cookbook 'iptables-ng', '= 3.0.0'
iptables-ng
(24) Versions
3.0.0
-
Follow16
Installs/Configures iptables-ng
cookbook 'iptables-ng', '= 3.0.0', :supermarket
knife supermarket install iptables-ng
knife supermarket download iptables-ng
iptables-ng Cookbook
This cookbook maintains and installs iptables and ip6tables rules, trying to keep as close to the way the used distribution maintains their rules.
Contrary to other iptables cookbooks, this cookbook installs iptables and maintains rules using the distributions default configuration files and services (for Debian and Ubuntu, iptables-persistent is used). If the distribution has no service for iptables, it falls back to iptables-restore.
It provides LWRPs as well as recipes which can handle iptables rules set in the nodes attributes.
It uses the directory /etc/iptables.d
to store and maintain its rules. I'm trying to be as compatible as much as possible to all distributions out there.
This cookbook is supposed to be able to:
- Configure iptables rules in a consistent and nice way for all distributions
- Be configured by using LWRPs only
- Be configured by using node attributes only
- Respect the way the currently used distribution stores their rules
- Provide a good-to-read and good-to-maintain way of deploying complex iptables rulesets
- Provide a way of specifying the order of the iptables rules, in case needed
- Only run iptables-restore once during a chef run, and only if something was actually changed
- Support both, ipv6 as well as ipv4
- Be able to assemble iptables rules from different recipes (and even cookbooks), so you can set your iptables rule where you actually configure the service
I also wrote a blog post providing further insights.
Requirements
The following distribution are best supported, but as this recipe falls back to a generic iptables restore script in case the system is unknown, it should work with every linux distribution supporting iptables.
- Ubuntu 10.04, 12.04, 14.04, 14.10
- Debian 7 (6 should work, too)
- RHEL 5.9, 6.x, 7.x
- Gentoo
- Archlinux
No external dependencies. Just add this line to your metadata.rb
and you're good to go!
depends 'iptables-ng'
Attributes
General configuration (services, paths)
While iptables-ng tries to automatically determine the correct settings and defaults for your distribution, it might be necessary to adapt them in certain cases. You can configure the behaviour of iptables-ng using the following attributes:
# The ip versions to manage iptables for node['iptables-ng']['enabled_ip_versions'] = [4, 6] # Which tables to manage: # When using a containered setup (OpenVZ, Docker, LXC) it might might be # necessary to remove the "nat" and "raw" tables. node['iptables-ng']['enabled_tables'] = %w(nat filter mangle raw) # An array of packages to install. # This should install iptables and ip6tables, # as well as a system service that takes care of reloading the rules # On Debian and Ubuntu, iptables-persistent is used by default. node['iptables-ng']['packages'] = %w(iptables) # The name of the service that will be used to restart iptables # By default, the system service of your distribution is used, so don't worry about it unless you # have special requirements. If iptables-ng can't figure out the default service to use or these # attributes are set to nil, iptables-ng will fall back to "iptables-restore" node['iptables-ng']['service_ipv4'] = 'iptables-persistent' node['iptables-ng']['service_ipv6'] = 'iptables-persistent' # The location were the iptables-restore script will be written to node['iptables-ng']['script_ipv4'] = '/etc/iptables/rules.v4' node['iptables-ng']['script_ipv6'] = '/etc/iptables/rules.v6'
Rule configuration
The use of the LWRPs is recommended, but iptables-ng can be configured using attributes only.
You can set the default policies of a chain like this
node['iptables-ng']['rules']['filter']['INPUT']['default'] = 'DROP [0:0]'
And also add rules for a chain (this example allows SSH)
node['iptables-ng']['rules']['filter']['INPUT']['ssh']['rule'] = '--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT'
You can prioritize your rules, too. This example will make sure that the 'ssh' rule is created before the 'http' rule
node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['rule'] = 'this rule is first' node['iptables-ng']['rules']['filter']['INPUT']['90-http']['rule'] = 'this rule is applied later'
Also, it's possible to only apply a rule for a certain ip version.
node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['rule'] = '--protocol tcp --source 1.2.3.4 --dport 22 --match state --state NEW --jump ACCEPT' node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['ip_version'] = 4
Auto-pruning
In Chef, it is generally accepted that removing node attributes does not result in their corresponding resources being proactively scrubbed from the system. However, this could be seen as irritating or even a security risk when dealing with firewall attribute rules in this cookbook. To automatically prune rules for attributes that have been removed, set the following attribute to true. This will not affect rules defined with the LWRP.
node['iptables-ng']['auto_prune_attribute_rules'] = true
Recipes
default
The default recipe calls the install recipe, and then configures all rules and policies given in the nodes attribute.
