Puppet Class: psick::firewall::iptables

Defined in:
manifests/firewall/iptables.pp

Overview

Minimal firewall class that renders an iptables-save format rules file (IPv4 and, optionally, IPv6) from a template and restarts the distribution's iptables service so the rules are reloaded whenever the file changes. Rule content comes straight from the class parameters, so it should only be fed from trusted data (Hiera); nothing here validates rule syntax.

Parameters:

  • package_name (String)
  • service_name (String)
  • service_name_v6 (Optional[String])
  • config_file_path (String)
  • config_file_path_v6 (String)
  • rules_template (String) (defaults to: 'psick/firewall/iptables.erb')
  • rules_template_v6 (String) (defaults to: 'psick/firewall/iptables6.erb')
  • extra_rules (Array) (defaults to: [ ])
  • extra_rules_v6 (Array) (defaults to: [ ])
  • filter_rules (Array) (defaults to: [ ])
  • filter_rules_v6 (Array) (defaults to: [ ])
  • nat_rules (Array) (defaults to: [ ])
  • nat_rules_v6 (Array) (defaults to: [ ])
  • mangle_rules (Array) (defaults to: [ ])
  • mangle_rules_v6 (Array) (defaults to: [ ])
  • allowall_interfaces (Array) (defaults to: [ ])
  • allowall_interfaces_v6 (Array) (defaults to: [ ])
  • allow_tcp_ports (Array) (defaults to: [ ])
  • allow_tcp_ports_v6 (Array) (defaults to: [ ])
  • allow_udp_ports (Array) (defaults to: [ ])
  • allow_udp_ports_v6 (Array) (defaults to: [ ])
  • allow_ips (Array) (defaults to: [ ])
  • allow_ips_v6 (Array) (defaults to: [ ])
  • ssh_safe_mode (Boolean) (defaults to: true)
  • ssh_safe_mode_v6 (Boolean) (defaults to: true)
  • default_input (Enum['DROP','ACCEPT']) (defaults to: 'DROP')
  • default_input_v6 (Enum['DROP','ACCEPT']) (defaults to: 'DROP')
  • default_output (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_output_v6 (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_forward (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_forward_v6 (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • log_filter_defaults (Boolean) (defaults to: true)
  • manage_ipv6 (Boolean) (defaults to: true)


# File 'manifests/firewall/iptables.pp', line 3

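# Minimal firewall class: renders an iptables-save style rules file from a
# template and keeps the distribution's iptables service running and enabled,
# so the rules are applied at boot and re-applied on every file change.
#
# Security notes for operators:
# - Every *_rules / allow_* / allowall_interfaces parameter is handed to the
#   templates and ends up in the rules file verbatim; treat them as trusted
#   configuration (Hiera), never as user-supplied input. No syntax checking
#   is done here.
# - Defaults are INPUT DROP, OUTPUT ACCEPT, FORWARD ACCEPT. FORWARD ACCEPT is
#   permissive on hosts that route (containers, VMs, ip_forward=1); set
#   default_forward to 'DROP' on such hosts unless forwarding is intended.
# - ssh_safe_mode defaults to true; its exact effect is implemented in the
#   templates (not visible here) and is presumably what keeps SSH reachable
#   while a new rule set is loaded - confirm against the template.
# - The rendered rules files are root-owned and mode 0640, since they expose
#   the host's allow-lists.
#
# @param package_name           Package providing the iptables tooling/service.
# @param service_name           Service that loads the IPv4 rules file.
# @param service_name_v6        Service that loads the IPv6 rules file. Leave undef
#   where one service restores both files (e.g. Debian's netfilter-persistent);
#   the IPv6 rules file then notifies $service_name instead.
# @param config_file_path       Path of the rendered IPv4 rules file.
# @param config_file_path_v6    Path of the rendered IPv6 rules file.
# @param rules_template         ERB template for the IPv4 rules file.
# @param rules_template_v6      ERB template for the IPv6 rules file.
# @param extra_rules            Additional raw rules (IPv4), passed to the template.
# @param extra_rules_v6         Additional raw rules (IPv6), passed to the template.
# @param filter_rules           Raw rules for the filter table (IPv4).
# @param filter_rules_v6        Raw rules for the filter table (IPv6).
# @param nat_rules              Raw rules for the nat table (IPv4).
# @param nat_rules_v6           Raw rules for the nat table (IPv6).
# @param mangle_rules           Raw rules for the mangle table (IPv4).
# @param mangle_rules_v6        Raw rules for the mangle table (IPv6).
# @param allowall_interfaces    Interfaces on which all traffic is accepted (IPv4).
# @param allowall_interfaces_v6 Interfaces on which all traffic is accepted (IPv6).
# @param allow_tcp_ports        TCP ports to accept inbound (IPv4).
# @param allow_tcp_ports_v6     TCP ports to accept inbound (IPv6).
# @param allow_udp_ports        UDP ports to accept inbound (IPv4).
# @param allow_udp_ports_v6     UDP ports to accept inbound (IPv6).
# @param allow_ips              Source addresses/networks accepted unconditionally (IPv4).
# @param allow_ips_v6           Source addresses/networks accepted unconditionally (IPv6).
# @param ssh_safe_mode          Passed to the IPv4 template; see note above.
# @param ssh_safe_mode_v6       Passed to the IPv6 template; see note above.
# @param default_input          Policy of the INPUT chain (IPv4).
# @param default_input_v6       Policy of the INPUT chain (IPv6).
# @param default_output         Policy of the OUTPUT chain (IPv4).
# @param default_output_v6      Policy of the OUTPUT chain (IPv6).
# @param default_forward        Policy of the FORWARD chain (IPv4).
# @param default_forward_v6     Policy of the FORWARD chain (IPv6).
# @param log_filter_defaults    Passed to the templates; presumably logs packets
#   hitting the default policy - confirm against the template.
# @param manage_ipv6            Whether to render the IPv6 rules file and manage
#   the IPv6 service at all.
class psick::firewall::iptables (
  String $package_name,
  String $service_name,
  Optional[String] $service_name_v6,
  String $config_file_path,
  String $config_file_path_v6,
  String $rules_template                 = 'psick/firewall/iptables.erb',
  String $rules_template_v6              = 'psick/firewall/iptables6.erb',
  Array $extra_rules                     = [ ],
  Array $extra_rules_v6                  = [ ],
  Array $filter_rules                    = [ ],
  Array $filter_rules_v6                 = [ ],
  Array $nat_rules                       = [ ],
  Array $nat_rules_v6                    = [ ],
  Array $mangle_rules                    = [ ],
  Array $mangle_rules_v6                 = [ ],
  Array $allowall_interfaces             = [ ],
  Array $allowall_interfaces_v6          = [ ],
  Array $allow_tcp_ports                 = [ ],
  Array $allow_tcp_ports_v6              = [ ],
  Array $allow_udp_ports                 = [ ],
  Array $allow_udp_ports_v6              = [ ],
  Array $allow_ips                       = [ ],
  Array $allow_ips_v6                    = [ ],
  Boolean $ssh_safe_mode                 = true,
  Boolean $ssh_safe_mode_v6              = true,
  Enum['DROP','ACCEPT'] $default_input      = 'DROP',
  Enum['DROP','ACCEPT'] $default_input_v6   = 'DROP',
  Enum['DROP','ACCEPT'] $default_output     = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_output_v6  = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_forward    = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_forward_v6 = 'ACCEPT',
  Boolean $log_filter_defaults              = true,
  Boolean $manage_ipv6                      = true,
) {

  package { $package_name:
    ensure => present,
    before => Service[$service_name],
  }

  # The rules file is the host's allow-list; keep it root-owned and not
  # world-readable. Ownership is pinned explicitly so a pre-existing file with
  # looser ownership is corrected rather than silently kept.
  file { $config_file_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0640',
    content => template($rules_template),
    notify  => Service[$service_name],
  }

  service { $service_name:
    ensure => running,
    enable => true,
  }

  if $manage_ipv6 {
    # $service_name_v6 is optional. Referencing Service[undef] in the
    # notify below would break catalog compilation, so resolve the reference
    # first: with no dedicated IPv6 service, assume $service_name restores
    # both rule files (as netfilter-persistent does) and notify it instead.
    if $service_name_v6 {
      service { $service_name_v6:
        ensure => running,
        enable => true,
      }
      $ipv6_reload_target = Service[$service_name_v6]
    } else {
      $ipv6_reload_target = Service[$service_name]
    }

    file { $config_file_path_v6:
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0640',
      content => template($rules_template_v6),
      notify  => $ipv6_reload_target,
    }
  }

  # Per-OS-family housekeeping so that exactly one firewall manager owns the
  # netfilter tables.
  case $::osfamily {
    'RedHat': {
      # firewalld and the iptables service both program netfilter; stop the
      # former before the latter is started so the rendered rules are not
      # overwritten by firewalld's own configuration.
      service { 'firewalld':
        ensure => stopped,
        enable => false,
        before => Service[$service_name],
      }
    }
    'Debian': {
      # Parent directory of the rules files; File resources autorequire their
      # managed parent directory.
      file { '/etc/iptables':
        ensure => directory,
      }
    }
    'Suse': {
      # SUSE ships no iptables unit; provide one plus the stop script, and
      # remove SuSEfirewall2 which would otherwise compete for the tables.
      file { '/usr/lib/systemd/system/iptables.service':
        ensure  => file,
        content => template('psick/firewall/iptables.service.erb'),
        notify  => Service[$service_name],
      }
      file { '/etc/sysconfig/iptables.stop':
        ensure  => file,
        content => template('psick/firewall/iptables.stop.erb'),
        notify  => Service[$service_name],
      }
      package { 'SuSEfirewall2':
        ensure => absent,
      }
    }
    default: {}
  }

}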