chorankates / rouster

Rouster.is_a?('abstraction layer for controlling Vagrant virtual machines') => true
BSD 3-Clause "New" or "Revised" License

fixing iptables status determination #117

Closed chorankates-sfdc closed 6 years ago

chorankates-sfdc commented 6 years ago

Resolving #84 by detecting iptables output and presuming it is enabled, allowing the final line in the output to flip it to disabled as needed.

relevant iptables information in service --status-all when iptables is running:

Table: filter       
Chain INPUT (policy ACCEPT)         
num  target     prot opt source               destination
1    ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED
2    ACCEPT     icmpv6    ::/0                 ::/0
3    ACCEPT     all      ::/0                 ::/0
4    ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:22
5    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)  
num  target     prot opt source               destination
1    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Table: filter       
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

same, when iptables is disabled:

Table: filter     
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all      ::/0                 ::/0                state RELATED,ESTABLISHED
2    ACCEPT     icmpv6    ::/0                 ::/0
3    ACCEPT     all      ::/0                 ::/0
4    ACCEPT     tcp      ::/0                 ::/0                state NEW tcp dpt:22
5    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all      ::/0                 ::/0                reject-with icmp6-adm-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

iptables: Firewall is not running.

So now, if the table headers are matched, set iptables to running, and if it isn't running, we'll catch the final line and flip it back to stopped.
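The detection logic the comment above describes, written out as an added example (not rouster's own code): a `Table:` header presumes iptables is running, and the trailing "Firewall is not running." line overrides that presumption. Output with neither marker is reported as `:unknown` rather than silently treated as running; the sample inputs are constructed from the status output quoted in this PR.

```ruby
# Added example, not rouster's own code: determine the iptables state from
# the `service --status-all` text quoted in this PR.
NOT_RUNNING = /^iptables: Firewall is not running\.$/
TABLE_HEADER = /^Table:\s+\S+/

def iptables_state(status_output)
  state = :unknown
  status_output.each_line do |raw|
    line = raw.chomp
    # A table header (e.g. "Table: filter") means rules are loaded: presume running.
    state = :running if line =~ TABLE_HEADER
    # The final line flips the presumption back to stopped, even if tables were printed.
    state = :stopped if line =~ NOT_RUNNING
  end
  state
end

# Constructed sample inputs, trimmed from the output shown in the PR.
RUNNING_OUTPUT = <<~OUT
  Table: filter
  Chain INPUT (policy ACCEPT)
  num  target     prot opt source               destination
  1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

  Chain FORWARD (policy ACCEPT)
  num  target     prot opt source               destination
  1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
OUT

# Disabled case: the same tables followed by the explicit "not running" line.
STOPPED_OUTPUT = RUNNING_OUTPUT + "\niptables: Firewall is not running.\n"

if __FILE__ == $0
  puts iptables_state(RUNNING_OUTPUT)  # running
  puts iptables_state(STOPPED_OUTPUT)  # stopped
  puts iptables_state("")              # unknown
end
```

Callers that previously assumed "no error line means running" should treat `:unknown` as a failed check, since an empty or unexpected status output gives no evidence that the firewall is up.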

chorankates-sfdc commented 6 years ago

@pferriola @petersenallen - looks like I was making the problem harder than it needed to be. Confirmed this works as expected on RHEL6, need to confirm with 7 and check CentOS and Debian, but even if it doesn't fix everything, it does fix @pjperger's reported issue.