Example:
To allow only SSH for incoming connections, add this to your node configuration
{ "name": "example.com", "chef_environment": "_default", "normal": { "iptables-ng": { "rules": { "filter": { "INPUT": { "default": "DROP [0:0]", "ssh": { "rule": "--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT" } } } } } }, "run_list": [ "recipe[iptables-ng]" ] }
In case you need a rule for one specific ip version, you can set the "ip_version" attribute.
"ssh": { "rule": "--protocol tcp --source 1.2.3.4 --dport 22 --match state --state NEW --jump ACCEPT", "ip_version": 4 }
You can also delete old rules by specifying a custom action.
"ssh": { "action": "delete" }
install
The installs recipe installs iptables packages, makes sure that /etc/iptables.d
is created and sets all default policies to "ACCEPT", unless they are already configured.
On Debian and Ubuntu systems, it also removes the "ufw" package, as it might interferre with this cookbook.
Note: This recipe needs to be run before the LWRPs are used!
include_recipe 'iptables-ng::install'
Providers
It's recommended to configure iptables-ng using LWRPs in your (wrapper) cookbook.
All providers take care that iptables is installed (they include the install recipe before running), so you can just use them without worrying whether everything is installed correctly.
iptables_ng_chain
This provider creates chains and adds their default policies.
Example: Set the default policy of the filter INPUT chain to ACCEPT:
iptables_ng_chain 'INPUT' do policy 'ACCEPT [0:0]' end
Example: Create a custom chain:
iptables_ng_chain 'MYCHAIN'
The following additional attributes are supported:
iptables_ng_chain 'name' do chain 'INPUT' # The chain to set the policy for (name_attribute) table 'filter' # The table to use (defaults to 'filter') policy 'DROP [0:0]' # The policy to use (defaults to 'ACCEPT [0:0]' for # build-in chains, to '- [0:0]' for custom ones action :create # Supported actions: :create, :create_if_missing, :delete # Default action: :create end
iptables_ng_rule
This provider adds iptables rules
Example: Allow SSH on the INPUT filter chain
iptables_ng_rule 'ssh' do rule '--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT' end
The following additional attributes are supported:
iptables_ng_rule 'custom' do name 'my-rule' # Name of the rule. Use "xx-" to prioritize rules. chain 'INPUT' # Chain to use. Defaults to 'INPUT' (custom chains need to be created using iptables_ng_chain first!) table 'filter' # Table to use. Defaults to 'filter' ip_version 4 # Integer or Array of IP versions to create the rules for. # Defaults to node['iptables-ng']['enabled_ip_versions'] rule '-j ACCEPT' # String or Array containing the rule(s). (Required) action :create # Supported actions: :create, :create_if_missing, :delete # Default action: :create end
Example: Allow HTTP and HTTPS for a specific IP range only
iptables_ng_rule 'ssh' do rule ['--source 192.168.1.0/24 --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT', '--source 192.168.1.0/24 --protocol tcp --dport 443 --match state --state NEW --jump ACCEPT'] # As the source specified above is ipv4, this rule cannot be applied to ip6tables. # Therefore, setting ip_version to 4 ip_version 4 end
Example: Use the same rule for an array of IPs
ips = %w(10.10.10.1 123.123.123.123 192.168.1.0/24) iptables_ng_rule 'multiple_source_addresses' do rule ips.map { |ip| "--source #{ip} --jump ACCEPT" } # As the source specified above is ipv4, this rule cannot be applied to ip6tables. # Therefore, setting ip_version to 4 ip_version 4 end
Known issues
There are some issues with systemd support on Fedora systems. Also it might be required to install iptables-service on newer Fedora machines.
Due to this issues, the tests for Fedora were removed until they are resolved.
Furthermore, due to the lack of Opscode kitchen boxes, there are no tests for Archlinux.
Contributing
You fixed a bug, or added a new feature? Yippie!
- Fork the repository on Github
- Create a named feature branch (like
add_component_x
) - Write you change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using Github
Contributions of any sort are very welcome!
License and Authors
Authors: Chris Aumann
Contributors: Dan Fruehauf, Nathan Williams, Christian Graf, James Le Cuirot, Sten Spans
Other licenses than GPLv3
In case you can't use the provided license for some reason, feel free to contact me.
Copyright (C) 2015 Chris Aumann
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/.
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
iptables-ng CHANGELOG
This file is used to list changes made in each version of the iptables-ng cookbook.
