
iptables-ng, version 2.2.7

Installs/Configures iptables-ng

cookbook 'iptables-ng', '= 2.2.7', :supermarket
cookbook 'iptables-ng', '= 2.2.7'
knife supermarket install iptables-ng
knife supermarket download iptables-ng
Quality 100%

iptables-ng Cookbook


This cookbook installs iptables and ip6tables and maintains their rules, staying as close as possible to the way the distribution in use manages its own rules.

Unlike other iptables cookbooks, this cookbook installs iptables and maintains rules using the distribution's default configuration files and services (on Debian and Ubuntu, iptables-persistent is used). If the distribution has no service for iptables, it falls back to iptables-restore.

It provides LWRPs as well as recipes that apply iptables rules set in the node's attributes.

It uses the directory /etc/iptables.d to store and maintain its rules, and aims to be as compatible as possible with all distributions out there.


Supported platforms

The following distributions are best supported, but because this cookbook falls back to a generic iptables-restore script when the system is unknown, it should work with every Linux distribution that supports iptables.

  • Ubuntu 10.04, 12.04, 14.04, 14.10
  • Debian 7 (6 should work, too)
  • RHEL 5.9, 6.x, 7.x
  • Gentoo
  • Archlinux

Dependencies

No external dependencies. Just add this line to your metadata.rb and you're good to go:

depends 'iptables-ng'


General configuration (services, paths)

While iptables-ng tries to determine the correct settings and defaults for your distribution automatically, it might be necessary to adapt them in certain cases. You can configure the behaviour of iptables-ng using the following attributes:

# The ip versions to manage iptables for
node['iptables-ng']['enabled_ip_versions'] = [4, 6]

# Which tables to manage:
# In a containerised setup (OpenVZ, Docker, LXC) it might be
# necessary to remove the "nat" and "raw" tables, as the kernel may not expose them.
node['iptables-ng']['enabled_tables'] = %w(nat filter mangle raw)

# An array of packages to install.
# This should install iptables and ip6tables,
# as well as a system service that takes care of reloading the rules
# On Debian and Ubuntu, iptables-persistent is used by default.
node['iptables-ng']['packages'] = %w(iptables)

# The name of the service that will be used to restart iptables
# By default, the system service of your distribution is used, so don't worry about it unless you
# have special requirements. If iptables-ng can't figure out the default service to use or these
# attributes are set to nil, iptables-ng will fall back to "iptables-restore"
node['iptables-ng']['service_ipv4'] = 'iptables-persistent'
node['iptables-ng']['service_ipv6'] = 'iptables-persistent'

# The location where the iptables-restore script will be written to
node['iptables-ng']['script_ipv4'] = '/etc/iptables/rules.v4'
node['iptables-ng']['script_ipv6'] = '/etc/iptables/rules.v6'

Rule configuration

Using the LWRPs is recommended, but iptables-ng can also be configured using attributes only.

You can set the default policy of a chain like this:

node['iptables-ng']['rules']['filter']['INPUT']['default'] = 'DROP [0:0]'

And add rules to a chain (this example allows SSH):

node['iptables-ng']['rules']['filter']['INPUT']['ssh']['rule'] = '--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT'

You can prioritize your rules, too: a numeric prefix on the rule name controls the order in which rules are created. This example makes sure that the 'ssh' rule is created before the 'http' rule:

node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['rule'] = 'this rule is first'
node['iptables-ng']['rules']['filter']['INPUT']['90-http']['rule'] = 'this rule is applied later'

It's also possible to apply a rule for one IP version only. A rule with an IPv4 source network cannot be loaded into ip6tables, so restrict it to IPv4:

# 192.0.2.0/24 is a placeholder for your IPv4 source network
node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['rule'] = '--source 192.0.2.0/24 --protocol tcp --dport 22 --match state --state NEW --jump ACCEPT'
node['iptables-ng']['rules']['filter']['INPUT']['10-ssh']['ip_version'] = 4



Recipes

The default recipe calls the install recipe, then configures all rules and policies given in the node's attributes.


To allow only SSH for incoming connections, add this to your node configuration:

{
  "name": "",
  "chef_environment": "_default",
  "normal": {
    "iptables-ng": {
      "rules": {
        "filter": {
          "INPUT": {
            "default": "DROP [0:0]",
            "ssh": {
              "rule": "--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT"
            }
          }
        }
      }
    }
  },
  "run_list": [
    "recipe[iptables-ng]"
  ]
}

In case you need a rule for one specific IP version, set the "ip_version" attribute (192.0.2.0/24 stands in for your IPv4 source network):

"ssh": {
  "rule": "--source 192.0.2.0/24 --protocol tcp --dport 22 --match state --state NEW --jump ACCEPT",
  "ip_version": 4
}

You can also delete old rules by specifying a custom action:

"ssh": {
  "action": "delete"
}
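What the attribute tree above turns into, as an added example that is not part of the iptables-ng cookbook: a plain-Ruby model that renders node['iptables-ng'] into one iptables-restore script per IP version, honouring enabled_ip_versions and enabled_tables from the general configuration section, the numeric name prefixes, per-rule ip_version, and "action": "delete". The emission order (sorted rule names), the policy given to chains without a 'default', and the iptables-save layout are my assumptions about the cookbook's behaviour, not something this page documents; the sample attributes are constructed, and the conntrack match is used in place of the older state match shown above.

```ruby
# Added example (not iptables-ng code): render node['iptables-ng'] attributes
# into iptables-restore scripts. Assumptions: rules in a chain are emitted in the
# sorted order of their names; a built-in chain without 'default' gets
# 'ACCEPT [0:0]', a custom chain '- [0:0]'; output follows iptables-save layout.

BUILTIN_CHAINS = %w(INPUT FORWARD OUTPUT PREROUTING POSTROUTING).freeze

# Constructed node attributes, in the same shape as node['iptables-ng'] above.
NODE = {
  'iptables-ng' => {
    'enabled_ip_versions' => [4, 6],
    'enabled_tables'      => %w(filter),   # e.g. a container: nat/raw left out
    'rules' => {
      'filter' => {
        'INPUT' => {
          'default'        => 'DROP [0:0]',
          '00-loopback'    => { 'rule' => '--in-interface lo --jump ACCEPT' },
          '05-established' => { 'rule' => '--match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' },
          '10-ssh'         => { 'rule' => '--protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT' },
          '20-icmpv6'      => { 'rule' => '--protocol icmpv6 --jump ACCEPT', 'ip_version' => 6 },
          '20-ping'        => { 'rule' => '--protocol icmp --icmp-type echo-request --jump ACCEPT', 'ip_version' => 4 },
          '90-web'         => { 'rule' => ['--protocol tcp --dport 80 --jump ACCEPT',
                                           '--protocol tcp --dport 443 --jump ACCEPT'] },
          '95-legacy-ftp'  => { 'rule' => '--protocol tcp --dport 21 --jump ACCEPT', 'action' => 'delete' },
        },
        'FORWARD' => { 'default' => 'DROP [0:0]' },
        'OUTPUT'  => {},                    # no 'default': built-in chain keeps ACCEPT
      },
      'nat' => {
        'POSTROUTING' => { 'masq' => { 'rule' => '--out-interface eth0 --jump MASQUERADE', 'ip_version' => 4 } },
      },
    },
  },
}.freeze

# Should this rule entry be present in the script for `version`?
def rule_applies?(entry, version, default_versions)
  return false if entry['action'].to_s == 'delete'   # "action": "delete" removes the rule
  Array(entry.fetch('ip_version', default_versions)).map(&:to_i).include?(version)
end

# Lines of the iptables-restore script for one IP version; nil when that version is disabled.
def render_lines(node, version)
  cfg = node['iptables-ng']
  return nil unless cfg['enabled_ip_versions'].include?(version)

  lines = []
  cfg['rules'].each do |table, chains|
    next unless cfg['enabled_tables'].include?(table)
    lines << "*#{table}"
    # Chain declarations (":CHAIN POLICY [pkts:bytes]") come before any -A line.
    chains.each do |chain, entries|
      policy = entries.fetch('default') { BUILTIN_CHAINS.include?(chain) ? 'ACCEPT [0:0]' : '- [0:0]' }
      lines << ":#{chain} #{policy}"
    end
    chains.each do |chain, entries|
      rules = entries.reject { |name, _| name == 'default' }
      rules.sort_by { |name, _| name }.each do |_name, entry|   # "10-ssh" sorts before "90-web"
        next unless rule_applies?(entry, version, cfg['enabled_ip_versions'])
        Array(entry['rule']).each { |r| lines << "-A #{chain} #{r}" }
      end
    end
    lines << 'COMMIT'
  end
  lines
end

# Full script text, ready to be fed to iptables-restore / ip6tables-restore.
def render_script(node, version)
  lines = render_lines(node, version)
  lines && lines.join("\n") + "\n"
end

if __FILE__ == $PROGRAM_NAME
  [4, 6].each do |v|
    puts "# rules.v#{v}"
    puts render_script(NODE, v)
  end
end
```

Run it with `ruby render.rb` to see both scripts side by side. The IPv4-only ping rule and the IPv6-only ICMPv6 rule share the same 20- prefix on purpose: in this model a rule whose ip_version excludes the stack being rendered is silently skipped, which is what lets one attribute tree serve both iptables and ip6tables.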


The install recipe installs the iptables packages, makes sure that /etc/iptables.d exists and sets all default policies to "ACCEPT", unless they are already configured.

On Debian and Ubuntu systems, it also removes the "ufw" package, as it might interfere with this cookbook.


LWRPs

It's recommended to configure iptables-ng using the LWRPs in your (wrapper) cookbook.

All providers make sure that iptables is installed (they include the install recipe before running), so you can use them without worrying about whether everything is installed correctly.


iptables_ng_chain

This provider creates chains and sets their default policies.

Example: Set the default policy of the filter INPUT chain to ACCEPT:

iptables_ng_chain 'INPUT' do
  policy 'ACCEPT [0:0]'
end

Example: Create a custom chain:

iptables_ng_chain 'MYCHAIN'

The following additional attributes are supported:

iptables_ng_chain 'name' do
  chain  'INPUT'       # The chain to set the policy for (name_attribute)
  table  'filter'      # The table to use (defaults to 'filter')
  policy 'DROP [0:0]'  # The policy to use (defaults to 'ACCEPT [0:0]' for
                       # built-in chains, to '- [0:0]' for custom ones)

  action :create       # Supported actions: :create, :create_if_missing, :delete
                       # Default action: :create
end


iptables_ng_rule

This provider adds iptables rules.

Example: Allow SSH on the INPUT filter chain:

iptables_ng_rule 'ssh' do
  rule '--protocol tcp --dport 22 --match state --state NEW --jump ACCEPT'
end

The following additional attributes are supported:

iptables_ng_rule 'custom' do
  name       'my-rule'    # Name of the rule. Use an "xx-" prefix to prioritize rules.
  chain      'INPUT'      # Chain to use. Defaults to 'INPUT'
  table      'filter'     # Table to use. Defaults to 'filter'
  ip_version 4            # Integer or Array of IP versions to create the rules for.
                          # Defaults to node['iptables-ng']['enabled_ip_versions']
  rule       '-j ACCEPT'  # String or Array containing the rule(s). (Required)

  action :create          # Supported actions: :create, :create_if_missing, :delete
                          # Default action: :create
end

Example: Allow HTTP and HTTPS for a specific IP range only (192.0.2.0/24 is a placeholder for that range):

iptables_ng_rule 'http-https' do
  rule ['--source 192.0.2.0/24 --protocol tcp --dport 80 --match state --state NEW --jump ACCEPT',
        '--source 192.0.2.0/24 --protocol tcp --dport 443 --match state --state NEW --jump ACCEPT']

  # As the source specified above is an IPv4 network, this rule cannot be applied to ip6tables.
  # Therefore, restrict it to IPv4.
  ip_version 4
end

Example: Use the same rule for an array of IPs (the addresses below are placeholders):

ips = %w(192.0.2.10 192.0.2.11 198.51.100.7)

iptables_ng_rule 'multiple_source_addresses' do
  rule ips.map { |ip| "--source #{ip} --jump ACCEPT" }

  # As the sources specified above are IPv4 addresses, this rule cannot be applied to ip6tables.
  # Therefore, restrict it to IPv4.
  ip_version 4
end
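A complete wrapper recipe built from the two providers above, as an added example that is not part of the iptables-ng cookbook: a default-deny host firewall that keeps loopback and established traffic, restricts SSH to a management network on IPv4, treats ICMP differently per stack, opens a web service on both stacks, retires an old rule with action :delete, and sends everything else through a rate-limited logging chain. The cookbook name 'base_firewall', the file name recipes/firewall.rb and the 192.0.2.0/24 management network are assumptions. The shim at the top is not part of the recipe pattern either: it stands in for the two resources only when the file is run outside chef-client, so the recipe can be dry-run as plain Ruby and its resources inspected.

```ruby
# recipes/firewall.rb of a hypothetical wrapper cookbook ('base_firewall', whose
# metadata.rb declares `depends 'iptables-ng'`). Added example, not code from the
# iptables-ng cookbook. The shim below is only there so the file can be dry-run as
# plain Ruby; under chef-client the constant Chef exists and the real resources run.
unless defined?(Chef)
  RECORDED = []
  class FakeResource
    attr_reader :type, :name, :props
    def initialize(type, name)
      @type, @name, @props = type, name, {}
    end
    def method_missing(prop, *args)          # rule '...', ip_version 4, action :delete ...
      @props[prop] = args.size == 1 ? args.first : args
    end
    def respond_to_missing?(*)
      true
    end
  end
  def record(type, name, &blk)
    res = FakeResource.new(type, name)
    res.instance_eval(&blk) if blk
    RECORDED << res
  end
  def iptables_ng_chain(name, &blk)
    record(:iptables_ng_chain, name, &blk)
  end
  def iptables_ng_rule(name, &blk)
    record(:iptables_ng_rule, name, &blk)
  end
  def recorded_resources
    RECORDED
  end
end

# Default-deny inbound; FORWARD closed because this host routes nothing.
iptables_ng_chain 'INPUT' do
  policy 'DROP [0:0]'
end
iptables_ng_chain 'FORWARD' do
  policy 'DROP [0:0]'
end
iptables_ng_chain 'OUTPUT' do
  policy 'ACCEPT [0:0]'
end

# Numeric prefixes order the rules; the stateful accept goes early as it matches most traffic.
iptables_ng_rule '00-loopback' do
  rule '--in-interface lo --jump ACCEPT'
end
iptables_ng_rule '05-established' do
  rule ['--match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT',
        '--match conntrack --ctstate INVALID --jump DROP']
end

# SSH only from the management network. 192.0.2.0/24 is a placeholder (TEST-NET-1).
# An IPv4 source cannot be loaded into ip6tables, hence ip_version 4.
iptables_ng_rule '10-ssh' do
  rule '--source 192.0.2.0/24 --protocol tcp --dport 22 --match conntrack --ctstate NEW --jump ACCEPT'
  ip_version 4
end

# ICMPv6 carries neighbour discovery and PMTU, so v6 needs more than echo-request.
iptables_ng_rule '20-icmpv6' do
  rule '--protocol icmpv6 --jump ACCEPT'
  ip_version 6
end
iptables_ng_rule '20-icmp' do
  rule '--protocol icmp --icmp-type echo-request --jump ACCEPT'
  ip_version 4
end

# Public web service on both stacks (ip_version defaults to enabled_ip_versions).
iptables_ng_rule '30-web' do
  rule ['--protocol tcp --dport 80 --match conntrack --ctstate NEW --jump ACCEPT',
        '--protocol tcp --dport 443 --match conntrack --ctstate NEW --jump ACCEPT']
end

# Rule retired from this role: action :delete makes sure it is gone from every node.
iptables_ng_rule '40-legacy-ftp' do
  rule '--protocol tcp --dport 21 --jump ACCEPT'
  action :delete
end

# Log what falls through, rate-limited so a scan cannot flood the journal, then drop.
iptables_ng_chain 'LOG_DROP'                 # custom chain, policy '- [0:0]'
iptables_ng_rule 'log-then-drop' do
  chain 'LOG_DROP'
  rule ['--match limit --limit 5/min --jump LOG --log-prefix "iptables-drop: "',
        '--jump DROP']
end
iptables_ng_rule '99-log-drop' do
  rule '--jump LOG_DROP'
end
```

Keep the SSH accept rule in the same run that switches INPUT to DROP; converge it in test kitchen first, because a missing management rule on a remote host locks you out the moment the new ruleset is loaded.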

Known issues

There are some issues with systemd support on Fedora systems, and newer Fedora releases may require the iptables-services package to be installed. Because of these issues, the Fedora tests were removed until they are resolved.
Furthermore, due to the lack of Opscode kitchen boxes, there are no tests for Arch Linux.


Contributing

You fixed a bug, or added a new feature? Yippie!

  1. Fork the repository on Github
  2. Create a named feature branch (like add_component_x)
  3. Write your change
  4. Write tests for your change (if applicable)
  5. Run the tests, ensuring they all pass
  6. Submit a Pull Request using Github

Contributions of any sort are very welcome!

License and Authors

Authors: Chris Aumann

Contributors: Dan Fruehauf, Nathan Williams, Christian Graf

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks (cookbooks that depend on iptables-ng)

  • base_install
  • config-driven-helper
  • gateway
  • iptables-patterns
  • lxc
  • sanity
  • scrutinizer-whitelist
  • simple_iptables_ng
  • vesta

iptables-ng CHANGELOG

This file is used to list changes made in each version of the iptables-ng cookbook.


  • Add support for Debian Jessie


  • Add possibility to disable the reload or restore of iptables at the end of a chef run


  • Only install iptables package on Amazon Linux


  • Check whether name attribute in rule provider is valid
  • Fix an issue with resource notification in rule provider
  • Fix an issue with nat table on ipv6 not properly skipped on systems without ip6tables nat support
  • Add node['iptables-ng']['ip6tables_nat_support'] attribute, default to true on recent Ubuntu versions


  • Add possibility to set an "action" when configuring iptables rules via attributes. See README for details


  • Fix an issue with init-script name on Ubuntu >= 14.10 (was renamed to netfilter-persistent)


  • Add support for RHEL 7 compatible distributions


  • Add support for node['iptables-ng']['enabled_tables']


  • Fix an issue with node['iptables-ng']['enabled_ip_versions'], Thanks Bob Ziuchkovski
  • Add Travis with rubocop and foodcritic checks


  • Add rubocop
  • Add attribute node['iptables-ng']['enabled_ip_versions']


  • Support custom chains
  • Rename/Migrate iptables_ng_policy provider to iptables_ng_chain



  • Support for ip_version parameter in attributes. See README for details.

If you use attributes to configure iptables-ng, you need to migrate from

node['iptables-ng']['rules']['filter']['INPUT']['rej'] = 'myrule'

to

node['iptables-ng']['rules']['filter']['INPUT']['rej']['rule'] = 'myrule'


  • [Chris Aumann] - Initial release of iptables-ng

Foodcritic Metric

2.2.7 passed this metric