search

chr4-cookbooks / iptables-ng

Cookbook to maintain iptables rules and policies on different platforms, respecting the way the os handles these settings.
GNU General Public License v3.0
38 stars 33 forks source link

Loop through IPs listed in an attribute array or hash. #31

Closed Joseph-R closed 9 years ago

Joseph-R commented 9 years ago

Hey Chris,

I'm looking for the best way to create rules for an array or hash of IPs stored in an attribute. So far, it looks like any attempt to loop through this simply overwrites down to the last entry in the array, which is then written to iptables. Example:

From attributes.rb:

"ips": ["10.0.0.0/16",
         "10.0.1.0/16",
         "172.0.0.0/16",
         "172.0.1.0/16"
         ]

From default.rb:

iptables_ng_chain 'FWR' do
  policy 'ACCEPT [0:0]'
end

node['ips'].each do |ip|
  iptables_ng_rule 'Add ips' do
    chain 'FWR'
    rule "-s #{ip} -j ACCEPT"
  end
end

The above code yields one entry for the chain FWR, with the following output:

** [out :: localhost:2222] [2014-10-26T22:14:29-04:00] INFO: file[/etc/iptables.d/filter/FWR/Add ips_v4] not queuing delayed action create on ruby_block[restart_iptables] (delayed), as it's already been queued
** [out :: localhost:2222] [2014-10-26T22:14:29-04:00] INFO: file[/etc/iptables.d/filter/FWR/Add ips_v4] not queuing delayed action create on ruby_block[restart_iptables] (delayed), as it's already been queued

And adds one rule to /etc/sysconfig/iptables (on CentOS 6), that looks like this:

--append FWR -s 172.0.1.0/16 -j ACCEPT

Is there a way around this? Or a better way to structure a list of IPs so that I can add in bulk?

I appreciate any feedback.

chr4 commented 9 years ago

This is actually pretty simple. As stated in the Docs, the rule attribute of the iptables_ng_rule provider also accepts an Array. You can use map to create the desired result:

iptables_ng_rule 'add_ips' do
  chain 'FWR'
  rule ips.map { |ip| "-s #{ip} -j ACCEPT" }

  # As the source specified above is ipv4, this rule cannot be applied to ip6tables.
  # Therefore, setting ip_version to 4
  ip_version 4
end

I should probably add this to the README for future reference. Does this solves your problem?

chr4 commented 9 years ago

Also note, that having whitespace in the name is a bad idea, as it translates into the filename. A future version might automatically escape whitespaces to underscores, but currently that's not the case.

chr4 commented 9 years ago

I added this example to the README. Another note: If you use the --source parameter with ipv4 addresses, you will most likely have to restrict this ruleset to ipv4 only. You can do so using the ip_version 4 attribute. I updated the example to reflect that.

Joseph-R commented 9 years ago

Great, thanks Chris! Really appreciate your responsiveness on this.

iptables_ng_rule 'add_ips' do
  chain 'FWR'
  rule ips.map { |ip| "-s #{ip} -j ACCEPT" }
  ip_version 4
end

This worked great for us, and removing the whitespace from rule names was also a good idea.

Thanks again for your input! I appreciate you updating your docs as well.