Puppet Class: psick::firewall::iptables

Defined in:
manifests/firewall/iptables.pp

Overview

Essential firewall class based on a simple iptables-save file

Parameters:

  • package_name (String)
  • service_name (String)
  • service_name_v6 (Optional[String])
  • config_file_path (String)
  • config_file_path_v6 (String)
  • rules_template (String) (defaults to: 'psick/firewall/iptables.erb')
  • rules_template_v6 (String) (defaults to: 'psick/firewall/iptables6.erb')
  • extra_rules (Array) (defaults to: [ ])
  • extra_rules_v6 (Array) (defaults to: [ ])
  • filter_rules (Array) (defaults to: [ ])
  • filter_rules_v6 (Array) (defaults to: [ ])
  • nat_rules (Array) (defaults to: [ ])
  • nat_rules_v6 (Array) (defaults to: [ ])
  • mangle_rules (Array) (defaults to: [ ])
  • mangle_rules_v6 (Array) (defaults to: [ ])
  • allowall_interfaces (Array) (defaults to: [ ])
  • allowall_interfaces_v6 (Array) (defaults to: [ ])
  • allow_tcp_ports (Array) (defaults to: [ ])
  • allow_tcp_ports_v6 (Array) (defaults to: [ ])
  • allow_udp_ports (Array) (defaults to: [ ])
  • allow_udp_ports_v6 (Array) (defaults to: [ ])
  • allow_ips (Array) (defaults to: [ ])
  • allow_ips_v6 (Array) (defaults to: [ ])
  • ssh_safe_mode (Boolean) (defaults to: true)
  • ssh_safe_mode_v6 (Boolean) (defaults to: true)
  • default_input (Enum['DROP','ACCEPT']) (defaults to: 'DROP')
  • default_input_v6 (Enum['DROP','ACCEPT']) (defaults to: 'DROP')
  • default_output (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_output_v6 (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_forward (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • default_forward_v6 (Enum['DROP','ACCEPT']) (defaults to: 'ACCEPT')
  • log_filter_defaults (Boolean) (defaults to: true)
  • manage_ipv6 (Boolean) (defaults to: true)
  • manage (Boolean) (defaults to: $::psick::manage)
  • noop_manage (Boolean) (defaults to: $::psick::noop_manage)
  • noop_value (Boolean) (defaults to: $::psick::noop_value)


# File 'manifests/firewall/iptables.pp', line 3

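# @summary Essential firewall class based on a simple iptables-save file.
#
# Ensures the iptables package is present, renders the IPv4 (and optionally
# IPv6) rules file from an ERB template with root-only read permissions, and
# keeps the corresponding service(s) running. The *_rules, allowall_*, allow_*,
# ssh_safe_mode*, default_* and log_filter_defaults parameters are not read in
# this class body: they are available to the templates, which are rendered in
# this class's scope.
#
# @param package_name Package ensured present; ordered before Service[$service_name].
# @param service_name Service kept running and enabled; notified by the IPv4 rules file.
# @param service_name_v6 Optional IPv6 service. When undef, no IPv6 service is
#   declared and the IPv6 rules file notifies nothing.
# @param config_file_path Path of the IPv4 rules file written from rules_template.
# @param config_file_path_v6 Path of the IPv6 rules file written from rules_template_v6.
# @param rules_template ERB template rendered into config_file_path.
# @param rules_template_v6 ERB template rendered into config_file_path_v6.
# @param extra_rules Consumed by the templates.
# @param extra_rules_v6 Consumed by the templates.
# @param filter_rules Consumed by the templates.
# @param filter_rules_v6 Consumed by the templates.
# @param nat_rules Consumed by the templates.
# @param nat_rules_v6 Consumed by the templates.
# @param mangle_rules Consumed by the templates.
# @param mangle_rules_v6 Consumed by the templates.
# @param allowall_interfaces Consumed by the templates.
# @param allowall_interfaces_v6 Consumed by the templates.
# @param allow_tcp_ports Consumed by the templates.
# @param allow_tcp_ports_v6 Consumed by the templates.
# @param allow_udp_ports Consumed by the templates.
# @param allow_udp_ports_v6 Consumed by the templates.
# @param allow_ips Consumed by the templates.
# @param allow_ips_v6 Consumed by the templates.
# @param ssh_safe_mode Consumed by the templates.
# @param ssh_safe_mode_v6 Consumed by the templates.
# @param default_input Consumed by the templates.
# @param default_input_v6 Consumed by the templates.
# @param default_output Consumed by the templates.
# @param default_output_v6 Consumed by the templates.
# @param default_forward Consumed by the templates.
# @param default_forward_v6 Consumed by the templates.
# @param log_filter_defaults Consumed by the templates.
# @param manage_ipv6 When true, the IPv6 rules file and (if named) service are managed too.
# @param manage When false, this class declares no resources at all.
# @param noop_manage When true, the noop() function is called with noop_value.
# @param noop_value Value passed to noop() when noop_manage is true.
class psick::firewall::iptables (
  String $package_name,
  String $service_name,
  Optional[String] $service_name_v6,
  String $config_file_path,
  String $config_file_path_v6,
  String $rules_template                 = 'psick/firewall/iptables.erb',
  String $rules_template_v6              = 'psick/firewall/iptables6.erb',
  Array $extra_rules                     = [ ],
  Array $extra_rules_v6                  = [ ],
  Array $filter_rules                    = [ ],
  Array $filter_rules_v6                 = [ ],
  Array $nat_rules                       = [ ],
  Array $nat_rules_v6                    = [ ],
  Array $mangle_rules                    = [ ],
  Array $mangle_rules_v6                 = [ ],
  Array $allowall_interfaces             = [ ],
  Array $allowall_interfaces_v6          = [ ],
  Array $allow_tcp_ports                 = [ ],
  Array $allow_tcp_ports_v6              = [ ],
  Array $allow_udp_ports                 = [ ],
  Array $allow_udp_ports_v6              = [ ],
  Array $allow_ips                       = [ ],
  Array $allow_ips_v6                    = [ ],
  Boolean $ssh_safe_mode                 = true,
  Boolean $ssh_safe_mode_v6              = true,
  Enum['DROP','ACCEPT'] $default_input      = 'DROP',
  Enum['DROP','ACCEPT'] $default_input_v6   = 'DROP',
  Enum['DROP','ACCEPT'] $default_output     = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_output_v6  = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_forward    = 'ACCEPT',
  Enum['DROP','ACCEPT'] $default_forward_v6 = 'ACCEPT',
  Boolean $log_filter_defaults              = true,
  Boolean $manage_ipv6                      = true,

  Boolean          $manage               = $::psick::manage,
  Boolean          $noop_manage          = $::psick::noop_manage,
  Boolean          $noop_value           = $::psick::noop_value,
) {

  if $manage {
    if $noop_manage {
      noop($noop_value)
    }

    package { $package_name:
      ensure => present,
      before => Service[$service_name],
    }

    # Rules files are root-readable only (0640): they expose the host's
    # allow-lists and open ports.
    file { $config_file_path:
      ensure  => file,
      notify  => Service[$service_name],
      content => template($rules_template),
      mode    => '0640',
    }

    service { $service_name:
      ensure => running,
      enable => true,
    }

    if $manage_ipv6 {
      # The IPv6 service is optional. Only build a resource reference to it
      # when it is actually declared: Service[undef] is an invalid reference
      # and would break catalog compilation.
      if $service_name_v6 {
        service { $service_name_v6:
          ensure => running,
          enable => true,
        }
        $notify_v6 = Service[$service_name_v6]
      } else {
        $notify_v6 = undef
      }

      file { $config_file_path_v6:
        ensure  => file,
        notify  => $notify_v6,
        content => template($rules_template_v6),
        mode    => '0640',
      }
    }

    case $::osfamily {
      'RedHat': {
        # firewalld and the iptables service both program netfilter; stop
        # firewalld before the iptables service is started so the two do not
        # overwrite each other's rule set within one run.
        service { 'firewalld':
          ensure => stopped,
          enable => false,
          before => Service[$service_name],
        }
      }
      'Debian': {
        # Parent directory of the Debian rules files; File resources
        # autorequire their parent directory when it is managed.
        file { '/etc/iptables':
          ensure => directory,
        }
      }
      'Suse': {
        file { '/usr/lib/systemd/system/iptables.service':
          ensure  => file,
          content => template('psick/firewall/iptables.service.erb'),
          notify  => Service[$service_name],
        }
        file { '/etc/sysconfig/iptables.stop':
          ensure  => file,
          content => template('psick/firewall/iptables.stop.erb'),
          notify  => Service[$service_name],
        }
        # SuSEfirewall2 would otherwise compete with the iptables service.
        package { 'SuSEfirewall2':
          ensure => absent,
        }
      }
      default: {}
    }
  }
}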