Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.22.1 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'simp-iptables', '6.6.0'
Overview
This module provides native types for managing the system IPTables and IP6Tables as well as convenience defines and general system configuration capabilities.
The ability to use this module to automatically shim through to firewalld is optionally supported for legacy systems and modules that are working on migrating to firewalld support.
This is a SIMP module
This module is a component of the System Integrity Management Platform, a compliance-management framework built on Puppet.
Most SIMP modules actively take advantage of this module when used within the SIMP ecosystem.
Module Description
The iptables module manages all IPTables and IP6Tables rules in an atomic fashion. All rules are applied only once per puppet agent run, during the application of the last executed iptables resource.
Applying the rules in this manner ensures that you avoid situations where you have a partially applied IPTables rule set when your puppet run fails part-way through (someone hits ^C, your system runs out of memory, etc...).
The module also takes additional safety measures to attempt to keep your firewall rules in a consistent state over time, including:
- Rolling back to the last configuration if the application of the new configuration fails
- Rolling back to an 'ssh-only' mode if application of all configurations fail
The goal is to remain in a state where you can be sure that your system is tightly restricted but also able to be recovered.
Finally, the module works to ensure that services such as OpenStack, Docker, VirtualBox, etc... can apply their rules without being affected by this module. The module provides mechanisms to preserve these rules as managed by external systems based on regular expression matches.
Setup
What iptables affects
The module manages the iptables package, service, and rules.
On systems containing the firewalld service, it is ensured to be stopped unless iptables::use_firewalld is set to true.
Beginning with iptables
I want a basic secure iptables setup
A basic setup with iptables will allow the following:
- ICMP
- Loopback
- SSH
- Established and Related traffic (Return Traffic)
# Set up iptables with the default settings
include 'iptables'
Output (to /etc/sysconfig/iptables):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
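As an added check (not part of the module), the following Python parses the /etc/sysconfig/iptables output shown above and verifies the baseline it promises (default-DROP INPUT/FORWARD, traffic funnelled through LOCAL-INPUT, a return-traffic ACCEPT, and a closing LOG then DROP), and lists every port accepted without a source restriction. The sample ruleset is constructed from that output plus one hypothetical listener opened to 'any' (no -s clause) and one restricted to a single host.

```python
"""Audit a ruleset in the iptables-save format that the simp-iptables module
writes to /etc/sysconfig/iptables, against the README's default baseline."""
import re

# Constructed sample: the README's default ruleset plus two hypothetical
# listeners, one with trusted_nets => ['any'] (no -s) and one host-restricted.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 10.10.45.100 --dport 1024:60000 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
"""

_DPORT = re.compile(r'--dports? (\S+)')


def parse_iptables_save(text):
    """Return {table: {'policy': {chain: policy}, 'rules': {chain: [rule, ...]}}}.
    User-defined chains carry the policy '-' exactly as iptables-save prints it."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):                    # '*filter' opens a table
            table = line[1:]
            tables[table] = {'policy': {}, 'rules': {}}
        elif line == 'COMMIT':                      # closes the current table
            table = None
        elif table is None:
            raise ValueError(f'rule outside a table: {line}')
        elif line.startswith(':'):                  # ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            tables[table]['policy'][chain] = policy
            tables[table]['rules'].setdefault(chain, [])
        elif line.startswith('-A '):                # '-A CHAIN <matches> -j TARGET'
            chain = line.split()[1]
            tables[table]['rules'].setdefault(chain, []).append(line)
        else:
            raise ValueError(f'unrecognised line: {line}')
    return tables


def unrestricted_accepts(rules):
    """Destination ports accepted by rules without a -s source clause, i.e.
    reachable from any address (what trusted_nets => ['any'] produces)."""
    ports = []
    for rule in rules:
        if not rule.endswith('-j ACCEPT') or ' -s ' in rule:
            continue
        match = _DPORT.search(rule)
        if match:
            ports.append(match.group(1))
    return ports


def audit_filter_table(text):
    """Return a list of findings; an empty list means the baseline holds."""
    tables = parse_iptables_save(text)
    filt = tables.get('filter')
    if filt is None:
        return ['no *filter table present']
    findings = []
    for chain in ('INPUT', 'FORWARD'):
        policy = filt['policy'].get(chain)
        if policy != 'DROP':
            findings.append(f'{chain} policy is {policy}, expected DROP')
        jumps = filt['rules'].get(chain, [])
        if not jumps or jumps[0] != f'-A {chain} -j LOCAL-INPUT':
            findings.append(f'{chain} does not jump to LOCAL-INPUT first')
    local = filt['rules'].get('LOCAL-INPUT', [])
    if not any('--state ESTABLISHED,RELATED' in r and r.endswith('-j ACCEPT')
               for r in local):
        findings.append('no ESTABLISHED,RELATED ACCEPT: return traffic is dropped')
    if len(local) < 2 or not local[-1].endswith('-j DROP') or ' -j LOG' not in local[-2]:
        findings.append('LOCAL-INPUT must end with a LOG rule followed by DROP')
    for port in unrestricted_accepts(local):
        findings.append(f'port {port} accepted from any source')
    return findings


if __name__ == '__main__':
    for finding in audit_filter_table(SAMPLE_RULESET) or ['baseline OK']:
        print(finding)
```

Run it against the real file with `audit_filter_table(open('/etc/sysconfig/iptables').read())` after a puppet run; any finding other than the intentionally world-reachable ports means the applied ruleset drifted from the baseline.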
Usage
I want to open a specific port or allow access
The iptables module has a set of defined types for adding in new firewall rules.
# Open TCP port 443 (HTTPS) and a custom 8443 from any IP address
iptables::listen::tcp_stateful { 'webserver':
  trusted_nets => ['any'],
  dports       => [ 443, 8443 ]
}
# Open UDP port 53 (DNS) from two specific IP addresses
iptables::listen::udp { 'DNS':
  trusted_nets => ['192.168.56.55','192.168.56.147'],
  dports       => [ 53 ]
}
# Allow a specific machine full access to this node
iptables::listen::all { 'Central Management':
  trusted_nets => ['10.10.35.100'],
}
# Allow a range of ports to be accessible from a specific IP
iptables::listen::tcp_stateful { 'myapp':
  trusted_nets => ['10.10.45.100'],
  dports       => ['1024:60000']
}
This module doesn't cover my specific iptables rule
In the case you need a rule not covered properly by the module, you can use the iptables::rule defined type to place the exact rule into /etc/sysconfig/iptables.
# Inserts a custom rule into IPTables (the rule must be on a single line: a
# backslash inside a single-quoted Puppet string is not a line continuation)
iptables::rule { 'example':
  content => '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'
}
Firewalld Mode
This module has preliminary support for acting as a pass-through to various firewalld capabilities using the simp/simp_firewalld module.
Using any of the iptables::listen::* defined types will work seamlessly in firewalld mode, but direct calls to iptables::rule will emit a warning letting the user know that they must switch over to simp_firewalld::rule.
Additionally, calls to any of the native types included in this module result in undefined behavior in firewalld mode and are not advised.
Enabling Firewalld Mode
To enable firewalld mode on supported operating systems, simply set iptables::use_firewalld to true via Hiera.
NOTE: EL 8 systems enable firewalld mode by default.
Reference
See REFERENCE.md
Limitations
- IPv6 support has not been fully tested, use with caution
- firewalld must be disabled if using iptables. The module will disable firewalld if it is present and the module is not in firewalld compatibility mode.
- This module is intended to be used on a Red Hat Enterprise Linux-compatible distribution such as EL6 and EL7. However, any distribution that uses the /etc/sysconfig/iptables configuration should function properly (let us know!).
Development
Please read our Contribution Guide.
Acceptance tests
To run the system tests, you need Vagrant installed. Then, run:
bundle exec rake beaker:suites
Some environment variables may be useful:
BEAKER_debug=true
BEAKER_provision=no
BEAKER_destroy=no
BEAKER_use_fixtures_dir_for_modules=yes
- BEAKER_debug: show the commands being run on the STU and their output.
- BEAKER_destroy=no: prevent the machine destruction after the tests finish so you can inspect the state.
- BEAKER_provision=no: prevent the machine from being recreated. This can save a lot of time while you're writing the tests.
- BEAKER_use_fixtures_dir_for_modules=yes: cause all module dependencies to be loaded from the spec/fixtures/modules directory, based on the contents of .fixtures.yml. The contents of this directory are usually populated by bundle exec rake spec_prep. This can be used to run acceptance tests on isolated networks.
Reference
Table of Contents
Classes
- iptables: Manage iptables with default rule optimization and a failsafe fallback mode
- iptables::install: NOTE: THIS IS A PRIVATE CLASS. Install the IPTables and IP6Tables components
- iptables::rules::base: NOTE: THIS IS A PRIVATE CLASS. Set up the basic iptables rules pertinent to system security
- iptables::rules::default_drop: NOTE: THIS IS A PRIVATE CLASS. Manage the default policy settings of the built in chains
- iptables::rules::mod_recent: A wrapper for managing the xt_recent portion of iptables settings. It is mainly meant to be a helper class but can be used alone if required.
- iptables::rules::prevent_localhost_spoofing: Add rules that prevent external parties from being able to send spoofed packets to your system from ::1. The sysctl setting for rp_filter handles this for IPv4
- iptables::rules::scanblock: Provide a method for setting up an iptables electric fence. Any host that makes it past all of your allow rules will be added to the ban list
- iptables::service: Manage the IPTables and IP6Tables services
Defined types
- iptables::listen::all: Allow all protocols to all ports from a select set of networks
- iptables::listen::icmp: This provides a simple way to allow ICMP ports into the system.
- iptables::listen::tcp_stateful: Allow access to specific ports from specific hosts or networks
- iptables::listen::udp: Expose UDP ports to a set of hosts
- iptables::ports: A define to allow for the standardization of the iptables::ports syntax across modules
- iptables::rule: Add rules to the IPTables configuration file
Resource types
- ip6tables_optimize: A name variable, doesn't really do anything
- iptables_default_policy: Manage the default policy on iptables tables built-in chains
- iptables_optimize: The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.
- iptables_rule: Authoritatively manage iptables rules. This type is atomic: either all rules work, or the old rules are preserved.
- xt_recent: Sets the various options on the running xt_recent kernel module. If the module needs to be loaded, attempts to load the module.
Functions
- iptables::slice_ports: Split a stringified Iptables::DestPort into an Array that contains groupings of max_length size.
- iptables::use_firewalld: Returns true if the client can/should use firewalld
Data types
- Iptables::ApplyTo: Valid families to which rules should apply
- Iptables::DestPort: An iptables_rule compatible port range or Array
- Iptables::PortRange: An iptables-compatible Port Range
Classes
iptables
It is highly recommended that you place this module in firewalld mode if the underlying system supports it. You can do this by setting iptables::use_firewalld: true in Hiera.
This class will detect conflicts with the SIMP option simp_options::firewall and, if necessary, cease management of IPTables in the case of a conflict.
In particular, this means that if simp_options::firewall is false, but you have included this class, it will refuse to manage IPTables and will instead raise a warning.
If the simp_options::firewall variable is not present, the module will manage IPTables as expected.
Parameters
The following parameters are available in the iptables class:
- enable
- use_firewalld
- ensure
- ipv6
- class_debug
- optimize_rules
- precise_match
- ignore
- default_rules
- scanblock
- prevent_localhost_spoofing
- ports
enable
Data type: Variant[Enum['ignore','firewalld'],Boolean]
Enable IPTables
- If set to true, will enable management of IPTables
- If set to false, will disable IPTables completely
- If set to ignore, will stop managing IPTables
Default value: simplib::lookup('simp_options::firewall', { 'default_value' => true })
use_firewalld
Data type: Boolean
Explicitly enable management via simp_firewalld
- Systems that do not have firewalld installed will fall back to iptables
Default value: iptables::use_firewalld($enable)
ensure
Data type: String
The state that the package resources should target
- May take any value acceptable to the native package resource ensure parameter
Default value: simplib::lookup('simp_options::package_ensure', { 'default_value' => 'installed' })
ipv6
Data type: Boolean
Also manage IP6Tables
Default value: true
class_debug
Data type: Boolean
Print messages regarding rule comparisons
Default value: false
optimize_rules
Data type: Boolean
Run the inbuilt iptables rule optimizer to collapse the rules down to as small as is reasonably possible without reordering
- IPSets have been incorporated via the firewalld module
Default value: true
precise_match
Data type: Boolean
Instead of matching rule counts, perform a more precise match against the running and to-be-applied rules. You may find that minor changes, such as a simple netmask change, will not be enforced without enabling this option.
- NOTE: You MUST use the exact same syntax that will be returned by iptables-save and ip6tables-save if you use this option!
- For example, you cannot write echo-request for an ICMP echo match, you must instead use 8.
Default value: false
ignore
Data type: Array[String[1]]
Regular expressions that you would like to match in order to preserve running rules
- This modifies the behavior of the iptables_optimize type.
- Do not include the beginning and ending / but do include an end or beginning of word marker (^ and/or $) if appropriate
Default value: []
default_rules
Data type: Boolean
Enable the usual set of default deny rules that you would expect to see on most systems
- Uses the following expectations of rule ordering (not enforced):
  - 1 -> ESTABLISHED and RELATED rules
  - 2-5 -> Standard ACCEPT and DENY rules
  - 6-10 -> JUMP to other rule sets
  - 11-20 -> Pure ACCEPT rules
  - 22-30 -> LOG and REJECT rules
Default value: true
scanblock
Data type: Boolean
Enable a technique for setting up port-based triggers that will block anyone connecting to the system for an hour after connection to a forbidden port
Default value: false
prevent_localhost_spoofing
Data type: Boolean
Add rules to PREROUTING that will prevent spoofed packets from localhost addresses from reaching your system
Default value: true
ports
Data type: Optional[Hash]
A hash with structure as defined below that will open ports based on the structure of the hash.
Example: an example section of hieradata:
iptables::ports:
  defaults:
    apply_to: ipv4
  80:
  53:
    proto: udp
  443:
    apply_to: ipv6
Default value: undef
iptables::install
NOTE: THIS IS A PRIVATE CLASS
Install the IPTables and IP6Tables components
This also installs fallback startup scripts that come into play should the regular processes fail to start due to a race condition with DNS.
iptables::rules::base
NOTE: THIS IS A PRIVATE CLASS
Set up the basic iptables rules pertinent to system security
The rules defined in here follow the following suggestion:
- 1 -> ESTABLISHED,RELATED rules.
- 2-5 -> Standard ACCEPT/DENY rules.
- 6-10 -> Jumps to other rule sets.
- 11-20 -> Pure accept rules.
- 22-30 -> Logging and rejection rules.
Parameters
The following parameters are available in the iptables::rules::base
class:
allow_ping
Data type: Boolean
Allow ICMP type 8 (ping) packets into the host
- This is enabled by default for RFC 1122 compliance
@see https://tools.ietf.org/html/rfc1122#page-42 RFC 1122 Section 3.2.2.6
Default value: true
drop_broadcast
Data type: Boolean
Drop all broadcast traffic to this host
Default value: true
drop_loopback
Data type: Boolean
Drop all loopback traffic to this host
@see https://tools.ietf.org/html/rfc1122#page-31 RFC 1122 Section 3.2.1.3(g)
Default value: true
drop_multicast
Data type: Boolean
Drop all multicast traffic to this host
Default value: true
force_local_input
Data type: Boolean
Require that all traffic traverse the LOCAL-INPUT chain
- If set to false, will put LOCAL-INPUT at the bottom of the INPUT traversal stack so that other chains may easily be added above.
Default value: true
iptables::rules::default_drop
NOTE: THIS IS A PRIVATE CLASS
Manage the default policy settings of the built in chains.
Given that there is a well-defined, and limited, set of built-in chains this class fully enumerates the combinations to maximize readability.
- Setting any parameter to true will activate the DROP condition.
- Setting any parameter to false will activate the ACCEPT condition.
- Leaving a parameter unset will not change the state of the system.
NOTE: If you need different settings for IPv6 and IPv4 then you will need to create your own resources
Parameters
The following parameters are available in the iptables::rules::default_drop
class:
filter_input
Data type: Optional[Boolean]
Default value: undef
filter_forward
Data type: Optional[Boolean]
Default value: undef
filter_output
Data type: Optional[Boolean]
Default value: undef
iptables::rules::mod_recent
A wrapper for managing the xt_recent portion of iptables settings
It is mainly meant to be a helper class but can be used alone if required.
Parameters
The following parameters are available in the iptables::rules::mod_recent
class:
notify_iptables
Data type: Boolean
Notify the IPTables service when complete
Default value: true
ip_list_tot
Data type: Integer[0]
The number of addresses remembered per table
- This effectively becomes the maximum size of your ban list
- Be aware that more addresses means more load on your system
Default value: 200
ip_pkt_list_tot
Data type: Integer[0]
The number of packets per address remembered
Default value: 20
ip_list_hash_size
Data type: Integer[0]
Hash table size
- 0 means to calculate it based on ip_list_tot
Default value: 0
ip_list_perms
Data type: String
Permissions for /proc/net/xt_recent/* files
Default value: '0640'
ip_list_uid
Data type: Integer[0]
Numerical UID for ownership of /proc/net/xt_recent/* files
Default value: 0
ip_list_gid
Data type: Integer[0]
Numerical GID for ownership of /proc/net/xt_recent/* files
Default value: 0
iptables::rules::prevent_localhost_spoofing
Add rules that prevent external parties from being able to send spoofed packets to your system from ::1
The sysctl setting for rp_filter handles this for IPv4
iptables::rules::scanblock
Provide a method for setting up an iptables electric fence
Any host that makes it past all of your allow rules will be added to the ban list.
WARNING
If you enable this, be sure to enable your IPTables rules prior to connecting with a client or you're likely to completely deny your internal hosts.
WARNING
NOTE: Changing any of the ip_* variables will cause the iptables service to be triggered. This is because the variables cannot take effect until the iptables rules are reset.
Management
Details on managing xt_recent can be found in iptables(8). The following are just some useful commands.
- Add address to list: echo +addr >/proc/net/xt_recent/LIST_NAME
- Remove address from list: echo -addr >/proc/net/xt_recent/LIST_NAME
- Remove all addresses from list: echo / >/proc/net/xt_recent/LIST_NAME
See also
- Limiting Brute Force Attacks with IPTables: http://www.thatsgeeky.com/2011/01/limiting-brute-force-attacks-with-iptables/
Parameters
The following parameters are available in the iptables::rules::scanblock class:
- enable
- seconds
- hitcount
- set_rttl
- update_interval
- logs_per_minute
- ip_list_tot
- ip_pkt_list_tot
- ip_list_hash_size
- ip_list_perms
- ip_list_uid
- ip_list_gid
enable
Data type: Boolean
Enable or disable scan blocking
Default value: true
seconds
Data type: Integer[0]
Connections from attackers must happen within this number of seconds to be considered an attack
- Directly relates to hitcount to log and block attackers
Default value: 60
hitcount
Data type: Integer[0]
The number of hits that must happen within 'seconds' to be considered an attack
Default value: 2
set_rttl
Data type: Boolean
Set this if you worry about having external parties DoS your system by spoofing their IP addresses
Default value: false
update_interval
Data type: Integer[0]
Block attackers for this long (in seconds)
- Connecting systems must not connect for at least this long prior to being allowed to reconnect
Default value: 3600
logs_per_minute
Data type: Integer[0]
How many logs to send given logs_per_minute connections per minute
- This is mainly so that you don't end up overrunning your log services
Default value: 5
ip_list_tot
Data type: Integer[0]
The number of addresses remembered per table
- This effectively becomes the maximum size of your block list
- NOTE: Be aware that more addresses means more load on your system
Default value: 200
ip_pkt_list_tot
Data type: Integer[0]
The number of packets per address remembered
Default value: 20
ip_list_hash_size
Data type: Integer[0]
Hash table size
- 0 means to calculate it based on ip_list_tot
Default value: 0
ip_list_perms
Data type: String
Permissions for /proc/net/xt_recent/*
files
Default value: '0640'
ip_list_uid
Data type: Integer[0]
Numerical UID for ownership of /proc/net/xt_recent/* files
Default value: 0
ip_list_gid
Data type: Integer[0]
Numerical GID for ownership of /proc/net/xt_recent/* files
Default value: 0
iptables::service
Manage the IPTables and IP6Tables services
Parameters
The following parameters are available in the iptables::service
class:
enable
Data type: Any
Enable IPTables
- If set to false, will disable IPTables completely
- If set to ignore, will stop managing IPTables
Default value: pick(getvar('iptables::enable'),true)
ipv6
Data type: Any
Also manage IP6Tables
Default value: pick(getvar('iptables::ipv6'),true)
Defined types
iptables::listen::all
Allow all protocols to all ports from a select set of networks
Examples
Open Access to Hosts 1.2.3.4 and 5.6.7.8
iptables::listen::all { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
}
Result
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -s 1.2.3.4 -j ACCEPT
-A LOCAL-INPUT -s 5.6.7.8 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
Parameters
The following parameters are available in the iptables::listen::all
defined type:
first
Data type: Boolean
Prepend this rule to the rule set
Default value: false
absolute
Data type: Boolean
Make sure that this rule is absolutely first, or last, depending on the setting of first
- If first is true, this rule will be at the top of the list
- If first is false, this rule will be at the bottom of the list
- For all absolute rules, alphabetical sorting still takes place
Default value: false
order
Data type: Integer[0]
The order in which the rule should appear
- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules
Default value: 11
apply_to
Data type: Iptables::ApplyTo
The IPTables network type to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, will not pick all
Default value: 'auto'
trusted_nets
Data type: Simplib::Netlist
Client networks that should be allowed
Set to any to allow all networks
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
iptables::listen::icmp
This provides a simple way to allow ICMP ports into the system.
See also: iptables(8)
Examples
Allow ping from 1.2.3.4 and 5.6.7.8
iptables::listen::icmp { "example":
  trusted_nets => [ "1.2.3.4", "5.6.7.8" ],
  icmp_type    => '8'
}
Result
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -p icmp -s 1.2.3.4 --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -p icmp -s 5.6.7.8 --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
Parameters
The following parameters are available in the iptables::listen::icmp
defined type:
icmp_types
Data type: Variant[Array[String],String]
The iptables-compatible ICMP types that should be allowed
- You can list the ICMP types with iptables -p icmp -h
- Set to any to allow all ICMP types
first
Data type: Boolean
Prepend this rule to the rule set
Default value: false
absolute
Data type: Boolean
Make sure that this rule is absolutely first, or last, depending on the setting of first
- If first is true, this rule will be at the top of the list
- If first is false, this rule will be at the bottom of the list
- For all absolute rules, alphabetical sorting still takes place
Default value: false
order
Data type: Integer[0]
The order in which the rule should appear
- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules
Default value: 11
apply_to
Data type: Iptables::ApplyTo
The IPTables network type to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, will not pick all
Default value: 'auto'
trusted_nets
Data type: Simplib::Netlist
Client networks that should be allowed
Set to any to allow all networks
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
iptables::listen::tcp_stateful
Allow access to specific ports from specific hosts or networks
Examples
Provide Access to Specific Ports
iptables::listen::tcp_stateful { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
  dports       => [ 5, '1024:65535' ]
}
Result
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 5 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 5.6.7.8 --dport 5 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 5.6.7.8 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
Parameters
The following parameters are available in the iptables::listen::tcp_stateful
defined type:
dports
Data type: Iptables::DestPort
The ports that you want to expose
first
Data type: Boolean
Prepend this rule to the rule set
Default value: false
absolute
Data type: Boolean
Make sure that this rule is absolutely first, or last, depending on the setting of first
- If first is true, this rule will be at the top of the list
- If first is false, this rule will be at the bottom of the list
- For all absolute rules, alphabetical sorting still takes place
Default value: false
order
Data type: Integer[0]
The order in which the rule should appear
- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules
Default value: 11
apply_to
Data type: Iptables::ApplyTo
The IPTables network type to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, will not pick all
Default value: 'auto'
trusted_nets
Data type: Simplib::Netlist
Client networks that should be allowed
Set to any to allow all networks
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
iptables::listen::udp
Expose UDP ports to a set of hosts
Examples
Allow UDP Access to 1.2.3.4 and 5.6.7.8
iptables::listen::udp { 'example':
  trusted_nets => [ '1.2.3.4', '5.6.7.8' ],
  dports       => [ 5, '1024:65535' ]
}
Result
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -p udp -s 1.2.3.4 --dport 5 -j ACCEPT
-A LOCAL-INPUT -p udp -s 5.6.7.8 --dport 5 -j ACCEPT
-A LOCAL-INPUT -p udp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -p udp -s 5.6.7.8 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
Parameters
The following parameters are available in the iptables::listen::udp
defined type:
dports
Data type: Iptables::DestPort
The ports that you want to expose
first
Data type: Boolean
Prepend this rule to the rule set
Default value: false
absolute
Data type: Boolean
Make sure that this rule is absolutely first, or last, depending on the setting of first
- If first is true, this rule will be at the top of the list
- If first is false, this rule will be at the bottom of the list
- For all absolute rules, alphabetical sorting still takes place
Default value: false
order
Data type: Integer[0]
The order in which the rule should appear
- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules
Default value: 11
apply_to
Data type: Iptables::ApplyTo
The IPTables network type to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, will not pick all
Default value: 'auto'
trusted_nets
Data type: Simplib::Netlist
Client networks that should be allowed
Set to any to allow all networks
Default value: simplib::lookup('simp_options::trusted_nets', { 'default_value' => ['127.0.0.1'] })
iptables::ports
A define to allow for the standardization of the iptables::ports syntax across modules
Parameters
The following parameters are available in the iptables::ports
defined type:
ports
Data type: Hash
A hash with structure as defined below that will open ports based on the structure of the hash.
Example: an example section of hieradata:
iptables::ports:
  defaults:
    apply_to: ipv4
  80:
  53:
    proto: udp
  443:
    apply_to: ipv6
  514:
    proto:
      - udp
      - tcp
iptables::rule
Add rules to the IPTables configuration file
Result:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT
Examples
Add a TCP Allow Rule
iptables::rule { 'example':
  content => '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'
}
Parameters
The following parameters are available in the iptables::rule
defined type:
content
Data type: String
The exact content of the rule that should be added
table
Data type: String
The name of the table you are adding to
- Usual names include (but are not limited to):
  - filter
  - mangle
  - nat
  - raw
  - security
Default value: 'filter'
first
Data type: Boolean
Prepend this rule to the rule set
Default value: false
absolute
Data type: Boolean
Make sure that this rule is absolutely first, or last, depending on the setting of first
- If first is true, this rule will be at the top of the list
- If first is false, this rule will be at the bottom of the list
- For all absolute rules, alphabetical sorting still takes place
Default value: false
order
Data type: Integer[0]
The order in which the rule should appear
- 1 is the minimum and 9999999 is the maximum
- The following ordering ranges are suggested (but not enforced):
  - 1 -> ESTABLISHED,RELATED rules
  - 2-5 -> Standard ACCEPT/DENY rules
  - 6-10 -> Jumps to other rule sets
  - 11-20 -> Pure accept rules
  - 22-30 -> Logging and rejection rules
Default value: 11
header
Data type: Boolean
Automatically add the line header -A LOCAL-INPUT
Default value: true
apply_to
Data type: Iptables::ApplyTo
The IPTables network type to which to apply this rule
- ipv4 -> iptables
- ipv6 -> ip6tables
- all -> Both
- auto -> Try to figure it out from the rule, will not pick all
Default value: 'auto'
Resource types
ip6tables_optimize
A name variable, doesn't really do anything
Properties
The following properties are available in the ip6tables_optimize
type.
optimize
Valid values: true, false
Whether or not to optimize
Default value: true
Parameters
The following parameters are available in the ip6tables_optimize
type.
disable
Valid values: true, false
This is a way to authoritatively disable the application of the iptables module.
Default value: false
ignore
Ignore all running iptables rules matching one or more provided Ruby regexes. The regexes are compared against the jump and chain options, as well as the interface name, of the running rules, and matching rules are excluded from the synchronization comparison against the new rules.
!!Do not include the beginning and ending slashes in your regular expressions.!!
NOTE: If a rule has been added or removed, this setting is ignored and ip6tables will be restarted! If you have services which are affected by this, make sure that they subscribe to Service['ip6tables'] and/or Service['ip6tables'] as appropriate.
Examples:
Preserve all rules whose chain begins with the word 'foo'
ignore => '^foo'
Preserve all rules whose chain begins with the word 'foo' or
ends with the word 'bar'
ignore => ['^foo','bar$']
name
namevar
A name variable, doesn't really do anything
precise_match
Valid values: true, false
Instead of matching rule counts, perform a more precise match against the running and to-be-applied rules. You may find that minor changes, such as a simple netmask change will not be enforced without enabling this option.
This is enabled by default because it is a more correct approach.
- NOTE: You MUST use the exact same syntax that will be returned by ip6tables-save if you enable this option!
- For example, you cannot write echo-request for an ICMP echo match; you must instead use 8.
Default value: true
provider
The specific backend to use for this ip6tables_optimize
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
iptables_default_policy
Manage the default policy on iptables tables built-in chains
Properties
The following properties are available in the iptables_default_policy
type.
policy
Valid values: ACCEPT, DROP, accept, drop
The IPTables JUMP policy to apply
Default value: DROP
Parameters
The following parameters are available in the iptables_default_policy
type.
apply_to
Valid values: ipv4, ipv6, all
What version(s) of iptables to which to apply this rule. 'all' is equivalent to ['ipv4', 'ipv6'] as appropriate.
Default value: all
chain
namevar
The targeted chain
name
A name of the form : to which the resource will be applied
provider
The specific backend to use for this iptables_default_policy
resource. You will seldom need to specify this --- Puppet
will usually discover the appropriate provider for your platform.
table
namevar
The table that the chain belongs to
iptables_optimize
The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.
Properties
The following properties are available in the iptables_optimize
type.
optimize
Valid values: true, false
Whether or not to optimize
Default value: true
Parameters
The following parameters are available in the iptables_optimize
type.
disable
Valid values: true, false
This is a way to authoritatively disable the application of the iptables module.
Default value: false
ignore
Ignore all running iptables rules matching one or more provided Ruby regexes. Each regex is compared against the jump target, the chain, and the interface name of every running rule; matching rules are excluded from the synchronization comparison against the new rules.
!!Do not include the beginning and ending slashes in your regular expressions.!!
NOTE: If a rule has been added or removed, this setting is ignored and iptables will be restarted! If you have services which are affected by this, make sure that they subscribe to Service['iptables'] and/or Service['ip6tables'] as appropriate.
Examples:
Preserve all rules whose jump or chain begins with the word 'foo'
ignore => '^foo'
Preserve all rules whose jump or chain begins with the word 'foo' or
ends with the word 'bar'
ignore => ['^foo','bar$']
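The following is an added example, not code from the simp-iptables module, that serves the ignore parameter of both ip6tables_optimize and iptables_optimize above. It previews which running rules a given ignore list would shield from the synchronization comparison, using the matching model the text describes: every regex, written without surrounding slashes, is tested against the chain, the jump target and the interface names of each running rule. The iptables-save output is constructed for the example, and the module's own provider may differ in detail.

```ruby
# Added illustrative example (not code from the simp-iptables module):
# preview which running rules an `ignore` list would shield from the
# synchronisation comparison. The matching model follows the documented
# behaviour: each regex, given without surrounding slashes, is tested
# against the chain, the jump target and the interface names of every
# running rule. The module's own provider may differ in detail.

# Constructed sample of `iptables-save` output (not captured from a real
# host), including the kind of rules Docker inserts on its own.
SAMPLE_IPTABLES_SAVE = <<~RULES
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  :LOCAL-INPUT - [0:0]
  :DOCKER - [0:0]
  :DOCKER-USER - [0:0]
  -A INPUT -j LOCAL-INPUT
  -A FORWARD -j DOCKER-USER
  -A FORWARD -o docker0 -j DOCKER
  -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
  -A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  -A LOCAL-INPUT -i lo -j ACCEPT
  -A LOCAL-INPUT -p tcp -m tcp --dport 22 -j ACCEPT
  -A LOCAL-INPUT -j LOG --log-prefix "IPT:"
  -A LOCAL-INPUT -j DROP
  -A DOCKER-USER -j RETURN
  COMMIT
RULES

# Turn each `-A <chain> ...` line into a hash carrying the attributes the
# ignore regexes are matched against: chain, jump target and interfaces.
def parse_rules(save_output)
  save_output.each_line.map(&:strip).select { |l| l.start_with?('-A ') }.map do |line|
    tokens = line.split(/\s+/)
    jump_idx = tokens.index('-j')
    ifaces = tokens.each_index
                   .select { |i| %w[-i -o].include?(tokens[i]) }
                   .map { |i| tokens[i + 1] }
    {
      line:   line,
      chain:  tokens[1],
      jump:   jump_idx ? tokens[jump_idx + 1] : nil,
      ifaces: ifaces,
    }
  end
end

# Split running rules into [preserved, compared]. `ignore` is a String or
# an Array of Strings, exactly as handed to iptables_optimize.
def partition_rules(rules, ignore)
  regexes = Array(ignore).map { |pattern| Regexp.new(pattern) }
  rules.partition do |rule|
    fields = [rule[:chain], rule[:jump], *rule[:ifaces]].compact
    regexes.any? { |re| fields.any? { |f| re.match?(f) } }
  end
end

if $PROGRAM_NAME == __FILE__
  preserved, compared = partition_rules(parse_rules(SAMPLE_IPTABLES_SAVE),
                                        ['^DOCKER', 'docker0'])
  puts 'Preserved by ignore (left out of the comparison):'
  preserved.each { |r| puts "  #{r[:line]}" }
  puts 'Compared against the Puppet-managed rule set:'
  compared.each { |r| puts "  #{r[:line]}" }
end
```

Because the patterns are also tested against jump targets, an unanchored pattern such as 'ACCEPT' would silently take every accept rule out of enforcement; keep patterns anchored and specific, as in the examples above. Note also that, per the NOTE above, preservation only affects the comparison: once any rule is added or removed the service restarts, and the preserved rules come back only if the service that owns them subscribes to Service['iptables'] and/or Service['ip6tables'].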
name
namevar
The path to the target file to be optimized. Mainly used for ensuring that the file comes after the optimization.
precise_match
Valid values: true, false
Instead of matching rule counts, perform a more precise match against the running and to-be-applied rules. You may find that minor changes, such as a simple netmask change will not be enforced without enabling this option.
This is enabled by default because it is a more correct approach.
- NOTE: You MUST use the exact same syntax that will be returned by iptables-save if you enable this option!
- For example, you cannot write echo-request for an ICMP echo match; you must instead use 8.
Default value: true
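The following is an added example, not code from the simp-iptables module, illustrating the precise_match parameter of ip6tables_optimize and iptables_optimize. It models the two comparison modes described above: a count-based match, which cannot see a changed netmask, and a precise match, which enforces it but reports a difference on every run for any spelling that iptables-save normalizes (echo-request becomes 8, a bare host address becomes address/32). The rule strings are constructed for the example, and the module's real comparison logic may differ in detail.

```ruby
# Added illustrative example (not code from the simp-iptables module):
# why `precise_match` matters. Running rules are what `iptables-save`
# prints; desired rules are what the manifest wrote.

# Constructed sample: rules as iptables-save reports them after a load.
RUNNING_RULES = [
  '-A LOCAL-INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT',
  '-A LOCAL-INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT',
  '-A LOCAL-INPUT -s 192.168.1.10/32 -p tcp -m tcp --dport 443 -j ACCEPT',
].freeze

# Constructed sample: the rules the catalog wants. The operator widened the
# SSH netmask (a real change) and wrote the ICMP and host rules in a form
# iptables-save does not reproduce (spurious differences).
DESIRED_RULES = [
  '-A LOCAL-INPUT -s 10.0.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT',
  '-A LOCAL-INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT',
  '-A LOCAL-INPUT -s 192.168.1.10 -p tcp -m tcp --dport 443 -j ACCEPT',
].freeze

# Model of precise_match => false: only the rule count per chain is compared.
def count_match?(running, desired)
  per_chain = ->(rules) { rules.group_by { |r| r.split[1] }.transform_values(&:size) }
  per_chain.call(running) == per_chain.call(desired)
end

# Model of precise_match => true: the rule text is compared, tolerating only
# ordering and whitespace differences.
def precise_match?(running, desired)
  norm = ->(rules) { rules.map { |r| r.split.join(' ') }.sort }
  norm.call(running) == norm.call(desired)
end

# Desired rules the running set does not contain verbatim: with precise
# matching on, each of these is reported as a change on every run until it
# is rewritten in iptables-save's spelling.
def precise_diff(running, desired)
  desired.map { |r| r.split.join(' ') } - running.map { |r| r.split.join(' ') }
end

# Rewrite the two spellings from the text that iptables-save normalises.
# The safe general method is to apply the rule once, run iptables-save and
# copy what it prints.
def normalise_rule(rule)
  rule.gsub('--icmp-type echo-request', '--icmp-type 8')
      .gsub(/(-[sd] \d{1,3}(?:\.\d{1,3}){3})(?=\s|$)/, '\1/32')
end

if $PROGRAM_NAME == __FILE__
  puts "count match   : #{count_match?(RUNNING_RULES, DESIRED_RULES)}   (netmask change missed)"
  puts "precise match : #{precise_match?(RUNNING_RULES, DESIRED_RULES)}"
  puts 'differences as written:'
  precise_diff(RUNNING_RULES, DESIRED_RULES).each { |r| puts "  #{r}" }
  puts 'differences after normalising spellings (only the real change remains):'
  precise_diff(RUNNING_RULES, DESIRED_RULES.map { |r| normalise_rule(r) }).each { |r| puts "  #{r}" }
end
```

With precise_match disabled the /24 to /16 widening is never enforced because the rule count is unchanged; with it enabled the widening is enforced, but the echo-request and bare-address rules flap on every run until they are written as iptables-save prints them.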
provider
The specific backend to use for this iptables_optimize
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
iptables_rule
Authoritatively manage iptables rules. This type is atomic: either all rules work, or the old rules are preserved.
Properties
The following properties are available in the iptables_rule
type.
content
Valid values: /\w+/
The content of the rule that should be added
Parameters
The following parameters are available in the iptables_rule
type.
absolute
apply_to
comment
comment_header
first
header
include_comment
name
order
provider
resolve
table
absolute
Valid values: true, false
Set to 'true' if you want the rule to be the absolute first or last. This is relative and places items in alphabetical order if multiple absolute first/lasts are specified.
Default value: false
apply_to
Valid values: ipv4, ipv6, all, auto
What version(s) of iptables to which to apply this rule. If set to 'auto' (the default) then we'll try to guess what you want and default to ['ipv4','ipv6'].
If 'auto' is set then each line will be evaluated as an independent rule.
- Any rules that have IPv4 addresses will be applied to iptables.
- Any rules that have IPv6 addresses will be applied to ip6tables.
- All other rules will be applied to both utilities.
- If in doubt, split your rules and specify your tables!
Default value: auto
comment
A comment to add to the rule.
The value of $comment_header will be prepended.
Empty comments (no content and no header) will be discarded.
Content will be truncated at 255 characters, including the header.
Default value: ''
comment_header
A header to prepend to all comments for easy visual rule tracking
Default value: SIMP:
first
Valid values: true, false
Set to 'true' if you want to prepend your rule.
Default value: false
header
Valid values: true, false
Whether or not to auto-include the LOCAL-INPUT chain header (-A LOCAL-INPUT) in the rule.
Default value: true
include_comment
Valid values: true, false, yes, no
Whether or not to include the value in the $comment parameter
Default value: true
name
namevar
The name of the rule. Simply used for creating the unique fragments.
order
Valid values: /\d+/
The order in which the rule should appear. 1 is the minimum and 999 is the max.
Default value: 11
provider
The specific backend to use for this iptables_rule
resource. You will seldom need to specify this --- Puppet will
usually discover the appropriate provider for your platform.
resolve
Valid values: true, false
Whether or not to use DNS resolution to identify hostnames in IPTables statements.
This should probably be left at true: hostname rules are a rare scenario and, should you use one, you will want the rule to land in iptables or ip6tables correctly.
With this enabled, the IP address that is resolved will be added to IPTables and not the hostname itself.
Default value: true
table
The name of the table that you are adding to.
Default value: filter
xt_recent
Sets the various options on the running xt_recent kernel module.
If the module needs to be loaded, attempts to load the module.
Properties
The following properties are available in the xt_recent
type.
ip_list_gid
Valid values: /^\d+$/
Numerical GID for ownership of /proc/net/xt_recent/* files.
Default value: 0
ip_list_hash_size
Valid values: /^\d+$/
Hash table size. 0 means to calculate it based on ip_list_tot.
Default value: 0
ip_list_perms
Valid values: /^[0-7]{4}$/
Permissions for /proc/net/xt_recent/* files.
Default value: 0640
ip_list_tot
Valid values: /^\d+$/
The number of addresses remembered per table. This effectively becomes the maximum size of your block list. Be aware that more addresses means more load on your system.
Default value: 100
ip_list_uid
Valid values: /^\d+$/
Numerical UID for ownership of /proc/net/xt_recent/* files.
Default value: 0
ip_pkt_list_tot
Valid values: /^\d+$/
The number of packets per address remembered.
Default value: 20
Parameters
The following parameters are available in the xt_recent
type.
name
namevar
The path to the xt_recent variables to be manipulated
provider
The specific backend to use for this xt_recent
resource. You will seldom need to specify this --- Puppet will usually
discover the appropriate provider for your platform.
Functions
iptables::slice_ports
Type: Ruby 4.x API
Split a stringified Iptables::DestPort into an Array of groupings, each at most max_length in size.
iptables::slice_ports(Variant[String,Array[String]] $input, Integer[1] $max_length)
Split a stringified Iptables::DestPort into an Array of groupings, each at most max_length in size.
Returns: Array[Array[String]]
input
Data type: Variant[String,Array[String]]
One or more ports or port ranges, all represented as strings.
max_length
Data type: Integer[1]
The maximum length of each group.
iptables::use_firewalld
Type: Puppet Language
Returns true if the client can/should use firewalld
iptables::use_firewalld(Variant[String[1], Boolean] $enable = true)
Returns true if the client can/should use firewalld
Returns: Boolean
enable
Data type: Variant[String[1], Boolean]
The type of enablement to use
- true => Do the right thing based on the underlying OS
- false => Return false
- firewalld => Force firewalld if available
Data types
Iptables::ApplyTo
Valid families to which rules should apply
Alias of
Enum['ipv4', 'ipv6', 'all', 'auto']
Iptables::DestPort
An iptables_rule compatible port range or Array
Alias of
Variant[Simplib::Port, Iptables::PortRange, Array[Variant[Simplib::Port, Iptables::PortRange]]]
Iptables::PortRange
An iptables-compatible Port Range
Alias of
Pattern['^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$']
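The following is an added example, not the module's own iptables::slice_ports function, that ties together the slice_ports description above and the Iptables::PortRange pattern just shown. It validates entries with the same regular expression as Iptables::PortRange (the single-port pattern is the example's own mirror of it; Simplib::Port itself is an assumption here) and then groups a DestPort list so that each group fits in one iptables multiport match. It goes one step beyond the text: iptables' multiport extension accepts at most 15 ports and counts a range as two, so the grouping below counts slots rather than entries; whether the module's function does the same is not stated on this page.

```ruby
# Added illustrative example (not the module's iptables::slice_ports):
# validate Iptables::DestPort entries and group them so each group fits a
# single `-m multiport --dports` match. iptables' multiport extension
# takes at most 15 ports, a range (lo:hi) counting as two (man
# iptables-extensions); the module's own function may count differently.

MULTIPORT_MAX = 15

# Identical to the Iptables::PortRange pattern above: each end is 0..65535.
# The pattern alone does not require lo <= hi.
PORT_RANGE = /^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5]):([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$/
# Mirror of the same pattern for a single port (assumption standing in for
# Simplib::Port, which is an Integer type in simplib).
SINGLE_PORT = /^([0-5]?\d?\d?\d?\d|6[0-4]\d\d\d|65[0-4]\d\d|655[0-2]\d|6553[0-5])$/

# Multiport slots one entry consumes: 1 for a port, 2 for a range.
def slots(entry)
  entry.to_s.include?(':') ? 2 : 1
end

# Validate one entry; raises on anything outside 0..65535 or a reversed range.
def validate_port!(entry)
  str = entry.to_s
  if (m = PORT_RANGE.match(str))
    lo, hi = m[1].to_i, m[2].to_i
    raise ArgumentError, "reversed port range: #{str}" if lo > hi
  elsif !SINGLE_PORT.match?(str)
    raise ArgumentError, "invalid port or range: #{str}"
  end
  str
end

# Split `input` (a String or an Array, like iptables::slice_ports) into
# groups that each fit within `max_length` multiport slots, never breaking
# a range across groups.
def slice_ports_by_slots(input, max_length = MULTIPORT_MAX)
  entries = Array(input).map { |e| validate_port!(e) }
  return [] if entries.empty?

  groups = [[]]
  used = 0
  entries.each do |e|
    need = slots(e)
    raise ArgumentError, "max_length #{max_length} too small for #{e}" if need > max_length
    if used + need > max_length
      groups << []
      used = 0
    end
    groups.last << e
    used += need
  end
  groups
end

# Render each group as the match portion of one multiport rule.
def multiport_args(input, max_length = MULTIPORT_MAX)
  slice_ports_by_slots(input, max_length).map { |g| "-m multiport --dports #{g.join(',')}" }
end

if $PROGRAM_NAME == __FILE__
  ports = %w[22 80 443 1024:2048 3000:3100] + (8000..8011).map(&:to_s)
  multiport_args(ports).each { |args| puts "-A LOCAL-INPUT -p tcp #{args} -j ACCEPT" }
end
```

Counting slots matters because 15 entries containing even one range would overflow a single multiport match; the example in main above splits 17 entries (two of them ranges) into two rules rather than failing at load time.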
- Tue Jun 15 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.6.0
- Removed support for Puppet 5
- Ensured support for Puppet 7 in requirements and stdlib
- Wed Mar 10 2021 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.5
- Fixed
- Moved the service-relevant files out of install and into service
- Ensure that EL8+ installs iptables-service instead of trying to install the EL7 packages
- Call iptables::install in all enabled modes since firewalld may require the underlying packages
- Thu Jan 07 2021 Chris Tessmer chris.tessmer@onyxpoint.com - 6.5.5
- Removed EL6 support
- Mon Nov 16 2020 Liz Nemsick lnemsick.simp@gmail.com - 6.5.4
- Fixed a bug in which the iptables services and rules were not managed when iptables::use_firewalld was set to true on an EL6 system.
- Fixed an ordering issue with setting xt_recent parameters that could occur on OEL7 nodes. However, there are other issues with xt_recent on OEL that may prevent this module from working on OEL in some circumstances.
- Fri Oct 23 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.3
- Ensure that systems that do not have firewalld will not attempt to configure it.
- Tue Sep 29 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.2
- Fix README.md inaccuracies
- Tue Aug 18 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.1
- Ensure that all addresses are normalized when rules are processed
- Remove nested looped rule normalization of addresses since it is no longer required
- Fix normalize_addresses() so that it simply grabs the netmask if present and slaps on the appropriate one if not
- Wed Jun 10 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.5.0
- Removed the experimental firewalld support
- Hooked the module into the new simp/simp_firewalld module
- Wed May 27 2020 Trevor Vaughan tvaughan@onyxpoint.com - 6.4.0
- Fixed some bugs in the 'munge' portions of the native types.
- Improved the internal rule matching to handle most netmask and port updates.
- Added an exact_match Boolean to the iptables_optimize and ip6tables_optimize native types to allow for more aggressive rule matching.
- This change requires that inbound rules match whatever is returned by iptables-save and/or ip6tables-save to prevent iptables flapping.
- Experimental firewalld support
- Added support for voxpupuli/firewalld
- Added an iptables::firewalld_shim class for configuring firewalld in accordance with the current iptables configuration.
- Ensure that the iptables::listen::* will work in firewalld mode
- No work has been done to convert the advanced capabilities such as scanblock.
- Will automatically use firewalld in EL 8
- Allows optional enabling of firewalld in EL 7 by either setting iptables::use_firewalld to true
- IPv6 is not currently supported due to needing to move the auto-detection logic to a higher level. Preferably, this will go into the upstream firewalld module.
- Wed Sep 11 2019 Mark Fitch CodePhase@users.noreply.github.com - 6.3.1
- Allow LOCAL-INPUT jump rule in FORWARD and INPUT chains to occur last as a default action through the addition of an iptables::rules::base::force_local_input parameter
- Wed Aug 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.3.1
- Allow users to disable adding the 'SIMP:' prefix to the comment
- Allow users to disable comments on rules completely
- Added REFERENCE.md
- Removed outdated 'doc' directory
- Fri Jul 05 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.3.0
- Add v2 compliance_markup data
- Fri Jun 21 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.2
- Add rule to allow outbound communication over OUTPUT to the loopback device by default.
- Mon Jun 10 2019 Steven Pritchard steven.pritchard@onyxpoint.com - 6.2.1
- Allow 'proto' in iptables::ports to be an array
- Mon Apr 08 2019 Trevor Vaughan tvaughan@onyxpoint.com - 6.2.0
- Added 'iptables_default_policy' for modifying the default policy of the 'filter' table on either IPv4 or IPv6.
- Added 'iptables::rules::default_drop' to allow users to easily toggle the default drop behavior of the default filter policies.
- Removed Puppet 4 support
- Added Puppet 6 support
- Mon Apr 01 2019 Jim Anderson thesemicolons@protonmail.com - 6.2.0
- Added rule to drop 127.0.0.0/8 addresses as defined in RFC 1122 - Section: 3.2.1.3(g).
- Mon Mar 25 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.2.0
- Fixed bug in which port ranges specified by iptables::listen::tcp_stateful::dports or iptables::listen::udp::dports could be erroneously split over multiple iptables rules
- Replaced deprecated simplib Puppet 3 function slice_array with iptables::slice_ports
- Mon Mar 25 2019 Joseph Sharkey shark.bruhaha@gmail.com - 6.2.0
- Updated puppet template scope API from 3 to newer
- Thu Mar 07 2019 Liz Nemsick lnemsick.simp@gmail.com - 6.1.7
- Update the upper bound of stdlib to < 6.0.0
- Update a URL in the README.md
- Mon Jan 21 2019 Miguel Cruz mcruz@metrostarsystems.com - 6.1.7
- Fix typo in documentation
- Thu Nov 01 2018 Jeanne Greulich jeanne.greulichr@onyxpoint.com - 6.1.6
- static asset updates for puppet 5
- Thu Oct 11 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.6
- Changed $package_ensure from 'latest' to 'installed'
- It will also respect simp_options::package_ensure
- Fri Sep 07 2018 Liz Nemsick lnemsick.simp@gmail.com - 6.1.6
- Drop Hiera 4 support
- Thu May 17 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.5
- Perform deep rule comparison on rulesets that are otherwise identical
- Remove chances for memory leaks due to the design of iptables_rule
- Set init script permissions back to the RPM defaults of 0755
- Thu May 03 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.4
- Remove erroneous native IPTables jump point retention
- Wed May 02 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.3
- Fix issue where a jump target went to an empty ruleset and the chain was dropped
- Retain all native IPTables jump points by default
- Add == method for IPTables Rulesets
- Sun Mar 11 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.2
- Added support for OEL 6 and 7
- Added Puppet 5 acceptance tests
- Mon Jan 22 2018 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.1
- Fixed bugs in the chain retention and optimization code that would cause iptables to fail to reload in some situations.
- Mon Jan 22 2018 Nick Miller nick.miller@onyxpoint.com - 6.1.1
- This commit moves the logic that parses the iptables::ports Hash into a define, to make it possible to use the same hash format in other modules without copying code.
- There was also a bug where compilation would fail if proto was specified in the defaults section of the Hash.
- Mon Dec 04 2017 Some Dude 7zbayf+sw1l67jjhlbk@sharklasers.com - 6.1.0-0
- Fixed a bug in the order of the IPTables rules in scanblock module
- Previously, IPTables would not block connections from banned IPs that were accessing open ports.
- Thu Nov 30 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.1.0-0
- Added the ability to ignore interfaces using the 'ignore' regex array
- Fixed issues with ignoring rules and added some optimization
- No longer apply IPTables rules in the optimization phase and simply wait for the downstream service to trigger
- Thu Aug 10 2017 Nick Markowski nmarkowski@keywcorp.com - 6.0.3-0
- Updated iptables::listen::tcp_stateful example to pass valid Iptables::DestPort types to dports
- Wed May 24 2017 Brandon Riden brandon.riden@onyxpoint.com - 6.0.1-0
- Added a workaround for Puppet 4.10 type issues
- There was a bug in Puppet where all lookup() Hash keys were being converted into Strings even if they were another data type
- This is fixed in Puppet > 4.10.2 but this patch will remain for backwards compatibility
- Update puppet dependency in metadata.json
- Remove OBE pe dependency in metadata.json
- Thu Jan 13 2017 Nick Miller nick.miller@onyxpoint.com - 6.0.1-0
- Added a feature to add resources via hiera
- Wed Jan 11 2017 Trevor Vaughan tvaughan@onyxpoint.com - 6.0.0-0
- Removed the legacy call to Facter in the 'xt_recent' 'set' provider
- Wed Dec 07 2016 Nick Markowski nmarkowski@keywcorp.com - 6.0.0-0
- Renamed the global catalyst 'client_nets' to 'trusted_nets'
- Wed Nov 09 2016 Liz Nemsick lnemsick.simp@gmail.com - 5.0.0-0
- Fixed bug in the set provider for the xt_recent type that required manual modifications to the permissions for the /sys/module/xt_recent/parameters/* files, in order for the scanblock capability to be enabled.
- Fixed bugs in the xt_recent type and its set provider that caused Puppet to believe /sys/module/xt_recent/parameters/ip_list_perms file content had changed when it had not.
- Eliminated use of deprecated Puppet.newtype
- Updated to compliance_markup version 2
- Fri Sep 30 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.5-0
- Updated the ip6tables_optimize provider so that it works in Puppet 4
- Fri Aug 26 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.4-0
- Ensure that the SELinux context on the init scripts is correct so that the runs are idempotent
- Thu Jul 07 2016 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.3-0
- Fixed an issue with the remote lookup regular expression processing in Ruby 1.8
- Mon May 16 2016 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.2-0
- Sanitized fact references to run under STRICT_VARIABLES=yes
- Wed Apr 13 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.1.1-0
- Changed default provider of services to redhat
- Tue Apr 12 2016 Kendall Moore kendall.moore@onyxpoint.com - 4.1.0-17
- Removed custom type deprecation warning
- Fri Feb 19 2016 Ralph Wright ralph.wright@onyxpoint.com - 4.1.0-16
- Added compliance function support
- Tue Jan 26 2016 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-15
- Normalized common static module assets
- Mon Nov 09 2015 Chris Tessmer chris.tessmer@onypoint.com - 4.1.0-14
- migration to simplib and simpcat (lib/ only)
- Mon Jul 27 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-13
- Added an iptables::prevent_localhost_spoofing class to handle IPv6 spoofed communication.
- Wed Jul 08 2015 Chris Tessmer chris.tessmer@onyxpoint.com - 4.1.0-12
- Updated iptables::disable's default to look up 'use_iptables' from hiera.
- Fixed iptables::disable to disable management of IPv4 rules.
- Mon Apr 27 2015 Michael Riddle mriddle@onyxpoint.com - 4.1.0-11
- Implemented a workaround for ports being read in as valid ipv6 addresses on iptables lines that don't contain any ipaddress. Any iptables lines containing a port with no ipaddress would only validate as an ipv6 rule.
- Thu Apr 02 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-10
- Fixed DNS resolution in the IPTables provider. Unfortunately, this never actually worked as implemented.
- Fri Jan 16 2015 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-9
- Changed puppet-server requirement to puppet
- Tue Aug 05 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-8
- Changed all top-scope class variable calls to actual global variables. This isn't great, but there isn't an elegant way to do this inside Puppet right now.
- Update to fix the scenario where the /etc/sysconfig/ip*tables files don't exist.
- Fixed a typo where the ip6tables-retry script was really calling iptables.
- Tue Jul 15 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-7
- Added CentOS as a supported OS as part of CentOS 7 upgrade.
- Thu Jun 26 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-6
- Provide for RHEL7 compatibility.
- Added an iptables::disable option that will disable our IPTables enforcement by way of telling optimize to effectively noop.
- Rewrote most of the IPTables native type to be more maintainable.
- Added a new option iptables::authoritative which, when set, ties iptables_optimize to the iptables service. When not set, optimize will simply do what it can on the chains that it knows about. This is new and may need a bit more work on some edge cases.
- Sun Jun 22 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-5
- Removed MD5 file checksums for FIPS compliance.
- Tue Apr 29 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-4
- Updated the optimize code to ignore matches in both chains and jumps.
- Tue Apr 15 2014 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-4
- Ensure that DNS lookups are sorted so that iptables does not continually restart.
- Moved the default rules out of sec and into iptables::base_rules.
- Updated the iptables class to call out to base_rules and scanblock based on parameters.
- Thu Feb 13 2014 Kendall Moore kmoore@keywcorp.com - 4.1.0-3
- Updated all string booleans to native booleans in manifests and templates.
- Wed Dec 11 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-2
- Updated the rule comparison code in iptables_rule to properly compare the new and old rules.
- Properly handle blank lines in the /etc/sysconfig/ip*tables files.
- Fixed the providers to properly handle the case where /etc/sysconfig/iptables is absent and/or the commands are at alternate paths.
- Thu Nov 21 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.1.0-1
- Made several changes to the iptables_rule custom type to:
- Now resolves all hostnames in the rules by default. This can be disabled but may cause issues with the autodiscovery between ipv4
- Ensure that the -A header is not prepended to a rule if it already has a header value.
- Ensure that no rules attempt to be added if they belong to a table that is not valid for the given ip*tables type.
- Tue Nov 19 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.1-1
- Fixed an issue in iptables_optimize where a situation could arise that would cause the table definitions to not be properly loaded and the iptables reload to fail.
- Thu Oct 10 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.1-0
- Removed all calls to the Puppet FileLocking classes which get removed in later versions of Puppet.
- Added an iptables::scanblock class which will work to semi-permanently block any IP address that is prodding your host. This is mainly intended for Internet facing hosts.
- The IPTables module custom types were almost completely rewritten.
- The iptables_requires_restart facts are gone and you can now pass an array of regular expressions to the 'ignore' variable of the iptables class and have it ignore running rules with targets matching any of the expressions when deciding to restart iptables.
- Fri Oct 04 2013 Nick Markowski nmarkowski@keywcorp.com - 4.0.0-1
- Updated template to reference instance variables with @
- Wed Jul 31 2013 Trevor Vaughan tvaughan@onyxpoint.com - 4.0.0-0
- CRIT: There was a severe bug in allow_all_services.erb that would make any call to iptables::add_all_listen open IPTables to all hosts. This has been corrected.
- Updated the ip*tables_requires_restart facts to only select on the -j options no matter what order they are in.
- Added a call to 'validate_net_list' to all iptables defines so that incorrect client_nets arrays fail hard.
- Tue Jan 08 2013 Maintenance 2.1.0-6
- Added two new facts: iptables_requires_restart and ip6tables_requires_restart that replace the ip(6)?tables_running and ip(6)?tables_saved facts. The old facts simply were not accurate enough for complex situations.
- Update to fix the ability of the iptables rule mechanisms to handle rules with over 15 ports.
- Updated to require pupmod-common >= 2.1.1-2 so that upgrading an old system works properly.
- Fri Oct 19 2012 Maintenance 2.1.0-5
- Removed one line in the iptables_rule type that caused the type to fail if ipv6 wasn't enabled on the target system.
- Tue Sep 18 2012 Maintenance 2.1.0-4
- Updated all references of /etc/modprobe.conf to /etc/modprobe.d/00_simp_blacklist.conf as modprobe.conf is now deprecated.
- Fri Aug 17 2012 Maintenance 2.1.0-3
- Moved all dynamic resource creation and checking to 'finish' instead of 'initialize' in the custom type.
- Tue Jul 24 2012 Maintenance 2.1.0-2
- Fix all instances of 'IPT:' instead of "IPT:"
- Tue Jun 26 2012 Maintenance 2.1.0-1
- Trigger ip6?tables restart when rules change on the host regardless of the count.
- Thu Jun 07 2012 Maintenance 2.1.0-0
- Ensure that Arrays in templates are flattened.
- Call facts as instance variables.
- Rewrote the iptables templates to more efficiently handle checking for the 'any' case.
- Moved mit-tests to /usr/share/simp...
- This is a massive rewrite of the iptables module that adds native support for ip6tables as well as some magical rule munging that should make life easier.
- The old methods have been kept around for backward compatibility purposes.
- Rules are now also optimized before being written and ip(6)tables will try to fall back to the previous configuration upon restart.
- This is not the Puppet Labs module since that one a) doesn't let you add arbitrary rules and b) modifies rules on the fly which turned out to be quite dangerous at times. This is more of an all-or-nothing approach.
- More will be added to the native type as time allows.
- Fri Mar 02 2012 Maintenance 2.0.0-6
- Added a startup script, iptables-retry to try and restart iptables after networking starts just in case a rule was added with an fqdn.
- Updated the iptables startup script to the latest version.
- Reformatted all code to meet Puppet Labs' guidance.
- Improved test stubs.
- Added a check in the custom facts to not call iptables if service iptables status doesn't return anything.
- Mon Dec 26 2011 Maintenance 2.0.0-5
- Updated the spec file to not require a separate file list.
- Scoped all of the top level variables.
- Mon Dec 05 2011 Maintenance 2.0.0-4
- No longer print the status messages when nothing needs to happen. These can be enabled using the $class_debug variable.
- Mon Oct 10 2011 Maintenance 2.0.0-3
- Updated to put quotes around everything that need it in a comparison statement so that puppet > 2.5 doesn't explode with an undef error.
- Mon Sep 12 2011 Maintenance 2.0.0-2
- Ensure that the iptables_running fact does not do DNS lookups.
- Mon Apr 18 2011 Maintenance - 2.0.0-1
- Changed puppet://$puppet_server/ to puppet:///
- Updated to use concat_build and concat_fragment types.
- Tue Jan 11 2011 Maintenance 2.0.0-0
- Refactored for SIMP-2.0.0-alpha release
- Tue Oct 26 2010 Maintenance - 1-1
- Converting all spec files to check for directories prior to copy.
- Fri May 21 2010 Maintenance 1.0-0
- Doc update and code refactor
- Fri May 07 2010 Maintenance 0.1-20
- Added a fact, iptables_running that returns the number of rules in the running iptables.
- Added a fact, iptables_saved that returns the number of rules in the saved iptables rule set.
- Added a check to see if the running IPTables ruleset has fewer rules than the specified IPTables ruleset. If it does, have IPTables reload.
- Sat Feb 13 2010 Maintenance 0.1-19
- Moved the ESTABLISHED/RELATED rule to the top of the stack.
- Thu Jan 28 2010 Maintenance 0.1-18
- The IPTables service now uses iptables-restore instead of 'service iptables restart' to restart iptables. This means that no state will be lost due to spurious iptables restarts.
- Mon Nov 02 2009 Maintenance 0.1-17
- Added the ability to have custom comments above each entry.
- Now remove any subsequent duplicate entries; comments will, of course, cause problems with this.
Dependencies
- puppetlabs/stdlib (>= 6.6.0 < 8.0.0)
- simp/simplib (>= 4.0.1 < 5.0.0)
pupmod-simp-iptables - A Puppet Module for managing IPTables -- Per Section 105 of the Copyright Act of 1976, these works are not entitled to domestic copyright protection under US Federal law. The US Government retains the right to pursue copyright protections outside of the United States. The United States Government has unlimited rights in this software and all derivatives thereof, pursuant to the contracts under which it was developed and the License under which it falls. --- Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.