puppet firewall rules not working as expected

asked 2018-03-26 17:11:54 -0600 by Nunu

updated 2018-03-27 08:41:57 -0600 by DarylW

I am having an issue that I cannot figure out regarding the firewall module syntax and source NATting.

c111tqc-vm29:~ # iptables -n -t nat --list --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       udp  --  0.0.0.0/0            10.0.0.0/8           multiport dports 53 /* 600 Snat to Primary IP */ to:10.220.30.123
2    SNAT       tcp  --  0.0.0.0/0            10.0.0.0/8           multiport dports 53 /* 605 Snat to Primary IP */ to:10.220.30.123

Here's my relevant puppet syntax code:

firewall { '600 Snat to Primary IP':
  chain       => 'POSTROUTING',
  jump        => 'SNAT',
  proto       => 'udp',
  destination => '10.0.0.0/8',
  table       => 'nat',
  dport       => '53',
  tosource    => $facts['networking']['ip'],
}

firewall { '605 Snat to Primary IP':
  chain       => 'POSTROUTING',
  jump        => 'SNAT',
  proto       => 'tcp',
  destination => '10.0.0.0/8',
  table       => 'nat',
  dport       => '53',
  tosource    => $facts['networking']['ip'],
}

As you can see above, when running "iptables -n -t nat --list --line-numbers", it's showing "multiport dports 53"... I am not sure if the puppet module is interpreting my puppet syntax incorrectly, or I am not giving it the correct syntax.

The actual iptables command line equivalent should be this:

iptables -t nat -I POSTROUTING -d 10.0.0.0/8 -j SNAT -p tcp --dport 53 --to-source 10.220.30.123

That produces the output below when running "iptables -t nat --list". That is what I want it to show. It's not a cosmetic issue either, as I've tested the behavior and it's not working as I wanted. Basically, I want to source NAT to 10.220.30.123 if it matches the destination being the 10.0.0.0/8 network and the destination port is 53.

8    SNAT       tcp  --  0.0.0.0/0            10.0.0.0/16       tcp dpt:53 to:10.220.30.123
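An added example, not from the question or from the puppetlabs-firewall module: it parses `iptables -n -t nat --list --line-numbers` output and compares rules by what they match and do rather than by how iptables renders the match, so the `multiport dports 53` form written by Puppet and the `tcp dpt:53` form from the hand-typed command (which match the same packets for a single port) can be audited as one policy. The listing is constructed from the two rules in the question plus one rule in the hand-typed form with the same /8 destination.

```python
import re

# Constructed sample of `iptables -n -t nat --list --line-numbers` output: rules 1-2
# mirror the question's Puppet-managed rules, rule 3 the hand-typed `--dport 53` form.
SAMPLE_LISTING = """\
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       udp  --  0.0.0.0/0            10.0.0.0/8           multiport dports 53 /* 600 Snat to Primary IP */ to:10.220.30.123
2    SNAT       tcp  --  0.0.0.0/0            10.0.0.0/8           multiport dports 53 /* 605 Snat to Primary IP */ to:10.220.30.123
3    SNAT       tcp  --  0.0.0.0/0            10.0.0.0/8           tcp dpt:53 to:10.220.30.123
"""

# Columns of a numbered rule line: num target prot opt source destination [matches ...]
RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<rest>.*)$")

def parse_rule(line):
    """Parse one rule line into a dict; header and blank lines return None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rest, ports = m.group("rest"), set()
    mp = re.search(r"multiport dports (\S+)", rest)   # `-m multiport --dports a,b`
    if mp:
        ports.update(mp.group(1).split(","))
    ports.update(re.findall(r"\bdpts?:(\S+)", rest))  # plain `--dport N` (dpts:A:B = range)
    to = re.search(r"\bto:(\S+)", rest)               # SNAT --to-source address
    return {"num": int(m.group("num")), "target": m.group("target"),
            "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
            "dports": frozenset(ports), "to": to.group(1) if to else None}

def parse_listing(text):
    """All rule lines of a listing, in chain order."""
    return [r for r in (parse_rule(ln) for ln in text.splitlines()) if r]

def policy_key(rule):
    """What a rule matches and does, ignoring its number and comment text."""
    return (rule["target"], rule["proto"], rule["src"], rule["dst"], rule["dports"], rule["to"])

def snat_rule_present(rules, proto, dst, port, to_source):
    """Audit check: does some rule SNAT `proto` traffic bound for dst:port to to_source?"""
    want = ("SNAT", proto, "0.0.0.0/0", dst, frozenset({port}), to_source)
    return any(policy_key(r) == want for r in rules)
```

Running `policy_key` over a live listing and diffing against the intended policy catches a wrong `tosource` fact or a mismatched destination prefix, which is the kind of difference the rendering of the port match can hide.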