1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
########################
###   Common Rules   ###
########################
# allow vcenter
# allow internal networks to ping
# ssh
# munin
########################
###   Server Rules   ###
########################
<% if File.exist? "/etc/puppet/services/s_firewall/templates/nodes.d/#{fqdn}-rules" -%>
<%   IO.foreach("/etc/puppet/services/s_firewall/templates/nodes.d/#{fqdn}-rules") do |rule| -%>
<%=     rule -%>
<%   end -%>
<% end -%>
########################
### END Server Rules ###
########################
-A INPUT -j LOG --log-prefix "INPUT DROP: "
-P INPUT DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

1
2
3
4
5
6
7

class s_firewall inherits iptables {
  File["iptables"] {
    content => template("s_firewall/iptables"),
    notify => Service["iptables"],
  }
}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

class iptables {
  service { "iptables":
    name       => $operatingsystem ? {
              default => "iptables",
            },
    ensure     => "running",
    enable     => true,
    hasrestart => true,
    restart    => "iptables-restore < /etc/sysconfig/iptables",
    hasstatus  => true,
  }

  file { "iptables":
    mode   => "0600",
    owner  => "root",
    group  => "root",
    ensure => "present",
    path   => $operatingsystem ? {
          default => "/etc/sysconfig/iptables",
        },
  }
}

class iptables::disable inherits iptables {
  Service["iptables"] {
    ensure => "stopped",
    enable => false,
  }
}