<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>iptables — Bcfg2 1.3.0 documentation</title>
<link rel="stylesheet" href="../../../../../_static/default.css" type="text/css" />
<link rel="stylesheet" href="../../../../../_static/pygments.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../../../../../',
VERSION: '1.3.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="../../../../../_static/jquery.js"></script>
<script type="text/javascript" src="../../../../../_static/underscore.js"></script>
<script type="text/javascript" src="../../../../../_static/doctools.js"></script>
<script type="text/javascript" src="../../../../../_static/sidebar.js"></script>
<link rel="shortcut icon" href="../../../../../_static/favicon.ico"/>
<link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../../../index.html" />
<link rel="up" title="TGenshi" href="../../tgenshi.html" />
<link rel="next" title="motd" href="motd.html" />
<link rel="prev" title="hosts" href="hosts.html" />
<link rel="stylesheet" href="../../../../../_static/bcfg2.css" type=""/>
</head>
<body>
<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../../../../index.html"><img src="../../../../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a>
</div>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../../../../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="../../../../../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="motd.html" title="motd"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="hosts.html" title="hosts"
accesskey="P">previous</a> |</li>
<li><a href="../../../../../index.html">home</a> | </li>
<!--<li><a href="../../../../../search.html">search</a> | </li>-->
<li><a href="../../../../../help/index.html">help</a> | </li>
<li><a href="../../../../../contents.html">documentation </a> »</li>
<li><a href="../../../../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li>
<li><a href="../../../../index.html" >The Bcfg2 Server</a> »</li>
<li><a href="../../../index.html" >Plugins</a> »</li>
<li><a href="../../tgenshi.html" accesskey="U">TGenshi</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="iptables">
<h1>iptables<a class="headerlink" href="#iptables" title="Permalink to this headline">¶</a></h1>
<ul class="simple">
<li>Setup a Genshi base iptables file that contains the basic rules you
want every host to have</li>
<li>To be safe you should have a client side IptablesDeadmanScript if you
intend on having bcfg2 bounce iptables upon rule updates</li>
</ul>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">When updating files in the <tt class="docutils literal"><span class="pre">includes</span></tt> directory, you will
need to <cite>touch</cite> the Genshi template to regenerate the
template contents.</p>
</div>
<div class="section" id="repository-cfg-etc-sysconfig-iptables-iptables-genshi">
<h2>/repository/Cfg/etc/sysconfig/iptables/iptables.genshi<a class="headerlink" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi" title="Permalink to this headline">¶</a></h2>
<div class="highlight-none"><div class="highlight"><pre>{% python
from genshi.builder import tag
import os,sys
import Bcfg2.Options
opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY }
setup = Bcfg2.Options.OptionParser(opts)
setup.parse('--')
repo = setup['repo']
basedir = '%s' % (repo)
# for instance:
bcfg2BaseDir = basedir + name + '/'
def checkHostFile(hostName, type):
fileName = bcfg2BaseDir + type + '.H_' + hostName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
def checkGroupFile(groupName, type):
fileName = bcfg2BaseDir + type + '.G_' + groupName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
%}\
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $$Id$$
# Templates live in ${bcfg2BaseDir}
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
#Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
{% if metadata.groups %}\
# group custom FILTER rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-filter')} %}\
{% end %}\
{% end %}\
# host-specific FILTER rules:
{% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group NAT for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for POSTROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom NAT rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-nat')} %}\
{% end %}\
{% end %}\
# host-specific NAT ruls:
{% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group MANGLE for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for INPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-input')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for FORWARD:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-forward')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for POSTROUTING rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom MANGLE rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-mangle')} %}\
{% end %}\
{% end %}\
# host-specific MANGLE rules:
{% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\
COMMIT
</pre></div>
</div>
<div class="section" id="cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">
<h3>Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server<a class="headerlink" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server" title="Permalink to this headline">¶</a></h3>
<div class="highlight-none"><div class="highlight"><pre>:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
</pre></div>
</div>
<p>For a host that is in the mysql-server group you get an iptables file
that looks like the following:</p>
<div class="highlight-python"><pre># BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$
# Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
# Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
# group custom FILTER rules:
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
# host-specific FILTER rules:
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group NAT for PREROUTING:
# group NAT for OUTPUT:
# group NAT for POSTROUTING:
# group custom NAT rules:
# host-specific NAT rules:
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group MANGLE for PREROUTING:
# group MANGLE for INPUT:
# group MANGLE for FORWARD:
# group MANGLE for OUTPUT:
# group MANGLE for POSTROUTING rules:
# group custom MANGLE rules:
# host-specific MANGLE rules:
COMMIT</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
<h3><a href="../../../../../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">iptables</a><ul>
<li><a class="reference internal" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi">/repository/Cfg/etc/sysconfig/iptables/iptables.genshi</a><ul>
<li><a class="reference internal" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="hosts.html"
title="previous chapter">hosts</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="motd.html"
title="next chapter">motd</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../../../../_sources/server/plugins/generators/examples/genshi/iptables.txt"
rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../../../../../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../../../../../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="../../../../../py-modindex.html" title="Python Module Index"
>modules</a> |</li>
<li class="right" >
<a href="motd.html" title="motd"
>next</a> |</li>
<li class="right" >
<a href="hosts.html" title="hosts"
>previous</a> |</li>
<li><a href="../../../../../index.html">home</a> | </li>
<!--<li><a href="../../../../../search.html">search</a> | </li>-->
<li><a href="../../../../../help/index.html">help</a> | </li>
<li><a href="../../../../../contents.html">documentation </a> »</li>
<li><a href="../../../../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li>
<li><a href="../../../../index.html" >The Bcfg2 Server</a> »</li>
<li><a href="../../../index.html" >Plugins</a> »</li>
<li><a href="../../tgenshi.html" >TGenshi</a> »</li>
</ul>
</div>
<div class="footer">
© Copyright 2009-2013, Narayan Desai.
Last updated on Mar 20, 2013.
Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
</div>
</body>
</html>
distrib
>
Fedora
>
17
>
i386
>
media
>
updates
>
by-pkgid
>
b50d8ee6d7871fcc13c0677a9364ed59
>
files
>
458
