Defined Type: iptables::rule

Defined in:
manifests/rule.pp

Overview

Add rules to the IPTables configuration file

### Result:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOCAL-INPUT - [0:0]
-A INPUT -j LOCAL-INPUT
-A FORWARD -j LOCAL-INPUT
-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT
-A LOCAL-INPUT -i lo -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT
-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A LOCAL-INPUT -j LOG --log-prefix "IPT:"
-A LOCAL-INPUT -j DROP
COMMIT

Examples:

Add a TCP Allow Rule

iptables::rule { 'example':
  content => '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'
}

Parameters:

  • content (String)

    The exact content of the rule that should be added

  • table (String) (defaults to: 'filter')

    The name of the table you are adding to

    • Usual names include (but are not limited to):

      * filter
* mangle
* nat
* raw
* security
  • first (Boolean) (defaults to: false)

    Prepend this rule to the rule set

  • absolute (Boolean) (defaults to: false)

    Make sure that this rule is absolutely first, or last, depending on the setting of “first“

    • If “first“ is true, this rule will be at the top of the list

    • If “first“ is false, this rule will be at the bottom of the list

    • For all “absolute“ rules, alphabetical sorting still takes place

  • order (Integer[0]) (defaults to: 11)

    The order in which the rule should appear

    • 1 is the minimum and 9999999 is the maximum

    • The following ordering ranges are suggested (but not enforced):

      * 1     -> ESTABLISHED,RELATED rules
* 2-5   -> Standard ACCEPT/DENY rules
* 6-10  -> Jumps to other rule sets
* 11-20 -> Pure accept rules
* 22-30 -> Logging and rejection rules
  • header (Boolean) (defaults to: true)

    Automatically add the line header “-A LOCAL-INPUT“

  • apply_to (Iptables::ApplyTo) (defaults to: 'auto')

    The IPTables network type to which to apply this rule

    • ipv4 -> iptables

    • ipv6 -> ip6tables

    • all -> Both

    • auto -> Try to figure it out from the rule, will not pick “all“



75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
# File 'manifests/rule.pp', line 75

define iptables::rule (
  String            $content,
  String            $table    = 'filter',
  Boolean           $first    = false,
  Boolean           $absolute = false,
  Integer[0]        $order    = 11,
  Boolean           $header   = true,
  Iptables::ApplyTo $apply_to = 'auto'
) {
  include iptables

  if $iptables::use_firewalld {
    $_caller = simplib::caller()

    notify { 'iptables::rule with firewalld':
      message  => "iptables::rule cannot be used directly in firewalld mode, please use simp_firewalld::rule => Called from ${_caller}",
      loglevel => 'warning'
    }
  }
  else {
    iptables_rule { $name:
      table    => $table,
      absolute => $absolute,
      first    => $first,
      order    => $order,
      header   => $header,
      content  => $content,
      apply_to => $apply_to,
    }
  }
}