simple_iptables, version 0.1.0 (19 versions published)

Simple LWRP and recipe for managing iptables rules

Install with Berkshelf/Librarian:
cookbook 'simple_iptables', '= 0.1.0'

Install with Policyfile:
cookbook 'simple_iptables', '= 0.1.0', :supermarket

Install with Knife:
knife cookbook site install simple_iptables
knife cookbook site download simple_iptables

Description

Simple cookbook with LWRPs for managing iptables rules and policies.

Requirements

None, other than a system that supports iptables.

Platforms

The cookbook is tested and works on Debian 6.0 and later. It may also work on other platforms, but the templates are set up for Debian SysV init-type systems. Contributions to support other platforms are gladly welcomed.

Attributes

This cookbook uses node attributes to track internal state when generating the iptables rules and policies. These attributes should not be overridden by roles, other recipes, etc.

Usage

Include the recipe simple_iptables somewhere in your run list, then use the LWRPs simple_iptables_rule and simple_iptables_policy in your recipes.

simple_iptables_rule Resource

Defines a single iptables rule, composed of a rule string (passed as-is to iptables), and a jump target. The name attribute defines an iptables chain that this rule will live in (and, thus, that other rules can jump to). For instance:

# Allow SSH
simple_iptables_rule "ssh" do
  rule "--proto tcp --dport 22"
  jump "ACCEPT"
end

simple_iptables_policy Resource

Defines the default action for a given iptables chain, i.e. what happens to a packet that matches none of the chain's rules. This is usually used to switch a chain from a default-accept policy to one that drops everything not explicitly allowed. For instance:

# Reject packets other than those explicitly allowed
simple_iptables_policy "INPUT" do
  policy "DROP"
end

Example

Suppose you had the following simple_iptables configuration:

# Reject packets other than those explicitly allowed
simple_iptables_policy "INPUT" do
  policy "DROP"
end

# The following rules define a "system" chain; chains
# are used as a convenient way of grouping rules together,
# for logical organization.

# Allow all traffic on the loopback device
simple_iptables_rule "system" do
  rule "--in-interface lo"
  jump "ACCEPT"
end

# Allow any established connections to continue, even
# if they would be in violation of other rules.
simple_iptables_rule "system" do
  rule "-m conntrack --ctstate ESTABLISHED,RELATED"
  jump "ACCEPT"
end

# Allow SSH
simple_iptables_rule "system" do
  rule "--proto tcp --dport 22"
  jump "ACCEPT"
end

# Allow HTTP
simple_iptables_rule "system" do
  rule "--proto tcp --dport 80"
  jump "ACCEPT"
end

# And HTTPS
simple_iptables_rule "system" do
  rule "--proto tcp --dport 443"
  jump "ACCEPT"
end

This would generate a file /etc/iptables-rules with the contents:

# This file generated by Chef. Changes will be overwritten.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:system - [0:0]
-A INPUT --jump system
-A system --in-interface lo --jump ACCEPT
-A system -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
-A system --proto tcp --dport 22 --jump ACCEPT
-A system --proto tcp --dport 80 --jump ACCEPT
-A system --proto tcp --dport 443 --jump ACCEPT
COMMIT

Which results in the following iptables configuration:

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
system     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain system (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
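As an added illustration (this is not code from the simple_iptables cookbook or from Chef), the plain-Ruby stand-in below mirrors what the recipe does with the resources it collects: each simple_iptables_rule appends a (rule, jump) pair to its chain, each simple_iptables_policy records the chain's default, and the render step writes the file in the iptables-save layout shown above. The class name IptablesConfig, the method names rule, policy, render and lockout_warnings, and the mgmt_port parameter are all hypothetical; the rendering order (built-in chains, then user chains, then one jump from INPUT into each user chain, then the rules) is inferred from the generated /etc/iptables-rules file and is an assumption about the real cookbook. The lock-out check is the thing a practitioner wants before converging a DROP policy onto a remote node: with INPUT set to DROP, a missing ESTABLISHED,RELATED rule or a missing management-port rule cuts off the session that is doing the converge.

```ruby
# Added example, not the cookbook's own code. Plain-Ruby stand-in for the
# state simple_iptables keeps in node attributes and the file it renders.
# Names (IptablesConfig, rule, policy, render, lockout_warnings, mgmt_port)
# are hypothetical; the rendering order is inferred from the README's output.

class IptablesConfig
  BUILTIN = %w[INPUT FORWARD OUTPUT].freeze

  attr_reader :rules, :policies

  def initialize
    @rules = Hash.new { |h, k| h[k] = [] }     # chain name => [[rule, jump], ...]
    @policies = BUILTIN.map { |c| [c, 'ACCEPT'] }.to_h  # chain name => default policy
  end

  # Mirrors: simple_iptables_rule "chain" do rule "..."; jump "..." end
  def rule(chain, rule, jump)
    @rules[chain] << [rule, jump]
    self
  end

  # Mirrors: simple_iptables_policy "CHAIN" do policy "..." end
  def policy(chain, policy)
    @policies[chain] = policy
    self
  end

  # Render in iptables-save format, matching the layout of the generated file:
  # built-in chain policies, user chain declarations, a jump from INPUT into
  # each user chain (assumed), then every rule in the order it was declared.
  def render
    lines = ['# This file generated by Chef. Changes will be overwritten.', '*filter']
    BUILTIN.each { |c| lines << ":#{c} #{@policies[c]} [0:0]" }
    user_chains.each { |c| lines << ":#{c} - [0:0]" }
    user_chains.each { |c| lines << "-A INPUT --jump #{c}" }
    @rules.each { |chain, rs| rs.each { |r, j| lines << "-A #{chain} #{r} --jump #{j}" } }
    lines << 'COMMIT'
    lines.join("\n") + "\n"
  end

  # Defender's check: an INPUT DROP policy with no rule accepting established
  # traffic, or none accepting the management port, locks out the converging
  # session. Returns a list of warning strings; empty means nothing found.
  def lockout_warnings(mgmt_port: 22)
    return [] unless @policies['INPUT'] == 'DROP'
    reachable = reachable_from_input
    warnings = []
    unless reachable.any? { |r, j| j == 'ACCEPT' && r.include?('ESTABLISHED') }
      warnings << 'INPUT drops by default but no rule ACCEPTs ESTABLISHED connections'
    end
    unless reachable.any? { |r, j| j == 'ACCEPT' && r =~ /--dport\s+#{mgmt_port}\b/ }
      warnings << "INPUT drops by default but no rule ACCEPTs tcp port #{mgmt_port}"
    end
    warnings
  end

  private

  def user_chains
    @rules.keys - BUILTIN
  end

  # Rules a packet entering INPUT can hit: INPUT's own rules plus those of the
  # user chains it jumps to (the cookbook only generates one level of jumps).
  def reachable_from_input
    @rules.fetch('INPUT', []) + user_chains.flat_map { |c| @rules[c] }
  end
end

# The configuration from the Example section, expressed against the stand-in.
def example_config
  IptablesConfig.new
    .policy('INPUT', 'DROP')
    .rule('system', '--in-interface lo', 'ACCEPT')
    .rule('system', '-m conntrack --ctstate ESTABLISHED,RELATED', 'ACCEPT')
    .rule('system', '--proto tcp --dport 22', 'ACCEPT')
    .rule('system', '--proto tcp --dport 80', 'ACCEPT')
    .rule('system', '--proto tcp --dport 443', 'ACCEPT')
end

if $PROGRAM_NAME == __FILE__
  cfg = example_config
  puts cfg.render
  warn cfg.lockout_warnings.inspect   # [] for the README's example
end
```

Running the script prints exactly the /etc/iptables-rules content from the example above and an empty warning list. Dropping the conntrack rule or the port-22 rule from example_config makes lockout_warnings report the gap, which is the check worth running in a unit test of any wrapper cookbook before it pushes a DROP policy to hosts you reach over SSH.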
