
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>iptables &mdash; Bcfg2 1.3.0 documentation</title>
    
    <link rel="stylesheet" href="../../../../../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../../../../../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      // Sphinx page configuration. Presumably consumed by doctools.js (loaded
      // below) to build links relative to the documentation root — confirm.
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../../../../../',   // relative path from this page to the docs root
        VERSION:     '1.3.0',             // same version string as in <title>
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true                 // the sidebar offers a "Show Source" link
      };
    </script>
    <script type="text/javascript" src="../../../../../_static/jquery.js"></script>
    <script type="text/javascript" src="../../../../../_static/underscore.js"></script>
    <script type="text/javascript" src="../../../../../_static/doctools.js"></script>
    <script type="text/javascript" src="../../../../../_static/sidebar.js"></script>
    <link rel="shortcut icon" href="../../../../../_static/favicon.ico"/>
    <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../../../index.html" />
    <link rel="up" title="TGenshi" href="../../tgenshi.html" />
    <link rel="next" title="motd" href="motd.html" />
    <link rel="prev" title="hosts" href="hosts.html" />
 
<link rel="stylesheet" href="../../../../../_static/bcfg2.css" type=""/>

  </head>
  <body>

<div style="text-align: left; padding: 10px 10px 15px 15px">
<a href="../../../../../index.html"><img src="../../../../../_static/bcfg2_logo.png" border="0" alt="Bcfg2 documentation home"/></a>
</div>

    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../../../../genindex.html" title="General Index"
             accesskey="I">index</a></li>
        <li class="right" >
          <a href="../../../../../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="motd.html" title="motd"
             accesskey="N">next</a> |</li>
        <li class="right" >
          <a href="hosts.html" title="hosts"
             accesskey="P">previous</a> |</li>
	<li><a href="../../../../../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../../../../../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../../../../../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../../../../../contents.html">documentation </a> &raquo;</li>

          <li><a href="../../../../../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="../../../../index.html" >The Bcfg2 Server</a> &raquo;</li>
          <li><a href="../../../index.html" >Plugins</a> &raquo;</li>
          <li><a href="../../tgenshi.html" accesskey="U">TGenshi</a> &raquo;</li> 
      </ul>
    </div>
  

    <div class="document">
      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body">
            
  <div class="section" id="iptables">
<h1>iptables<a class="headerlink" href="#iptables" title="Permalink to this headline">¶</a></h1>
<ul class="simple">
<li>Set up a Genshi base iptables file that contains the basic rules you
want every host to have.</li>
<li>To be safe, you should have a client-side IptablesDeadmanScript (so that a
rule update that locks you out is reverted automatically) if you
intend to have bcfg2 restart iptables upon rule updates.</li>
</ul>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">When updating files in the <tt class="docutils literal"><span class="pre">includes</span></tt> directory, you will
need to <cite>touch</cite> the Genshi template to regenerate the
template contents.</p>
</div>
<div class="section" id="repository-cfg-etc-sysconfig-iptables-iptables-genshi">
<h2>/repository/Cfg/etc/sysconfig/iptables/iptables.genshi<a class="headerlink" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi" title="Permalink to this headline">¶</a></h2>
<div class="highlight-none"><div class="highlight"><pre>{% python
    # Template-time setup: locate the Bcfg2 repository so that the per-group
    # and per-host include files used below can be addressed by full path.
    from genshi.builder import tag   # not referenced anywhere in the visible template
    import os,sys                    # only os is used (by the helpers below); sys is unused here
    import Bcfg2.Options

    # Resolve the server repository path through Bcfg2's option parser.
    # NOTE(review): parse() is given the string '--' rather than an argv
    # list — confirm that is what Bcfg2.Options.OptionParser.parse expects.
    opts = { &#39;repo&#39;: Bcfg2.Options.SERVER_REPOSITORY }
    setup = Bcfg2.Options.OptionParser(opts)
    setup.parse(&#39;--&#39;)
    repo = setup[&#39;repo&#39;]
    basedir = &#39;%s&#39; % (repo)   # equivalent to str(repo)

    # Directory that holds the include files, for instance
    # /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/ in the rendered example below.
    # `name` is not defined in this block; presumably it is supplied to the
    # template context by Bcfg2 — verify against the plugin.
    bcfg2BaseDir = basedir + name + &#39;/&#39;

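    def checkHostFile(hostName, type):
        """Return the path of the per-host include file for ``type``.

        The path is ``<bcfg2BaseDir><type>.H_<hostName>``. No existence
        check is performed: the same path is returned whether or not the
        file is present (an ``os.path.isfile`` test whose branches both
        returned the path was equivalent, so it is omitted). What a
        missing include means is therefore decided by the ``{% include %}``
        directives below. NOTE(review): the rendered example further down
        shows an empty host-specific section, which suggests absent files
        are tolerated by the loader — confirm before relying on that.
        ``hostName`` is joined into the path as-is; it is assumed to be
        trusted server-side metadata, not client-supplied input.
        ``type`` shadows the builtin but is kept for caller compatibility.
        """
        return bcfg2BaseDir + type + '.H_' + hostName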

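    def checkGroupFile(groupName, type):
        """Return the path of the per-group include file for ``type``.

        The path is ``<bcfg2BaseDir><type>.G_<groupName>``. No existence
        check is performed: the same path is returned whether or not the
        file is present (an ``os.path.isfile`` test whose branches both
        returned the path was equivalent, so it is omitted). What a
        missing include means is therefore decided by the ``{% include %}``
        directives below. NOTE(review): the rendered example further down
        shows empty group sections for groups without a file, which
        suggests absent files are tolerated by the loader — confirm before
        relying on that. ``groupName`` is joined into the path as-is; it
        is assumed to be trusted server-side metadata.
        ``type`` shadows the builtin but is kept for caller compatibility.
        """
        return bcfg2BaseDir + type + '.G_' + groupName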

%}\
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $$Id$$
# Templates live in ${bcfg2BaseDir}
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]

#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
#Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix &quot; Incoming SMTP (denied) &quot;
-A NO-SMTP -j DROP

# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT

# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT

{% if metadata.groups %}\
# group custom FILTER rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;custom-filter&#39;)} %}\
{% end %}\
{% end %}\

# host-specific FILTER rules:
{% include ${checkHostFile(metadata.hostname, &#39;custom-filter&#39;)} %}\

COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat

# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

{% if metadata.groups %}\
# group NAT for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;nat-prerouting&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group NAT for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;nat-output&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group NAT for POSTROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;nat-postrouting&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group custom NAT rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;custom-nat&#39;)} %}\
{% end %}\
{% end %}\

# host-specific NAT rules:
{% include ${checkHostFile(metadata.hostname, &#39;custom-nat&#39;)} %}\
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle

# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

{% if metadata.groups %}\
# group MANGLE for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;mangle-prerouting&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group MANGLE for INPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;mangle-input&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group MANGLE for FORWARD:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;mangle-forward&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group MANGLE for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;mangle-output&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group MANGLE for POSTROUTING rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;mangle-postrouting&#39;)} %}\
{% end %}\
{% end %}\

{% if metadata.groups %}\
# group custom MANGLE rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,&#39;custom-mangle&#39;)} %}\
{% end %}\
{% end %}\

# host-specific MANGLE rules:
{% include ${checkHostFile(metadata.hostname, &#39;custom-mangle&#39;)} %}\
COMMIT
</pre></div>
</div>
<div class="section" id="cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">
<h3>Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server<a class="headerlink" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server" title="Permalink to this headline">¶</a></h3>
<div class="highlight-none"><div class="highlight"><pre>:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
</pre></div>
</div>
<p>For a host that is in the mysql-server group you get an iptables file
that looks like the following:</p>
<div class="highlight-python"><pre># BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$
# Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]

#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
# Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP

# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT

# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT

# group custom FILTER rules:
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT

# host-specific FILTER rules:

COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat

# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# group NAT for PREROUTING:

# group NAT for OUTPUT:

# group NAT for POSTROUTING:

# group custom NAT rules:

# host-specific NAT rules:
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle

# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# group MANGLE for PREROUTING:

# group MANGLE for INPUT:
# group MANGLE for FORWARD:

# group MANGLE for OUTPUT:

# group MANGLE for POSTROUTING rules:

# group custom MANGLE rules:

# host-specific MANGLE rules:
COMMIT</pre>
</div>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../../../../../index.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">iptables</a><ul>
<li><a class="reference internal" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi">/repository/Cfg/etc/sysconfig/iptables/iptables.genshi</a><ul>
<li><a class="reference internal" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server</a></li>
</ul>
</li>
</ul>
</li>
</ul>

  <h4>Previous topic</h4>
  <p class="topless"><a href="hosts.html"
                        title="previous chapter">hosts</a></p>
  <h4>Next topic</h4>
  <p class="topless"><a href="motd.html"
                        title="next chapter">motd</a></p>
  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../../../../../_sources/server/plugins/generators/examples/genshi/iptables.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
<div id="searchbox" style="display: none">
  <h3>Quick search</h3>
    <form class="search" action="../../../../../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    <p class="searchtip" style="font-size: 90%">
    Enter search terms or a module, class or function name.
    </p>
</div>
<script type="text/javascript">/* #searchbox is served with display:none; reveal it once jQuery has run (presumably so the form is only shown when scripting works) */$('#searchbox').show(0);</script>
        </div>
      </div>
      <div class="clearer"></div>
    </div>
    <div class="related">
      <h3>Navigation</h3>
      <ul>
        <li class="right" style="margin-right: 10px">
          <a href="../../../../../genindex.html" title="General Index"
             >index</a></li>
        <li class="right" >
          <a href="../../../../../py-modindex.html" title="Python Module Index"
             >modules</a> |</li>
        <li class="right" >
          <a href="motd.html" title="motd"
             >next</a> |</li>
        <li class="right" >
          <a href="hosts.html" title="hosts"
             >previous</a> |</li>
	<li><a href="../../../../../index.html">home</a> |&nbsp;</li>
	<!--<li><a href="../../../../../search.html">search</a> |&nbsp;</li>-->
	<li><a href="../../../../../help/index.html">help</a> |&nbsp;</li>
	<li><a href="../../../../../contents.html">documentation </a> &raquo;</li>

          <li><a href="../../../../../contents.html" >Bcfg2 documentation 1.3.0</a> &raquo;</li>
          <li><a href="../../../../index.html" >The Bcfg2 Server</a> &raquo;</li>
          <li><a href="../../../index.html" >Plugins</a> &raquo;</li>
          <li><a href="../../tgenshi.html" >TGenshi</a> &raquo;</li> 
      </ul>
    </div>
    <div class="footer">
        &copy; Copyright 2009-2013, Narayan Desai.
      Last updated on Mar 20, 2013.
      Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
    </div>
  </body>
</html>