example42 / puppet-iptables

Iptables Puppet Module (for host based firewalling)
http://www.example42.com

No effect on Ubuntu 12.04 #2

Closed jskarpe closed 11 years ago

jskarpe commented 12 years ago

When modifying specific rules on Ubuntu 12.04, it doesn't seem to have any effect. ("iptables -L" output is blank)

No errors reported by the module:

notice: /Stage[main]/Iptables::Concat/Concat::Fragment[iptables_header]/File[/var/lib/puppet/concat/_etc_iptables_rules/fragments/01_iptables_header]/ensure: created
info: /Stage[main]/Iptables::Concat/Concat::Fragment[iptables_header]/File[/var/lib/puppet/concat/_etc_iptables_rules/fragments/01_iptables_header]: Scheduling refresh of Exec[concat_/etc/iptables/rules]
info: Concat::Fragment[iptables_header]: Scheduling refresh of Service[iptables]
notice: /Stage[main]/Iptables::Concat/Concat::Fragment[iptables_filter_footer]/File[/var/lib/puppet/concat/_etc_iptables_rules/fragments/40_iptables_filter_footer]/ensure: created
info: /Stage[main]/Iptables::Concat/Concat::Fragment[iptables_filter_footer]/File[/var/lib/puppet/concat/_etc_iptables_rules/fragments/40_iptables_filter_footer]: Scheduling refresh of Exec[concat_/etc/iptables/rules]
notice: /Stage[main]/Iptables::Concat/Concat[/etc/iptables/rules]/Exec[concat_/etc/iptables/rules]/returns: executed successfully
notice: /Stage[main]/Iptables::Concat/Concat[/etc/iptables/rules]/Exec[concat_/etc/iptables/rules]: Triggered 'refresh' from 14 events
info: Concat[/etc/iptables/rules]: Scheduling refresh of Service[iptables]
info: Concat::Fragment[iptables_filter_footer]: Scheduling refresh of Service[iptables]
notice: /Stage[main]/Iptables/Service[iptables]/ensure: ensure changed 'stopped' to 'running'
notice: /Stage[main]/Iptables/Service[iptables]: Triggered 'refresh' from 15 events

alvagante commented 12 years ago

You should provide more info about your configuration. From what I see, either there's some error in the concatenated iptables file that prevents iptables-restore from loading it, or there's no firewall_tool => 'iptables' option set in the modules for which you want to manage automatic firewalling.

jskarpe commented 12 years ago

Basically I only added firewall => true for the monit module + include iptables

alvagante commented 12 years ago

You should also specify firewall_tool => 'iptables', and you should do that for a module that involves the opening of a port and is a "next gen" one (monit is not).

jskarpe commented 12 years ago

Ah, that explains it!

Guess you're moving away from defaulting this to 'iptables' then :-)

alvagante commented 12 years ago

Actually the firewall_tool setting has no defaults, even if at the moment only "iptables" is supported. Anyway if you want to use site-wide you can set $firewall_tool = 'iptables' as a top scope variable, so that you don't have to rewrite it for every module.

So, for example, in your /etc/puppet/manifests/site.pp (or in an External Node Classifier) you can have:

$monitor = true
$monitor_tool = [ 'puppi' , 'nagios' , 'munin', 'monit' ]
$firewall = false
$firewall_tool = [ 'iptables' ]

and avoid declaring them in every class, so that you can just have class { 'apache': } to have apache installed, monitored and firewalled...

jskarpe commented 12 years ago

I am still struggling with this issue. If I run the restart param: iptables-restore < /etc/iptables/rules (ubuntu 12.04), iptables is populated correctly. However, if I run puppet agent again, all the rules are blanked out as if the input is empty.

I'm guessing this has something to do with the fact that Ubuntu actually creates two iptables/rules: iptables.v4 and iptables.v6 (which are both without any rules by default)

jskarpe commented 12 years ago

What's the supported way of defining multiple netmasks for firewall?

firewall_src => ["10.47.0.0/24", "10.54.0.0/24"]

This syntax simply truncates to a string - any chance to support this, for generating multiple iptables rules?

jskarpe commented 12 years ago

Appears the rules are wiped out on iptables refresh event:

/etc/init.d/iptables-persistent restart
* Loading iptables rules...
*  IPv4...
*  IPv6...

Simply overriding the $config_file (/etc/iptables/rules.v4) solved this for me.

Seems the module needs to separate on IPv4 and IPv6 to properly patch this. Not sure how other distros are handling this though (or even older ubuntu). Although it seems puppet only resolved the ipv4 address for my dns entries, so I guess IPv6 has limited support across the board.

alvagante commented 12 years ago

For firewall_src => ["10.47.0.0/24", "10.54.0.0/24"]: an array for this parameter is not yet supported, sorry.

For ipv4/ipv6 on Ubuntu 12.04, I have to investigate.

empi89 commented 11 years ago

About the "firewall_src => ["10.47.0.0/24", "10.54.0.0/24"]" @Yuav mentioned: I tried to do the same and ran into the string problem too. It would be very nice to have array input supported, from my point of view. I have looked at manifests/rule.pp myself but do not have a clue how to implement it in a nice way. I think the proper way would be to generate multiple fragments within the rule instance.

alvagante commented 11 years ago

This https://github.com/example42/puppet-iptables/commit/df13970afff1e84758b66dcdcbecfb9405e2d2fa should make it possible to use arrays both for the firewall_src and firewall_dest parameters of any Example42 module. I've tested it in various configurations, but more tests and external feedback are definitely needed.

The previous behaviour is currently commented out, in case a rollback is needed.
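An added example, not code from the puppet-iptables module: a Python sketch of the fragment expansion discussed above (one rule line per element of a firewall_src array, as empi89 proposes) combined with the IPv4/IPv6 file split jskarpe hit on Ubuntu 12.04. The function names, the monit port 2812 and the sample networks are assumptions, and the header/footer mirror the `*filter`/`COMMIT` framing that an iptables-restore file needs.

```python
"""Expand a firewall rule whose source may be a string or an array into
iptables-restore lines, sorted into the rules.v4 / rules.v6 files that
iptables-persistent on Ubuntu loads. Sketch only; not the module's own code."""
import ipaddress


def as_list(value):
    """Treat a bare string like a one-element array; None means 'any source'."""
    if value is None:
        return [None]
    if isinstance(value, (list, tuple)):
        return list(value)
    return [value]


def expand_rule(port, proto="tcp", src=None, chain="INPUT", target="ACCEPT"):
    """Return {'v4': [...], 'v6': [...]}: one rule per source, keyed by the
    address family of that source, so nothing is lost when src is an array."""
    lines = {"v4": [], "v6": []}
    for s in as_list(src):
        rule = ["-A", chain]
        if s is None:
            families = ["v4", "v6"]        # unrestricted source: both files
        else:
            net = ipaddress.ip_network(s, strict=False)   # rejects junk input
            families = ["v4" if net.version == 4 else "v6"]
            rule += ["-s", str(net)]
        rule += ["-p", proto, "--dport", str(port), "-j", target]
        for fam in families:
            lines[fam].append(" ".join(rule))
    return lines


def render_rules_file(rules):
    """Wrap rule lines in the header/footer that iptables-restore expects."""
    header = ("*filter\n:INPUT ACCEPT [0:0]\n"
              ":FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n")
    body = "".join(line + "\n" for line in rules)
    return header + body + "COMMIT\n"


if __name__ == "__main__":
    # constructed sample: monit (assumed port 2812) from two office networks
    per_family = expand_rule(2812, src=["10.47.0.0/24", "2001:db8:1::/48"])
    print("rules.v4:\n" + render_rules_file(per_family["v4"]))
    print("rules.v6:\n" + render_rules_file(per_family["v6"]))
```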

alvagante commented 11 years ago

@Yuav Your feedback on this is very welcomed too.