables-services
Recipe: iptables::disabled
  * service[iptables] action disable (up to date)
  * service[iptables] action stop (up to date)
  * directory[/etc/iptables.d] action delete (up to date)
  * execute[iptablesFlush] action nothing (skipped due to action :nothing)

/etc/iptables.d doesn't exist on RHEL/CentOS 7, so the flush is never triggered. Looking at a CentOS 7 system I see that /usr/lib/systemd/system/iptables.service calls /usr/libexec/iptables/iptables.init. This appears to be a SysVinit-style script, and it looks like the script by default reads its rules from /etc/sysconfig/iptables:

IPTABLES=iptables
IPTABLES_DATA=/etc/sysconfig/$IPTABLES
IPTABLES_FALLBACK_DATA=${IPTABLES_DATA}.fallback
IPTABLES_CONFIG=/etc/sysconfig/${IPTABLES}-config

Would you like me to submit a PR for CentOS/RHEL7 that addresses this? Would we just want to zero this file out and have that trigger the flush?
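A post-converge check, added here as an example and not part of the cookbook or this thread: it parses iptables-save output to confirm the live ruleset really is flushed (no rules, no user-defined chains, every builtin chain policy ACCEPT), which is the expected result the report describes and the converge output above does not deliver. The two sample rulesets are constructed, and check_live_ruleset is a hypothetical wrapper that needs root on a real host.

```shell
#!/bin/sh
# Reads iptables-save output on stdin and decides whether the live ruleset
# is really flushed: no -A rules, no user-defined chains, and every builtin
# chain policy ACCEPT. Prints a one-line summary; exit 0 = flushed,
# exit 1 = rules still active (the "Actual Result" in the report).
iptables_ruleset_is_flushed() {
  awk '
    # ":CHAIN POLICY [pkts:bytes]" -- builtin chains carry ACCEPT/DROP,
    # user-defined chains carry "-" in the policy column
    /^:/ {
      if ($2 == "-") { custom++ } else if ($2 != "ACCEPT") { nonaccept++ }
      next
    }
    /^-A / { rules++ }
    END {
      printf "rules=%d custom_chains=%d non_accept_policies=%d\n", rules, custom, nonaccept
      bad = rules + custom + nonaccept
      exit (bad > 0 ? 1 : 0)
    }'
}

# Hypothetical wrapper for a real host (needs root): run after converging
# iptables::disabled to verify the node is actually open, not just "disabled".
check_live_ruleset() {
  iptables-save | iptables_ruleset_is_flushed
}

# Constructed sample: a host where the ruleset is still active.
ACTIVE_RULESET='*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [88:7040]
:ALLOW_SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ALLOW_SSH
-A ALLOW_SSH -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# Constructed sample: a genuinely flushed host (empty nat and filter tables).
FLUSHED_RULESET='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```

Pipe either sample into the function (`printf '%s\n' "$ACTIVE_RULESET" | iptables_ruleset_is_flushed`) to see the summary and exit status; the same function works on a saved ruleset file from a node.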

hagay3 commented 7 years ago

It needs to be triggered somehow. Where is the iptables rules dir on RHEL?

tas50 commented 7 years ago

Closing this out since it's been merged to master