sous-chefs / firewall

Development repository for the firewall cookbook
https://supermarket.chef.io/cookbooks/firewall
Apache License 2.0

iptables nat rule prevents iptables-restore from working #115

Closed richardowen closed 8 years ago

richardowen commented 8 years ago

I'm running on Ubuntu 14.04. I've got my attributes/recipe set up like this:

default['firewall']['ubuntu_iptables'] = true
default['firewall']['iptables']['defaults']['policy']['input'] = 'ACCEPT'

firewall 'default'

firewall_rule 'nat rule' do
  command :masquerade
  dest_interface 'eth0'
  direction :post
  protocol :none
  source '10.10.0.0/24'
end

Unfortunately this doesn't work. I get this in the Chef run:

* service[iptables-persistent] action restart

  ================================================================================
  Error executing action `restart` on resource 'service[iptables-persistent]'
  ================================================================================

  Mixlib::ShellOut::ShellCommandFailed
  ------------------------------------
  Expected process to exit with [0], but received '1'
  ---- Begin output of /etc/init.d/iptables-persistent start ----
  STDOUT: * Loading iptables rules...
   *  IPv4...
   *  IPv6...
     ...fail!
  STDERR:
  ---- End output of /etc/init.d/iptables-persistent start ----
  Ran /etc/init.d/iptables-persistent start returned 1

  Resource Declaration:
  ---------------------
  # In /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb

  113:         service_affected = service 'iptables-persistent' do
  114:           action :nothing
  115:         end
  116:

  Compiled Resource:
  ------------------
  # Declared in /var/chef/cache/cookbooks/firewall/libraries/provider_firewall_iptables_ubuntu.rb:113:in `block (2 levels) in <css:FirewallIptablesUbuntu>'

  service("iptables-persistent") do
    action [:nothing]
    updated true
    supports {:restart=>nil, :reload=>nil, :status=>nil}
    retries 0
    retry_delay 2
    default_guard_interpreter :default
    service_name "iptables-persistent"
    enabled true
    running true
    pattern "iptables-persistent"
    declared_type :service
    cookbook_name "xxx"
  end

In trying to debug this, I tried running iptables-restore on /etc/iptables/rules.v4 and got this:

root@ec2-instance:~# iptables-restore < /etc/iptables/rules.v4
iptables-restore v1.4.21: The -t option (seen in line 10) cannot be used in iptables-restore.

Error occurred at line: 10
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

It seems we can't put rules with -t nat in there.

martinb3 commented 8 years ago

Hi there -- we've documented it in #101, but this cookbook doesn't support chains other than *filter currently. I'd love to see this fixed, but it will likely require some refactoring. I'd be glad to review any PRs that resolve it, though. Thank you for the report!
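The error in the report is a format mismatch rather than a bad rule: iptables-restore does not take the table from a per-rule -t option; a rules file selects each table with a *table header and closes it with COMMIT. The script below is an added example (not code from the firewall cookbook or from either commenter) that shows what a correctly structured /etc/iptables/rules.v4 for the recipe above looks like, and adds a pre-flight check that reports stray -t tokens by line number, the way iptables-restore itself does. The rule list is constructed for the example; the FORWARD, OUTPUT and nat-table policies are assumptions, not cookbook defaults.

```shell
#!/bin/sh
# Added example, not part of the sous-chefs/firewall cookbook.
# Shows the layout iptables-restore expects (one *table block per table,
# each ended by COMMIT, no per-rule -t option) and a pre-flight check that
# reports stray -t tokens by line number, the way iptables-restore does.
# Needs only POSIX sh and awk; nothing here touches the live firewall.

# Constructed rule list for the example: the rules a recipe like the one in
# the issue would emit, with the nat rule carrying the -t option that
# iptables-restore rejects.
RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE'

# render_rules_v4: read "-t <table> ..." / "-A ..." rules on stdin, write an
# iptables-restore file on stdout. Rules without -t go to the filter table.
# Policies: INPUT ACCEPT as set in the issue; the others are assumed ACCEPT.
render_rules_v4() {
  awk '
    {
      table = "filter"
      if ($1 == "-t") { table = $2; sub(/^-t +[^ ]+ +/, "") }
      rules[table] = rules[table] $0 "\n"
    }
    END {
      printf "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n"
      printf "%s", rules["filter"]
      print "COMMIT"
      if ("nat" in rules) {
        printf "*nat\n:PREROUTING ACCEPT [0:0]\n:INPUT ACCEPT [0:0]\n"
        printf ":OUTPUT ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n"
        printf "%s", rules["nat"]
        print "COMMIT"
      }
    }'
}

# check_no_table_flag FILE: exit 0 if no rule line carries a -t token,
# otherwise print each offending line number and exit 1.
check_no_table_flag() {
  awk '
    /^-/ {
      for (i = 1; i <= NF; i++)
        if ($i == "-t") {
          printf "line %d: -t cannot be used in iptables-restore input\n", NR
          bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Stand-alone demo: the broken file fails the check, the rendered one passes.
tmpdir=$(mktemp -d)
printf '%s\n' "$RULES" > "$tmpdir/rules.broken"
printf '%s\n' "$RULES" | render_rules_v4 > "$tmpdir/rules.v4"

echo "# rules.broken:"
check_no_table_flag "$tmpdir/rules.broken" || echo "rejected, as iptables-restore would"
echo "# rules.v4:"
cat "$tmpdir/rules.v4"
check_no_table_flag "$tmpdir/rules.v4" && echo "no -t tokens; ready for iptables-restore"
# On a real host, dry-run before restarting iptables-persistent
# (assumes an iptables-restore build that supports --test):
#   iptables-restore --test < "$tmpdir/rules.v4"
rm -r "$tmpdir"
```

Running the check (or `iptables-restore --test`, where your iptables version supports it) before the service restart turns the init script's opaque "...fail!" into the line-numbered error shown in the issue, which is the first thing to look at when iptables-persistent refuses to start after a Chef run.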