johndesp/nc_iptables

nc_iptables Cookbook

Manages IP Tables.

Requirements

None.

Attributes

None.

Usage

nc_iptables::default

This recipe will install iptables, set a default INPUT and FORWARD policy of DROP, and add a rule allowing SSH access.

iptables_rule definition

Most use of this cookbook goes through the iptables_rule definition. An example:

iptables_rule "smtp" do
  log  "-A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix \"TCP_SMTP: \" --log-level 7"
  rule "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT"
end

This would create a rule that allows SMTP traffic to this machine.

You can also specify the "weight" of a rule, which floats it above or below other rules: lower weights are placed earlier in the generated rule list. The default weight is "5".

iptables_rule "loopback" do
  log  "-A INPUT -m limit --limit 5/min -j LOG --log-prefix \"LOOPBACK: \" --log-level 7"
  rule "-A INPUT -i lo -j ACCEPT"
  weight 0
end

iptables_rule "ssh" do
  log  "-A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix \"TCP_SSH: \" --log-level 7"
  rule "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
  weight 0
end

This would result in the loopback and ssh rules being placed first in the list, ahead of any rules that specify no weight at all (such as the smtp rule above, which gets the default weight of 5); rules with a higher weight are placed after those.

For convenience, you can also put multiple rules in one call of the definition:

iptables_rule "snmp" do
  rule [
    "-A INPUT -p tcp -m tcp --dport 161 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 161 -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 162 -j ACCEPT",
    "-A INPUT -p udp -m udp --dport 162 -j ACCEPT"
  ]
  log  "-A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix \"TCP_SNMP: \" --log-level 7"
  weight 10
end

This would set up all four rules.

The results will be saved to /etc/sysconfig/iptables:

# Generated by Chef - do not modify
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow any connection back that we establish
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Any Connection: " --log-level 7
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# Chef defined firewall rules
# Name: loopback
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "LOOPBACK: " --log-level 7
-A INPUT -i lo -j ACCEPT
# Name: ssh
-A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix "TCP_SSH: " --log-level 7
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Drop all connections we didn't specify a rule for
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Any connection: " --log-level 7
-A INPUT -j DROP

# We aren't a router
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Not Router: " --log-level 7
-A FORWARD -j DROP

# We have no filter on outbound traffic for convenience of app dev

COMMIT
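To make the ordering and rendering rules above concrete, here is an added Ruby model (not the nc_iptables cookbook's own code) of how a set of iptables_rule calls is collected, sorted by weight and rendered into a file shaped like the generated /etc/sysconfig/iptables shown above. The class and method names (FirewallRules, add, ordered_names, render) are assumptions made for illustration; the default weight of 5, the "rule may be a string or an array" convenience and the "# Name:" layout come from the README. The model also checks each rule string for a single -j target, which catches the kind of malformed rule (for example "-j ACCEPT LOG ...") that iptables-restore would reject, taking the whole file down with it.

```ruby
# Added example, not part of the nc_iptables cookbook. Models the iptables_rule
# definition: collect rules, sort by weight (lower floats up), render the file.
DEFAULT_WEIGHT = 5 # the README states the default weight is 5

class FirewallRules
  Entry = Struct.new(:name, :rules, :log, :weight, :seq)

  def initialize
    @entries = []
  end

  # Mirrors the definition's parameters: rule is a String or an Array of
  # Strings, log is optional, weight defaults to DEFAULT_WEIGHT.
  def add(name, rule:, log: nil, weight: DEFAULT_WEIGHT)
    rules = Array(rule)
    rules.each { |r| validate!(name, r) }
    validate!(name, log) if log
    @entries << Entry.new(name, rules, log, weight, @entries.size)
    self
  end

  # Lower weight floats to the top; equal weights keep insertion order.
  def ordered
    @entries.sort_by { |e| [e.weight, e.seq] }
  end

  def ordered_names
    ordered.map(&:name)
  end

  # The "Chef defined firewall rules" section: a name comment, the optional
  # LOG line, then the accept/drop rules for that entry.
  def render_rules
    ordered.flat_map do |e|
      lines = ["# Name: #{e.name}"]
      lines << e.log if e.log
      lines + e.rules
    end.join("\n")
  end

  # Whole file in the layout of the README's generated /etc/sysconfig/iptables:
  # chain policies stay ACCEPT and the catch-all DROP is a trailing rule.
  def render
    <<~FILE
      # Generated by Chef - do not modify
      *filter
      :INPUT ACCEPT [0:0]
      :FORWARD ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      # Allow any connection back that we establish
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

      # Chef defined firewall rules
      #{render_rules}

      # Drop all connections we didn't specify a rule for
      -A INPUT -j DROP

      # We aren't a router
      -A FORWARD -j DROP

      COMMIT
    FILE
  end

  # The README's own examples (with the smtp log prefix as constructed here).
  def self.readme_example
    fw = new
    fw.add("smtp", rule: "-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT",
           log: '-A INPUT -p tcp -m limit --limit 5/min -j LOG --log-prefix "TCP_SMTP: " --log-level 7')
    fw.add("loopback", rule: "-A INPUT -i lo -j ACCEPT", weight: 0)
    fw.add("ssh", rule: "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT", weight: 0)
    fw.add("snmp", rule: ["-A INPUT -p udp -m udp --dport 161 -j ACCEPT",
                          "-A INPUT -p udp -m udp --dport 162 -j ACCEPT"], weight: 10)
    fw
  end

  private

  # Reject rule strings iptables-restore would refuse: each must append to a
  # chain and carry exactly one -j target with nothing stuck to it.
  def validate!(name, rule)
    raise ArgumentError, "#{name}: rule must start with -A <chain>" unless rule =~ /\A-A \S+/
    targets = rule.scan(/(?:^|\s)-j\s+(\S+)/).flatten
    raise ArgumentError, "#{name}: expected one -j target, got #{targets.inspect}" unless targets.size == 1
    # e.g. "-j ACCEPT LOG --log-prefix ..." is a copy-paste error, not a rule
    raise ArgumentError, "#{name}: stray token after -j #{targets.first}" if rule =~ /-j\s+\S+\s+[A-Z]+(\s|$)/
    true
  end
end

puts FirewallRules.readme_example.render if __FILE__ == $PROGRAM_NAME
```

Because the generated file keeps the chain policies at ACCEPT and ends the INPUT chain with an explicit "-A INPUT -j DROP", every Chef-defined rule is evaluated before the catch-all regardless of its weight; weight only orders rules relative to each other, which matters when an earlier, broader rule would shadow a narrower one.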