3.0.0
Release to workaround cloning issues, for the upcoming Chef-13 release:
- Removed the feature to automatically run iptables-ng::install
upon LWRP
usage. It's now required to manually run iptables-ng::install
before using
the LWRPs. This can be achieved by adding the following before using the
LWRPs for the first time (also make sure it's only included once):
ruby
include_recipe 'iptables-ng::install'
- Removed the feature to automatically create new custom chains when using the
iptables_ng_rule
provider. Custom chains are now required to be added
manually before using them:
ruby
iptables_ng_chain 'CUSTOM'
iptables_ng_rule 'rule-using-custom-chain'
This release also fixes a bug previously introduced by trying to workaround the
cloning issues, where a chain policy wasn't properly updated. See this
issue for details.
2.3.1
- Add compatibility fix for older chef-clients
2.3.0
- Add workarounds for duplicate resource warnings
2.2.11
- Add compatibility setting for
source_url
attribute inmetadata.rb
2.2.10
- Revert
use_inline_resources
, was causing trouble
2.2.9 (broken, do not use!)
- Fix code linting complaints (rubocop, foodcritc)
- Add
use_inline_resources
to providers
2.2.8
- Add
node['iptables-ng']['auto_prune_attribute_rules']
attribute to remove unused/ old rules created by attributes automatically
2.2.7
- Add support for Debian Jessie
2.2.6
- Add possibility to disable the reload or restore of iptables at the end of a chef run
2.2.5
- Only install
iptables
package on Amazon Linux
2.2.4
- Check whether name attribute in rule provider is valid
- Fix an issue with resource notification in rule provider
- Fix an issue with nat table on ipv6 not properly skipped on systems without ip6tables nat support
- Add
node['iptables-ng']['ip6tables_nat_support']
attribute, default to true on recent Ubuntu versions
2.2.3
- Add posibility to add an "action" when configuring iptables rules via attributes. See README for details
2.2.2
- Fix an issue with init-script name on Ubuntu >= 14.10 (was renamed to netfilter-persistent)
2.2.1
- Add support for RHEL 7 compatible distributions
2.2.0
- Add support for
node['iptables-ng']['enabled_tables']
2.1.1
- Fix an issue with
node['iptables-ng']['enabled_ip_versions']
, Thanks Bob Ziuchkovski - Add Travis with rubocup and foodcritic checks
2.1.0
- Add rubocup
- Add attribute
node['iptables-ng']['enabled_ip_versions']
2.0.0
- Support custom chains
- Rename/Migrate iptables_ng_policy provider to iptables_ng_chain
1.1.1
- Fixes duplicate resource name warnings [CHEF-3694], Thanks James FitzGibbon
1.1.0
- Support for ip_version parameter in attributes. See README for details.
If you use attributes to configure iptables_ng, you need to migrate
node['iptables-ng']['rules']['filter']['INPUT']['rej'] = 'myrule'
to
node['iptables-ng']['rules']['filter']['INPUT']['rej']['rule'] = 'myrule'
1.0.0
- [Chris Aumann] - Initial release of iptables-ng
Collaborator Number Metric
3.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
3.0.0 failed this metric
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:21
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:25
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:29
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/chain.rb:1
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/rule.rb:1
FC066: Ensure chef_version is set in metadata: iptables-ng/metadata.rb:1
FC069: Ensure standardized license defined in metadata: iptables-ng/metadata.rb:1
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/chain.rb:57
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/rule.rb:44
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/recipes/default.rb:58
Run with Foodcritic Version 12.2.1 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
License Metric
3.0.0 passed this metric
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 passed this metric
3.0.0 failed this metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
3.0.0 failed this metric
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:21
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:25
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:29
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/chain.rb:1
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/rule.rb:1
FC066: Ensure chef_version is set in metadata: iptables-ng/metadata.rb:1
FC069: Ensure standardized license defined in metadata: iptables-ng/metadata.rb:1
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/chain.rb:57
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/rule.rb:44
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/recipes/default.rb:58
Run with Foodcritic Version 12.2.1 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
License Metric
3.0.0 passed this metric
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 passed this metric
3.0.0 failed this metric
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:25
FC017: LWRP does not notify when updated: iptables-ng/providers/rule.rb:29
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/chain.rb:1
FC059: LWRP provider does not declare use_inline_resources: iptables-ng/providers/rule.rb:1
FC066: Ensure chef_version is set in metadata: iptables-ng/metadata.rb:1
FC069: Ensure standardized license defined in metadata: iptables-ng/metadata.rb:1
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/chain.rb:57
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/providers/rule.rb:44
FC104: Use the :run action in ruby_block instead of :create: iptables-ng/recipes/default.rb:58
Run with Foodcritic Version 12.2.1 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
3.0.0 passed this metric
No Binaries Metric
3.0.0 passed this metric
Testing File Metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 passed this metric
3.0.0 passed this metric
3.0.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.0.0 passed this metric
3.0.0 passed this metric