Closed aalmenar closed 7 years ago
Thanks for reporting!
iptables_ng_chain 'INPUT' do
policy 'DROP [0:0]'
end
is the correct way of doing it. The recommended way of configuring iptables (incl. policies) is the LWRPs; it's supposed to work the way you are doing it.
Can you provide some more information? Helpful would be the OS/version you're using plus:
sudo tree /etc/iptables.d
Plus the content of the generated iptables rule files; on Debian/Ubuntu they are located in /etc/iptables/rules.*
Sure:
OS: Ubuntu 16.04 (amd64), but the same happens on Debian 8.6 (amd64).
The output of tree /etc/iptables.d:
/etc/iptables.d
|-- filter
| |-- FORWARD
| | `-- default
| |-- INPUT
| | |-- default
| | |-- ssh.rule_v4
| | `-- ssh.rule_v6
| `-- OUTPUT
| `-- default
|-- mangle
| |-- FORWARD
| | `-- default
| |-- INPUT
| | `-- default
| |-- OUTPUT
| | `-- default
| |-- POSTROUTING
| | `-- default
| `-- PREROUTING
| `-- default
|-- nat
| |-- OUTPUT
| | `-- default
| |-- POSTROUTING
| | `-- default
| `-- PREROUTING
| `-- default
`-- raw
|-- OUTPUT
| `-- default
`-- PREROUTING
`-- default
17 directories, 15 files
cat /etc/iptables/rules.v4
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
--append INPUT --protocol tcp --dport 22 -j ACCEPT
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
cat /etc/iptables/rules.v6
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
--append INPUT --protocol tcp --dport 22 -j ACCEPT
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
COMMIT
Downloaded the repo and this test fails:
rake kitchen:lwrp-chain-create-default-ubuntu-1604
# Running tests:
iptables-ng::lwrp_chain_create_default#test_0001_should set default FORWARD policy to DROP = 0.00 s = F
iptables-ng::lwrp_chain_create_default#test_0002_should enable iptables serices = 0.17 s = .
iptables-ng::lwrp_chain_create_default#test_0003_should apply the specified iptables rules = 0.02 s = F
Finished tests in 0.194298s, 15.4402 tests/s, 25.7337 assertions/s.
1) Failure:
iptables-ng::lwrp_chain_create_default#test_0001_should set default FORWARD policy to DROP [/var/chef/minitest/iptables_ng_test/lwrp_chain_create_default_test.rb:7]:
Expected file '/etc/iptables.d/filter/FORWARD/default' to include the specified content
2) Failure:
iptables-ng::lwrp_chain_create_default#test_0003_should apply the specified iptables rules [/var/chef/minitest/iptables_ng_test/lwrp_chain_create_default_test.rb:17]:
Expected "Chain INPUT (policy ACCEPT)\ntarget prot opt source destination \n\nChain FORWARD (policy ACCEPT)\ntarget prot opt source destination \n\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination \n" to include "Chain FORWARD (policy DROP)".
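As an added example (not code from the cookbook or from the reporter's recipe), a small Ruby checker that parses the iptables-save format of the rules.v4/rules.v6 files quoted above and reports built-in chains whose policy differs from the intended one. Only the ":CHAIN POLICY [packets:bytes]" header lines are read; rule lines are ignored, and the expected-policy hash is an assumption of the example.

```ruby
# Added example: check chain policies in an iptables-save style rules file.
# Header line format: ":CHAIN POLICY [packets:bytes]"; user-defined chains
# carry the pseudo-policy "-".
POLICY_LINE = /\A:(\S+)\s+(\S+)\s+\[\d+:\d+\]\s*\z/

# Returns { "filter" => { "INPUT" => "ACCEPT", ... }, "nat" => { ... } }
def chain_policies(rules_text)
  tables = Hash.new { |h, k| h[k] = {} }
  table = nil
  rules_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if line.start_with?('*')
      table = line[1..-1]                  # "*filter" -> "filter"
    elsif (m = POLICY_LINE.match(line))
      raise "policy line before any *table: #{line}" unless table
      tables[table][m[1]] = m[2]
    elsif line == 'COMMIT'
      table = nil                          # end of the current table block
    end
  end
  tables
end

# expected: { "filter" => { "INPUT" => "DROP", ... } } (assumed intended policies)
# Returns "table/CHAIN: expected X, got Y" strings; empty when everything matches.
def policy_mismatches(rules_text, expected)
  actual = chain_policies(rules_text)
  expected.each_with_object([]) do |(table, chains), out|
    chains.each do |chain, want|
      got = actual.fetch(table, {}).fetch(chain, 'missing')
      out << "#{table}/#{chain}: expected #{want}, got #{got}" if got != want
    end
  end
end

# Constructed sample: the filter table from the rules.v4 quoted in the report,
# plus a trimmed nat table.
SAMPLE_RULES = <<~RULES
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  --append INPUT --protocol tcp --dport 22 -j ACCEPT
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  COMMIT
RULES

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_RULES : File.read(ARGV[0])
  policy_mismatches(text, 'filter' => { 'INPUT' => 'DROP', 'FORWARD' => 'DROP' }).each { |m| puts m }
end
```

Run it against /etc/iptables/rules.v4 to see at a glance which built-in chains still carry ACCEPT after a converge.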
Which version of the cookbook are you using? I'm using the exact same policy setting on multiple production machines on xenial using 2.3.1.
The test shouldn't fail; in case you're using current master, that needs to be fixed...
Can you paste the output of cat /etc/iptables.d/filter/INPUT/default?
cat /etc/iptables.d/filter/INPUT/default
ACCEPT [0:0]
The version of the cookbook being used according to berkshelf is: Using iptables-ng (2.3.1)
Also the tests fail; I checked out the repo when I opened this issue and am using master.
The only change was to remove, in .kitchen.yml, all the distros except ubuntu-16.04 and debian-8.4.
I was able to reproduce the issue on one of my machines. I think you spotted something here, will look into it.
I think https://github.com/chr4-cookbooks/iptables-ng/commit/476871e1db5385a7af12cc30776abebf92e646dc#diff-22c9e9950b290a03ab5b3160eea23c9dR55 introduced this. @sspans, can you comment on this? It feels like the policy is not updated correctly since the exception workaround.
The way Chef seems to be going right now (removing resource-cloning), I think we have to die one of the two deaths.
In this specific case, maybe it would be best to force people to run the install recipe, so the default chain folders are created, and then force them to use iptables_ng_chain manually, in case they want to add custom chains, and remove the code creating the chains from the iptables_ng_rule provider.
The problem of finding a unique resource name for 476871e#diff-22c9e9950b290a03ab5b3160eea23c9dR55 persists, though.
One solution (again, hurting convenience) is to remove setting the default policies in the iptables-ng::install recipe, and forcing the users to set them on their own. This is error prone, though, I fear.
Closing this in favor of this pull-request
Hi,
I've been trying to use this cookbook following the documentation. I have in my recipe something like this:
But the default policy of the INPUT chain in the filter table is always ACCEPT. Tried also this:
But no result, even tried this:
But also, no results.
Should policies be configured via attributes and not using LWRPs?
Cheers.
Edit (chr4): Added syntax highlighting