iptables template
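# Host firewall rule set, loaded with iptables-restore from /etc/sysconfig/iptables.
# Rendered by Puppet from the s_firewall module; per-node rules are spliced in
# from nodes.d/<fqdn>-rules on the master (see the Server Rules section).
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT
*filter
# Default-deny for inbound and forwarded traffic; outbound is open.
# These policy lines are what iptables-restore uses, so no separate -P is needed.
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# Loopback, plus replies to connections this host already established.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
########################
### Server Rules     ###
########################
<%# fqdn is a node-reported fact, not a trusted one, and it is used here to
    build a path on the master. It is therefore checked against a strict
    hostname pattern before any file is opened, so that a spoofed value such
    as "../../etc/shadow" cannot splice an arbitrary master file into the
    rule set that is sent back to that node. -%>
<% node_rules = "/etc/puppet/services/s_firewall/templates/nodes.d/#{fqdn}-rules" -%>
<% if fqdn.to_s =~ /\A[A-Za-z0-9][A-Za-z0-9.-]*\z/ && File.exist?(node_rules) -%>
<% IO.foreach(node_rules) do |rule| -%>
<%# chomp plus the template's own newline: a rules file without a trailing
    newline would otherwise glue the END banner onto its last rule and break
    iptables-restore. -%>
<%= rule.chomp %>
<% end -%>
<% end -%>
########################
### END Server Rules ###
########################
# Log what the INPUT policy is about to drop. Rate-limited so a packet flood
# cannot fill the kernel log; the :INPUT DROP policy above does the dropping.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "INPUT DROP: "
# NOTE(review): this accepts every forwarded packet except INVALID state, so
# the FORWARD DROP policy is effectively a no-op. Tighten it if this host routes.
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT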
s_firewall module init.pp
# Specialises the base iptables class: the managed rules file becomes this
# module's rendered template, and the service is refreshed whenever it changes.
class s_firewall inherits iptables {
  File['iptables'] {
    notify  => Service['iptables'],
    content => template('s_firewall/iptables'),
  }
}
iptables module init.pp (most of this was originally sourced from elsewhere)
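# Manages the host firewall on RHEL-family systems: the rules file that
# iptables-restore reads and the init service that loads it.
#
# Inheriting classes (s_firewall, iptables::disable) override File['iptables']
# and Service['iptables'] rather than redeclaring them.
class iptables {
  # Rules file consumed by iptables-restore. Root-only (0600): the rule set
  # describes exactly what the host exposes, so it is not world-readable.
  # Content is supplied by the inheriting class; on its own this class only
  # guarantees the file exists.
  file { 'iptables':
    ensure => 'present',
    path   => '/etc/sysconfig/iptables',
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  # A refresh (e.g. from a notify on File['iptables']) reloads the rule set
  # in one pass with iptables-restore instead of stop/start, so the host is
  # not left without rules mid-restart. The binary is fully qualified because
  # this command runs as root and must not depend on a PATH lookup.
  # iptables-restore exits non-zero on a malformed file, which Puppet then
  # reports as a failed refresh.
  service { 'iptables':
    ensure     => 'running',
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    restart    => '/sbin/iptables-restore < /etc/sysconfig/iptables',
  }
}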
# Opt-out variant: same resources as the base class, but the firewall
# service is stopped now and not started at boot.
# NOTE(review): on RHEL-family init scripts, stopping iptables typically
# flushes the live rule set and leaves the host open; use deliberately.
class iptables::disable inherits iptables {
  Service['iptables'] {
    enable => false,
    ensure => 'stopped',
  }
}