Puppet Class: packetfilter::router

Defined in:
manifests/router.pp

Overview

Class: packetfilter::router

Typical set of rules for simplistic router nodes. Allows only limited inbound traffic without placing restrictions on outbound traffic. This also sets the net.ipv4.ip_forward sysctl parameter to 1; without that change this class would not do much good.

Authors

Samuli Seppänen <samuli.seppanen@gmail.com>

Parameters:

  • source (Any)
  • iniface (Any)
  • outiface (Any)

# File 'manifests/router.pp', line 13

class packetfilter::router
(
    $source,
    $iniface,
    $outiface
)
{
    # Enable IPv4 forwarding; without it the FORWARD and MASQUERADE rules below have no effect
    ensure_resource('sysctl::value', 'net.ipv4.ip_forward', { 'value' => 1 })

    # Masquerade rules
    firewall { "101 ipv4 masquerade ${outiface}":
        provider => 'iptables',
        chain    => 'POSTROUTING',
        proto    => 'all',
        outiface => $outiface,
        source   => $source,
        table    => 'nat',
        jump     => 'MASQUERADE',
    }

    # INPUT chain
    firewall { '102 ipv4 accept masquerade iniface':
        provider => 'iptables',
        chain    => 'INPUT',
        proto    => 'all',
        state    => [ 'NEW' ],
        iniface  => $iniface,
        action   => 'accept',
    }

    # FORWARD chain
    firewall { '102 ipv4 forward masquerade iniface':
        provider => 'iptables',
        chain    => 'FORWARD',
        proto    => 'all',
        state    => [ 'NEW' ],
        iniface  => $iniface,
        action   => 'accept',
    }

    firewall { '104 ipv4 forward related and established':
        provider => 'iptables',
        chain    => 'FORWARD',
        proto    => 'all',
        state    => [ 'ESTABLISHED', 'RELATED' ],
        action   => 'accept',
    }
}
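To see what the class above amounts to on the node, the following added shell example (not part of the packetfilter module) renders the equivalent iptables and sysctl commands from the three class parameters and adds a parameter sanity check the class itself does not perform. It only prints; nothing is applied. The mapping from firewall resource attributes to iptables flags (proto => 'all' to -p all, state => [...] to -m state --state ...) is the standard puppetlabs-firewall translation and is an assumption of this example, as is the function name render_router_rules.

```shell
#!/bin/sh
# Added example, not the module's own code: print the iptables/sysctl commands
# that packetfilter::router's resources correspond to, for review or diffing.
# Arguments mirror the class parameters: $source $iniface $outiface.

# Refuse parameter combinations that would undermine the intent of the class:
# an empty source network masquerades everything, and using the same interface
# as both iniface and outiface would accept NEW connections from the upstream
# side via the INPUT/FORWARD rules. Returns 0 when the parameters look sane.
validate_router_params() {
    src="$1"; inif="$2"; outif="$3"
    [ -n "$src" ] && [ -n "$inif" ] && [ -n "$outif" ] || return 1
    [ "$inif" != "$outif" ] || return 2
    return 0
}

# Print one command per line, in the order the numeric title prefixes
# (101, 102, 104) impose within each chain. Output order: sysctl, then
# nat/POSTROUTING, INPUT, FORWARD (two rules).
render_router_rules() {
    src="$1"; inif="$2"; outif="$3"
    validate_router_params "$src" "$inif" "$outif" || return $?

    # ensure_resource('sysctl::value', 'net.ipv4.ip_forward', { 'value' => 1 })
    # (runtime equivalent only; persistence is handled by the sysctl module)
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 101 ipv4 masquerade <outiface>: NAT traffic from $source leaving via $outiface
    echo "iptables -t nat -A POSTROUTING -p all -s ${src} -o ${outif} -j MASQUERADE"

    # 102 ipv4 accept masquerade iniface: new connections from the inside
    # network to the router itself
    echo "iptables -A INPUT -p all -i ${inif} -m state --state NEW -j ACCEPT"

    # 102 ipv4 forward masquerade iniface: new connections from the inside
    # network through the router
    echo "iptables -A FORWARD -p all -i ${inif} -m state --state NEW -j ACCEPT"

    # 104 ipv4 forward related and established: return traffic in either
    # direction; note the rule has no -i, so it matches on any interface
    echo "iptables -A FORWARD -p all -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Stand-alone usage: sh render_router.sh 192.168.1.0/24 eth1 eth0
if [ "$#" -eq 3 ]; then
    render_router_rules "$1" "$2" "$3"
fi
```

Two things worth noticing in the rendered output: none of the rules sets a chain policy, so whether inbound traffic arriving on outiface is actually restricted depends on the policies and other rules the rest of the packetfilter setup installs, and the class should not be assumed to provide that restriction by itself; and the ESTABLISHED,RELATED rule in FORWARD matches on any interface, which is what lets replies to the inside network back through.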