.. -*- mode: rst -*-
==========
iptables
==========
* Setup a Genshi base iptables file that contains the basic rules you
want every host to have
* To be safe you should have a client side IptablesDeadmanScript if you
intend on having bcfg2 bounce iptables upon rule updates
.. note:: When updating files in the ``includes`` directory, you will
need to `touch` the Genshi template to regenerate the
template contents.
/repository/Cfg/etc/sysconfig/iptables/iptables.genshi
======================================================
.. code-block:: none
{% python
from genshi.builder import tag
import os,sys
import Bcfg2.Options
opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY }
setup = Bcfg2.Options.OptionParser(opts)
setup.parse('--')
repo = setup['repo']
basedir = '%s' % (repo)
# for instance:
bcfg2BaseDir = basedir + name + '/'
def checkHostFile(hostName, type):
fileName = bcfg2BaseDir + type + '.H_' + hostName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
def checkGroupFile(groupName, type):
fileName = bcfg2BaseDir + type + '.G_' + groupName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
%}\
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $$Id$$
# Templates live in ${bcfg2BaseDir}
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
#Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
{% if metadata.groups %}\
# group custom FILTER rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-filter')} %}\
{% end %}\
{% end %}\
# host-specific FILTER rules:
{% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group NAT for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for POSTROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom NAT rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-nat')} %}\
{% end %}\
{% end %}\
# host-specific NAT ruls:
{% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group MANGLE for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for INPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-input')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for FORWARD:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-forward')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for POSTROUTING rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom MANGLE rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-mangle')} %}\
{% end %}\
{% end %}\
# host-specific MANGLE rules:
{% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\
COMMIT
Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server
-------------------------------------------------------
.. code-block:: none
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
For a host that is in the mysql-server group you get an iptables file
that looks like the following::
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$
# Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
# Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
# group custom FILTER rules:
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
# host-specific FILTER rules:
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group NAT for PREROUTING:
# group NAT for OUTPUT:
# group NAT for POSTROUTING:
# group custom NAT rules:
# host-specific NAT rules:
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group MANGLE for PREROUTING:
# group MANGLE for INPUT:
# group MANGLE for FORWARD:
# group MANGLE for OUTPUT:
# group MANGLE for POSTROUTING rules:
# group custom MANGLE rules:
# host-specific MANGLE rules:
COMMIT
distrib
>
Fedora
>
17
>
i386
>
media
>
updates
>
by-pkgid
>
b50d8ee6d7871fcc13c0677a9364ed59
>
files
>
209
