
Understanding PuppetLabs::Firewall - how to?

asked 2013-09-20 06:04:09 -0500

ethrbunny gravatar image

I'm having some trouble wrapping my head around how to use this module to build IPTables files. What's entailed to end up with the following set of rules:

:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m tcp -p tcp -s 100.95.96.0/24 --dport 22 -j ACCEPT
-A INPUT -m tcp -p tcp -s 100.95.95.0/24 --dport 22 -j ACCEPT
-A INPUT -m tcp -p ...
(more)

1 Answer

3

answered 2013-09-20 15:41:11 -0500

doc75 gravatar image

updated 2013-09-20 15:42:08 -0500

Hello,

In order to get the rule you need, and especially the INPUT DROP default policy, I would suggest you read this answer (disclaimer: post to my own question).

Afterwards, the rules should be as follows (not tested):

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

firewall { '000 accept related established rules (INPUT)':
  proto  => 'all',
  chain  => 'INPUT',
  state  => ['RELATED', 'ESTABLISHED'],
  action => 'accept',
}

-A INPUT -p icmp -j ACCEPT

firewall { '001 accept all icmp (INPUT)':
  proto  => 'icmp',
  chain  => 'INPUT',
  action => 'accept',
}

-A INPUT -i lo -j ACCEPT

firewall { '002 accept all to lo interface (INPUT)':
  proto   => 'all',
  chain   => 'INPUT ...
(more)
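The following is an added example, not code from the question or the answer above: one complete manifest for the full rule set the question lists, written against the puppetlabs-firewall module. The firewall resources follow the answer's pattern; the firewallchain resource used for the INPUT DROP default policy is an assumption on my part, since the post the answer links to for that step is not on this page. The class name site_firewall and the rule titles are made up for the example.

```puppet
# Added example (not from the question or answer): a complete manifest for the
# rule set in the question, using puppetlabs-firewall. The firewallchain
# resource for the default policy is assumed here; the answer's linked post
# describing its own approach is not on this page.
class site_firewall {

  # :INPUT DROP [0:0]
  # Default policy for the INPUT chain of the IPv4 filter table.
  # purge => true removes any rule in the chain that Puppet does not manage,
  # so the resulting ruleset matches this manifest exactly.
  # FORWARD and OUTPUT keep the kernel default of ACCEPT, so they are not
  # managed here.
  firewallchain { 'INPUT:filter:IPv4':
    ensure => present,
    policy => 'drop',
    purge  => true,
  }

  # -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  firewall { '000 accept related established (INPUT)':
    chain  => 'INPUT',
    proto  => 'all',
    state  => ['ESTABLISHED', 'RELATED'],
    action => 'accept',
  }

  # -A INPUT -p icmp -j ACCEPT
  firewall { '001 accept all icmp (INPUT)':
    chain  => 'INPUT',
    proto  => 'icmp',
    action => 'accept',
  }

  # -A INPUT -i lo -j ACCEPT
  firewall { '002 accept all to lo interface (INPUT)':
    chain   => 'INPUT',
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }

  # -A INPUT -m tcp -p tcp -s 100.95.96.0/24 --dport 22 -j ACCEPT
  firewall { '100 accept ssh from 100.95.96.0/24 (INPUT)':
    chain  => 'INPUT',
    proto  => 'tcp',
    source => '100.95.96.0/24',
    dport  => 22,
    action => 'accept',
  }

  # -A INPUT -m tcp -p tcp -s 100.95.95.0/24 --dport 22 -j ACCEPT
  firewall { '101 accept ssh from 100.95.95.0/24 (INPUT)':
    chain  => 'INPUT',
    proto  => 'tcp',
    source => '100.95.95.0/24',
    dport  => 22,
    action => 'accept',
  }
}

include site_firewall
```

The module orders rules in the chain by the numeric prefix of each resource title, which is why the accept rules carry 000, 001, 002, 100 and 101: the ESTABLISHED,RELATED rule must come first so that existing sessions keep working. Note that a chain policy of drop is applied with `iptables -P` and takes effect the moment the firewallchain resource is managed, so on a host administered over SSH the accept rules must already be in place before the first run that sets the policy; the module's own README documents the lower-risk alternative of keeping the policy at ACCEPT and ending the chain with an explicit high-numbered drop rule (`firewall { '999 drop all': proto => 'all', action => 'drop' }`), which produces `-A INPUT -j DROP` at the end of the chain instead of `:INPUT DROP`.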

Last updated: Sep 20 '13