Closed acqant closed 10 years ago
That should not be the case. Can you give some more information?
The output section of chef-client --once that concerns changed iptables rules, and lsb_release -a, would be helpful.
Also how you call the LWRPs and/or iptables-ng attributes you are using. Thanks!
CB
# Configure Iptables
include_recipe "iptables-ng"

iptables_ng_chain 'name' do
  chain 'INPUT'       # The chain to set the policy for (name_attribute)
  table 'filter'      # The table to use (defaults to 'filter')
  policy 'DROP [0:0]' # The policy to use (defaults to 'ACCEPT [0:0]' for
                      # built-in chains, to '- [0:0]' for custom ones)
  action :create      # Supported actions: :create, :create_if_missing, :delete
                      # Default action: :create
end

iptables_ng_rule 'ssh' do
  rule "--protocol tcp --dport 33333 --match state --state NEW --jump ACCEPT"
end

iptables_ng_rule 'related_n_established' do
  rule '-m state --state ESTABLISHED,RELATED -j ACCEPT'
end

iptables_ng_rule 'icmp' do
  rule '--protocol icmp --icmp-type any -j ACCEPT'
end
Chef run
Recipe: iptables-ng::manage
  * ruby_block[create_rules] action create
Recipe: <Dynamically Defined Resource>
  * file[/etc/sysconfig/iptables] action create (up to date)
    - execute the ruby block create_rules
Recipe: iptables-ng::manage
  * ruby_block[restart_iptables] action create
Recipe: <Dynamically Defined Resource>
  * service[iptables] action enable (up to date)
  * service[iptables] action restart
    - restart service service[iptables]
    - execute the ruby block restart_iptables
/var/log/messages
Jul 9 13:42:05 localhost kernel: ip_tables: (C) 2000-2006 Netfilter Core Team
Jul 9 13:42:05 localhost kernel: nf_conntrack version 0.5.0 (7971 buckets, 31884 max)
└─> cat /etc/issue
CentOS release 6.5 (Final)
Kernel \r on an \m
Any way to disable iptables with this CB?
Sorry, I do not know "CB" :( Can you explain?
Your rules seem to not make a lot of sense. In case those are the real rules: include_recipe 'iptables-ng', unless you use rules from attributes. I think mixing LWRP usage and attributes is not a good idea -> LWRPs are recommended and usually way more potent. Did you maybe mix in attribute rules, which are conflicting with the LWRP rules, and therefore modifying the resulting iptables-restore file, resulting in a service restart?
iptables_ng_rule names with a number, so their order is defined more precisely. E.g. iptables_ng_rule '50-ssh'. Could it be that the order is changing, and therefore the resulting iptables-restore file is a little different, resulting in a service restart?
The cookbook is designed to only restart the iptables service when the iptables-restore config is changed. In your case this would be /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Hope this information helps!
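To make the two points in that comment concrete (unprefixed rule names leave rule order to whatever the resources or iptables.d files happen to sort to, and a restart should only follow a change in the rendered iptables-restore file), here is an added Ruby example. It is not the iptables-ng cookbook's code and does not reproduce its real rendering; the numbered names, the render function and the digest comparison are assumptions of ours, while the rule strings and the DROP policy are taken from the recipe in this issue.

```ruby
require 'digest'

# Constructed rule sets (not from the cookbook). The rule strings are the ones
# from the recipe in this issue; the numbered names are our assumption of what
# "prefix the names with a number" looks like in practice.
RULES_UNNUMBERED = {
  'ssh'                   => '--protocol tcp --dport 33333 --match state --state NEW --jump ACCEPT',
  'related_n_established' => '-m state --state ESTABLISHED,RELATED -j ACCEPT',
  'icmp'                  => '--protocol icmp --icmp-type any -j ACCEPT',
}.freeze

RULES_NUMBERED = {
  '10-related_n_established' => '-m state --state ESTABLISHED,RELATED -j ACCEPT',
  '20-icmp'                  => '--protocol icmp --icmp-type any -j ACCEPT',
  '50-ssh'                   => '--protocol tcp --dport 33333 --match state --state NEW --jump ACCEPT',
}.freeze

# Render a simplified iptables-restore style filter table for the INPUT chain,
# emitting the rules in the order of names given (hypothetical stand-in for the
# cookbook's own rendering). The policy matches the recipe above.
def render_restore_file(rules, order, policy: 'DROP [0:0]')
  lines = ['*filter', ":INPUT #{policy}"]
  order.each { |name| lines << "-A INPUT #{rules.fetch(name)}" }
  lines << 'COMMIT'
  lines.join("\n") + "\n"
end

# Restart only when the rendered content differs from what is already on disk.
# Comparing digests is one way to keep a "file changed -> restart service"
# decision idempotent across Chef runs.
def restart_needed?(existing_content, rendered_content)
  Digest::SHA256.hexdigest(existing_content) != Digest::SHA256.hexdigest(rendered_content)
end

# Simulate two consecutive runs that see the same rules in a different order:
# once in declaration order, once sorted by name (as files in an iptables.d
# directory would be). Returns true when that alone would trigger a restart.
def order_drift_restarts?(rules)
  previous_run = render_restore_file(rules, rules.keys)
  next_run     = render_restore_file(rules, rules.keys.sort)
  restart_needed?(previous_run, next_run)
end

if __FILE__ == $PROGRAM_NAME
  puts "unnumbered names: restart on order drift? #{order_drift_restarts?(RULES_UNNUMBERED)}"
  puts "numbered names:   restart on order drift? #{order_drift_restarts?(RULES_NUMBERED)}"
  puts render_restore_file(RULES_NUMBERED, RULES_NUMBERED.keys.sort)
end
```

With the unnumbered names the declaration order and the sorted order render different files, so the digest check reports a restart even though no rule was added or removed; with numbered names the two orders coincide and nothing restarts. Beyond the log noise the reporter sees in dmesg, an unintended order change matters in itself: the ESTABLISHED,RELATED rule moving below the others changes which packets are evaluated against which rule first, so pin the order explicitly.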
Just realized that "CB" probably means cookbook :)
You can disable rules using the :delete action.
OK, took out the include_recipe in the CB (it's a thing now!), wiped out the iptables.d directory and added numbered rules. Looking much better, thanks.
On Wed, Jul 9, 2014 at 7:28 PM, Chris Aumann notifications@github.com wrote:
I see iptables dmesg logs every chef run. Even if the rules don't change, it restarts iptables?