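# iptables::snippet -- install one rule fragment under
# /etc/iptables.d/snippets and trigger a rebuild of the live ruleset.
#
# $name    snippet name; also the file name looked up on the fileserver.
# $order   sort-key prefix of the installed file (default '10'). The
#          rebuild script is not shown here; if it concatenates snippets in
#          file-name order, that order is lexical, so keep prefixes
#          zero-padded to one width ('10' sorts before '5').
# $ensure  'present' (default) or 'absent'. 'absent' removes the file and
#          still notifies the rebuild, so the rules leave the ruleset too.
define iptables::snippet ($order = '10', $ensure = 'present') {
    file { "/etc/iptables.d/snippets/${order}-${name}":
        ensure  => $ensure,
        owner   => 'root',
        group   => 'root',
        # Quoted 4-digit octal: an unquoted 600 is an Integer, which newer
        # Puppet rejects and puppet-lint flags. Root-only on purpose: the
        # snippets disclose admin/backup/monitor source addresses and ports.
        mode    => '0600',
        require => File['/etc/iptables.d/snippets'],
        notify  => Exec['rebuildiptables.sh'],
        # Host-specific override first, generic snippet as the fallback.
        # NOTE(review): $fqdn is an agent-supplied fact, so the per-host
        # selection is not authoritative, and any authenticated node can
        # fetch the other hosts' snippets by path -- do not treat them as
        # secrets.
        source  => [ "puppet://puppet/iptables/snippets/${name}.${fqdn}",
                     "puppet://puppet/iptables/snippets/${name}" ],
    }
}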
# Framing snippets: '00' sorts first and '999' last under a lexical sort.
iptables::snippet { 'std-prefix': order => '00' }
iptables::snippet { 'std-suffix': order => '999' }

# Purpose-specific chains go in at '01'; the global jumps that reference
# them go in at '02', presumably so the chains exist before they are
# targeted (the rebuild script is not visible here).
iptables::snippet { [ 'junkfilter',
                      'backup_access',
                      'monitor_access',
                      'admin_access' ]:
    order => '01',
}
iptables::snippet { 'globalrules': order => '02' }
# Keep the distribution iptables service enabled at boot and running now.
# The ruleset itself comes from Exec['rebuildiptables.sh'] (defined
# elsewhere); this resource only guarantees the service state.
service { 'iptables':
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    require    => Package['iptables'],
}
## rule samples -- example contents of the snippet files sourced above, in
## iptables-save syntax. The "global:" and "admin_access:" lines are labels
## for the globalrules and admin_access snippets, not rules. The admin chain
## only ACCEPTs new SSH connections (SYN-only flags, dport 22) from the
## placeholder address a.b.c.d; everything else falls back to INPUT/FORWARD.
## NOTE(review): the global rules jump to "junk_filter" while the snippet
## declared above is named "junkfilter" -- confirm the chain created in that
## snippet uses the same spelling, or iptables-restore will reject the jump.
global:
-I INPUT 1 -j admin_access
-I INPUT 2 -j junk_filter
-I INPUT 3 -j backup_access
-I INPUT 4 -j monitor_access
-I FORWARD 1 -j admin_access
-I FORWARD 2 -j junk_filter
-I FORWARD 3 -j backup_access
-I FORWARD 4 -j monitor_access
admin_access:
:admin_access - [0:0]
-A admin_access -s a.b.c.d -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT